Tag Archives: scripts

SNMP scripts for nmap

I just finished writing a bunch of Windows oriented SNMP scripts for nmap. A zip file containing all of them is available from the nmap-scripts page. The archive currently includes:

  • snmp-get-windows-processes.nse
  • snmp-get-windows-services.nse
  • snmp-get-windows-shares.nse
  • snmp-get-windows-software.nse
  • snmp-get-windows-users.nse

I have included some sample output in the full article.

Continue reading

dns work in nmap

I have been re-working my dns-service-discovery and lexmark-config scripts to make use of the nmap dns library. Why I failed to do this from the beginning is a mystery to me and others. The re-work went well and the end result allowed me to completely ditch the mdns library. In order to achieve what I needed I had to make some slight changes to the dns library which I have posted as a patch to the nmap-dev list.

While re-working the dns-service-discovery script I totally changed the output as well. It’s now less DNS:ish and more focused around the information. Here’s an example of the new format:

As the dns library is in use by other scripts I’ll wait until the changes are tested and confirmed not to break stuff before I post it here. If someone is eager to try the new scripts out the patch and scripts can be found here:

http://seclists.org/nmap-dev/2010/q1/92
http://seclists.org/nmap-dev/2010/q1/87

LDAP for Nmap

Just posted some code (libraries and scripts) that allows Nmap to do LDAP queries. It’s available from the nmap-scripts page. The code consists of two libraries asn1 and ldap that do most of the work. The LDAP library supports the SearchRequest, BindRequest and UnbindRequest operations and therefore supports both unauthenticated and authenticated searches.

The functionality is still somewhat limited and the library has the following shortcomings in my opinion:

  • At the moment it only supports simple bind
  • It lacks filter parsing support. That said, it supports filters, but they need to be supplied using tables rather than their textual representation as described in RFC 2254.
  • SSL is currently not supported mainly because I didn’t have an SSL enabled LDAP server running.
  • Some attributes returned by AD fail parsing and return a blob of hex characters.
  • There’s an annoying GUI indentation bug that needs tending to.

Despite these shortcomings I’m releasing a first version of the library and scripts. The scripts have undergone limited testing against both OpenLDAP and ActiveDirectory.

dns-service-discovery nmap script

I just posted a new Nmap script that uses the DNS Service Discovery protocol to enumerate information from a remote host. The script queries the Multicast DNS Service/Bonjour/ZeroConf for a list of services and then queries each service for additional information. The results are decoded and presented in a list similar to the one below. Systems that are known to ship with this service active include Apple OS X, Ubuntu and many printers.

The script is available over at the Nmap script page and should be run like this:

Here’s some sample output:

PORT     STATE   SERVICE
5353/udp open zeroconf
| dns-service-discovery:
|   Service: _workstation._tcp.local
|     Answers: 5
|       _workstation._tcp.local PTR IN
|         name: _workstation._tcp.local
|       patrik-laptop [08:00:aa:bb:cc:dd]._workstation._tcp.local TXT IN
|       patrik-laptop [08:00:aa:bb:cc:dd]._workstation._tcp.local SRV IN
|         priority: 0
|         weight: 0
|         port: 9
|         target: patrik-laptop.local
|       patrik-laptop.local AAAA IN
|         addr: fe80:0:0:0:a00:27ff:aabb:ccdd
|       patrik-laptop.local A IN
|_        addr: 192.168.0.100

kerberos-get-realm script

I created a new Nmap script today that attempts to discover the Kerberos realm and the server time. It does this by sending an incorrect AS-REQ request to the server. The Microsoft implementation of Kerberos responds with an error packet containing the correct Realm name. On systems with other implementation, the server time alone is returned. The script works against both TCP and UDP. It’s available for download at the dedicated nmap-scripts page over here.

Two more nmap scripts

Lua turned out to be quite entertaining so I have spent some time coding some more scripts for Nmap. The first script I finished was nfs-showmount.nse which can be used to query a remote server for any NFS shares:

Interesting ports on yoda.localdomain (192.168.56.50):
PORT    STATE SERVICE
111/tcp open  rpcbind

Host script results:
|  nfs-showmount:
|  /home/storage/backup 192.168.56.0/255.255.255.0 192.168.56.66/255.255.255.255
|_ /home 192.168.56.0/255.255.255.0

The next one citrix-published-applications, queries a Citrix server for any published applications:

Starting Nmap 5.00 ( http://nmap.org ) at 2009-11-24 22:09 CET
Interesting ports on 192.168.56.5:
PORT     STATE SERVICE
1604/udp open  unknown
|  citrix-published-applications:
|  Notepad
|  iexplorer
|_ registry editor