I have put together a new Nmap script that queries the Lexmark S300-400 series for their configuration. The script queries port 9100/udp using a small MDNS packet and receives the configuration as the response. The script simply parses out the TXT records and prints them. The lexmark-config script is available from the nmap-scripts page.
I made some small changes to the kerberos-get-realm script and have uploaded a version 0.2 of it. It’s available from the nmap-scripts page.
I created a new Nmap script today that attempts to discover the Kerberos realm and the server time. It does this by sending an incorrect AS-REQ to the server. The Microsoft implementation of Kerberos responds with an error packet containing the correct realm name. On systems with other implementations, the server time alone is returned. The script works against both TCP and UDP. It’s available for download at the dedicated nmap-scripts page over here.
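To show what such a script has to parse, here is an added Python example (not the script itself, which is written in Lua): it walks the DER encoding of a KRB-ERROR reply to pull out the server time and the realm, and copes with replies that carry no realm. The sample replies are constructed, and the error code used in them is an assumption.

```python
from datetime import datetime, timezone

def der_tlv(buf, pos=0):
    """Read one DER TLV at pos (single-byte tags suffice for KRB-ERROR)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                            # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def parse_krb_error(packet):
    """Pull stime [4], error-code [6] and realm [9] out of a KRB-ERROR.
    On TCP strip the 4-byte record length first; UDP carries the bare message."""
    tag, body, _ = der_tlv(packet)
    if tag != 0x7E:                              # [APPLICATION 30] = KRB-ERROR
        raise ValueError("not a KRB-ERROR message")
    seq_tag, fields, _ = der_tlv(body)
    if seq_tag != 0x30:
        raise ValueError("KRB-ERROR body is not a SEQUENCE")
    out, pos = {}, 0
    while pos < len(fields):                     # each field is [n] EXPLICIT
        ctx_tag, val, pos = der_tlv(fields, pos)
        inner_tag, inner, _ = der_tlv(val)
        field = ctx_tag & 0x1F
        if field == 4 and inner_tag == 0x18:     # GeneralizedTime
            out["stime"] = datetime.strptime(inner.decode(), "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)
        elif field == 6 and inner_tag == 0x02:   # INTEGER
            out["error_code"] = int.from_bytes(inner, "big", signed=True)
        elif field == 9 and inner_tag == 0x1B:   # GeneralString
            out["realm"] = inner.decode()
    return out

# --- constructed sample replies (not real captures) ------------------------
def der(tag, payload):
    """Encode one DER TLV; short-form length is enough for these samples."""
    assert len(payload) < 0x80
    return bytes([tag, len(payload)]) + payload

def ctx(n, inner):
    return der(0xA0 | n, inner)                  # [n] context-specific, constructed

COMMON = (ctx(0, der(0x02, b"\x05")) + ctx(1, der(0x02, b"\x1e"))       # pvno 5, msg-type 30
          + ctx(4, der(0x18, b"20091224120000Z")) + ctx(5, der(0x02, b"\x00"))
          + ctx(6, der(0x02, b"\x44")))         # assumed error code 68, KDC_ERR_WRONG_REALM
SNAME = ctx(10, der(0x30, ctx(0, der(0x02, b"\x02")) + ctx(1, der(0x30, der(0x1B, b"krbtgt")))))
# Windows-style reply: the real realm is disclosed in field [9]
SAMPLE_WITH_REALM = der(0x7E, der(0x30, COMMON + ctx(9, der(0x1B, b"EXAMPLE.LOCAL")) + SNAME))
# Other implementation: field [9] left out here so only the server time is learned
SAMPLE_TIME_ONLY = der(0x7E, der(0x30, COMMON + SNAME))
```

A reply with only a server time is still useful to a defender: a KDC that answers bogus requests at all is a fingerprintable service, and the time it leaks lets you check clock skew against the domain.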
Nmap 5.10-BETA2 was released by Fyodor as an X-mas present the other day. I was pleased to see that almost all of my scripts made it into this version. The remaining one, oracle-sid-brute, made it into SVN just a few minutes ago 🙂
For the full changelog of Nmap 5.10-BETA2 have a look here.
I just finished a dedicated page for the scripts I have created for Nmap. It’s available over here and contains the name of the scripts and brief descriptions of what they do. New scripts and versions will be announced here on the blog and the page will be updated accordingly. All scripts are available for download.
So, I took the time to re-write and change the Citrix scripts I published earlier. The scripts now work both against the Citrix ICA Browser service and the Citrix XML Service.
I cleaned up and documented the script some more. The packets sent to the server over UDP and TCP now both have NULL_AUTH credentials. The new version is available here.
So, my friend Ian Vitek enlightened me again. Apparently when the published application list is long it’s split up into multiple packets and the client needs to keep reading them until the magic byte at offset 31 is toggled to 1.
I have adjusted my script so that it checks for this and prints a complete list of published applications, instead of just the first packet. The script can be downloaded from here.
For more information on how to get it running, check my earlier posts or post a comment to the article.
Lua turned out to be quite entertaining so I have spent some time coding some more scripts for Nmap. The first script I finished was nfs-showmount.nse which can be used to query a remote server for any NFS shares:
nmap --script nfs-showmount -p 111 192.168.56.50
Interesting ports on yoda.localdomain (192.168.56.50):
PORT STATE SERVICE
111/tcp open rpcbind
Host script results:
| /home/storage/backup 192.168.56.0/255.255.255.0 192.168.56.66/255.255.255.255
|_ /home 192.168.56.0/255.255.255.0
The next one, citrix-published-applications, queries a Citrix server for any published applications:
sudo nmap -sU --script citrix-published-applications -p 1604 192.168.56.5
Starting Nmap 5.00 ( http://nmap.org ) at 2009-11-24 22:09 CET
Interesting ports on 192.168.56.5:
PORT STATE SERVICE
1604/udp open unknown
|_ registry editor