Thank’s to some great effort put into the smb libraries by the folks over at nmap-dev, porting mbenum to Nmap wasn’t as hard as I’ve imagined. A first version has been committed to subversion a while ago but I forgot to publish this blog post at the time. Feel free to try it out! If you haven’t used mbenum before it’s a tool that allows you to get a good picture of a network by querying a single system.
Mbenum or the Nmap script smb-mbenum relies on being able to query the master browser for a particular domain or workgroup. You can find the master browser by sending a netbios query for the __MSBROWSE__ name. The Nmap script broadcast-netbios-master-browser can be used to identify the master browser for your broadcast domain by sending a netbios query to the broadcast address.
I received a bug report for my Nmap nfs-showmount script a few days ago. I ended up re-writing the whole thing as it was my first script, which is short for “ugly as hell”. I moved all NFS and RPC stuff into a new library called rpc.lua and added some more functionality as well.
I’ve also added two more scripts that make use of the library nfs-get-stats and nfs-get-dirlist. The first retrieves disk usage for each export and the second lists files on a share. They’re both available from the nmap-scripts page as usual.
I’ve just added some code to my Nmap MySQL library that enables query support. With this code in place it’s possible to run queries against MySQL directly from a Nmap script. In order to illustrate this I’ve added three scripts: mysql-list-users, mysql-list-databases and mysql-show-variables.
While messing around with the library I also cleaned up the code for mysql-brute and mysql-empty-password. All of the scripts that query the database obviously require credentials to do so. These can be provided on the command line using script arguments mysqluser and mysqlpassword or by running the mysql-brute or mysql-empty-password on the same time. There are dependencies set up so that the query scripts wait until these two scripts have collected the credentials. Here’s some sample output from the scripts …
Two more scripts of my scripts were added to the development release of nmap, afp-showmount and dns-service-discovery. You can try them out either by downloading them from the nmap-scripts page or by checking out the latest development release over here.
I found a bug in the Nmap SNMP scripts that would trigger an endless loop if the MIB that they attempt to walk does not exist. This would occur if they’re run against anything else than Windows. I’ve now addressed this and released a 0.2 version of them. They’re available from the nmap-scripts page.
I’ve update the nmap-script page with two scripts for MySQL. The first simply checks whether the root user has a blank password set. The second script allows to perform online password guessing against MySql.
I have been re-working my dns-service-discovery and lexmark-config scripts to make use of the nmap dns library. Why I failed to do this from the beginning is a mystery to me and others. The re-work went well and the end result allowed me to completely ditch the mdns library. In order to achieve what I needed I had to make some slight changes to the dns library which I have posted as a patch to the nmap-dev list.
While re-working the dns-service-discovery script I totally changed the output as well. It’s now less DNS:ish and more focused around the information. Here’s an example of the new format:
As the dns library is in use by other scripts I’ll wait until the changes are tested and confirmed not to break stuff before I post it here. If someone is eager to try the new scripts out the patch and scripts can be found here:
Just posted some code (libraries and scripts) that allows Nmap to do LDAP queries. It’s available from the nmap-scripts page. The code consists of two libraries asn1 and ldap that do most of the work. The LDAP library supports the SearchRequest, BindRequest and UnbindRequest operations and therefore supports both unauthenticated and authenticated searches.
The functionality is still somewhat limited and the library has the following shortcomings in my opinion:
At the moment it only supports simple bind
It lacks filter parsing support. That said, it supports filters, but they need to be supplied using tables rather than their textual representation as described in RFC 2254.
SSL is currently not supported mainly because I didn’t have an SSL enabled LDAP server running.
Some attributes returned by AD fail parsing and return a blob of hex characters.
There’s an annoying GUI indentation bug that needs tending to.
Despite these shortcomings I’m releasing a first version of the library and scripts. The scripts have undergone limited testing against both OpenLDAP and ActiveDirectory.
I just posted a new Nmap script that uses the DNS Service Discovery protocol to enumerate information from a remote host. The script queries the Multicast DNS Service/Bonjour/ZeroConf for a list of services and then queries each service for additional information. The results are decoded and presented in a list similar to the one below. Systems that are known to ship with this service active include Apple OS X, Ubuntu and many printers.
The script is available over at the Nmap script page and should be run like this: