Tag Archives: nse

Pulling Cisco configs with Nmap

A few hours ago I committed a new script created by Vikas Singhal to Nmap. It implements the functionality to initiate a tftp transfer of a Cisco configuration through SNMP. In order to do so, the device obviously needs to support this functionality, and you need to know the private SNMP-community string.

The script can either save the configuration to a file in a directory specified as a script argument or displays it on screen. In order to achieve this, I’ve contributed with a minimal tftp server, implemented as a Nmap NSE library. This eliminates the need to setup and configure a separate tftp-server as it’s all being taken care of transparently by Nmap.

In order to try it out you can either update from subversion or download the tftp library and the snmp-ios-config script and place them in nselib and the scripts directory. For more information on how to run the script, check out the documentation.

Nmap mssql scripts feature boost

Chris Woodbury and I have been working on some new exciting features and enhancements to the ms-sql scripts and library in Nmap lately. We’ve been working in a separate branch which will hopefully get merged to trunk really soon. Chris work has been of high quality and very inspiring! It got me to pick up some of the stuff I meant to implement, but hadn’t got to, and has brought a number of new great ideas. For a good summary of changes consult the following nmap-dev mailing list thread.

Among the many new features and enhancements I’m really happy to see are:

  • Support for more precise version checking, by using the prelogin packet (same technique as SQLPing)
  • Support for connections using named pipes, rather than tcp-sockets
  • Support for integrated authentication (Ntlmv1) in addition to the existing SQL authentication
  • Support for connecting to named instances in addition to specific tcp ports
  • Support for running each of the ms-sql scripts against all instances detected by the discovery mechanisms

If you would like to give the scripts a run they’re available from here, and will hopefully be merged to trunk really soon.

15 new nmap scripts

I just posted 15 new nmap scripts to the nmap-dev mailing list. For anyone curios to check them out have a look over here. I’ve been working on these new scripts for a while and they add yet more database support to nmap allowing users to perform password guessing against both Oracle and Informix servers. In addition custom SQL queries can be made to Informix servers directly from nmap.

I’ve also created a number of scripts which can be suitable when pen testing Lotus Domino. These scripts include support for collecting Internet password hashes and user ID files. ID files can be collected both as an authenticated user from the person web view or unauthenticated using the vulnerability CVE-2006-5835. Oh, and you can add Lotus Domino 8.5 to the list of vulnerable versions in that advisory. There are also two scripts that allow you to interact with the IBM Lotus Domino remote console. One script allows for password guessing, while the other one allows you to interact with the console ones your authenticated.

There’s a tiny script in the zip file that supports querying for registered objects in a ORB Naming Service using the GIOP protocol.

Last but not least I’ve created a framework for other password guessing scripts to use. The framework runs using multiple worker threads and does all the looping, iteration and other basic logic used by most of my previous brute scripts.

The zip file included in the nmap-dev post can be downloaded from here. Please help me out testing the scripts so that they can be added to the subversion version of nmap!

Detecting Apple Mac OS X AFP vulnerability CVE-2010-0533 with Nmap

During the development of my AFP library for Nmap I came a cross a critical vulnerability in Apple’s implementation of AFP on Snow Leopard. The vulnerability occurs due to improper input validation and allows an attacker to access (list, read, and/or write) files in the parent directory of any AFP sharepoint.

Continue reading

5 new SNMP scripts in Nmap SVN

As of yesterday there are now 5 new SNMP scripts in the development release of Nmap. I commited a new ASN.1 library a re-worked SNMP library and 5 new scripts. The new scripts are:

  • snmp-netstat shows listening and connected sockets
  • snmp-processes shows process information including name, pid, path and parameters
  • snmp-win32-services shows the names of running Windows services
  • snmp-win32-shares shows the names and path of Windows shares
  • snmp-win32-software shows a list of installed Windows software
  • snmp-win32-users shows a list of local Windows users

Make sure to check them out over at insecure.org. In order to use them you need to check out the development sources from subversion. More info on that over here.

SNMP scripts for nmap

I just finished writing a bunch of Windows oriented SNMP scripts for nmap. A zip file containing all of them is available from the nmap-scripts page. The archive currently includes:

  • snmp-get-windows-processes.nse
  • snmp-get-windows-services.nse
  • snmp-get-windows-shares.nse
  • snmp-get-windows-software.nse
  • snmp-get-windows-users.nse

I have included some sample output in the full article.

Continue reading

dns work in nmap

I have been re-working my dns-service-discovery and lexmark-config scripts to make use of the nmap dns library. Why I failed to do this from the beginning is a mystery to me and others. The re-work went well and the end result allowed me to completely ditch the mdns library. In order to achieve what I needed I had to make some slight changes to the dns library which I have posted as a patch to the nmap-dev list.

While re-working the dns-service-discovery script I totally changed the output as well. It’s now less DNS:ish and more focused around the information. Here’s an example of the new format:

As the dns library is in use by other scripts I’ll wait until the changes are tested and confirmed not to break stuff before I post it here. If someone is eager to try the new scripts out the patch and scripts can be found here:

http://seclists.org/nmap-dev/2010/q1/92
http://seclists.org/nmap-dev/2010/q1/87