du script working!

This commit is contained in:
Adrien MALINGREY 2023-05-10 16:15:36 +02:00
parent a3c06ef825
commit 0ffd304d2d
5 changed files with 183 additions and 128 deletions


@ -10,11 +10,7 @@
<xsl:template match="lanScan"> <xsl:template match="lanScan">
<xsl:text>nmap -v -T4 -p </xsl:text> <xsl:text>nmap -v -T4 -p </xsl:text>
<xsl:apply-templates select="//service[not(.=preceding::*)]" /> <xsl:apply-templates select="//service[not(.=preceding::*)]" />
<<<<<<< HEAD <xsl:text> --script nse/ --datadir nse/ --script-args-file nse_args.ini -oX "</xsl:text>
<xsl:text> --script nse/ -oX "</xsl:text>
=======
<xsl:text> --script "nse/" -oX "</xsl:text>
>>>>>>> 5378e16e2468588a441a1e37ceb38239f0851374
<xsl:value-of select="@scanpath"/> <xsl:value-of select="@scanpath"/>
<xsl:text>.tmp" </xsl:text> <xsl:text>.tmp" </xsl:text>
<xsl:apply-templates select="//host"/> <xsl:apply-templates select="//host"/>
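Review bot: The resolved line passes `--script-args-file nse_args.ini` with no directory, while the same command uses `--script nse/ --datadir nse/` and this commit adds the file as nse/nse_args.ini, so unless the generated nmap command is run from inside nse/ the arguments file will not be found. `--script-args-file nse/nse_args.ini` would keep the three paths consistent. The enclosing `<xsl:template match="lanScan">` starts before the hunk and its content continues after it.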


@ -7,7 +7,7 @@ Get and return a page info
--- ---
-- @args http-get.path Path to get. Default /. -- @args http-get.path Path to get. Default /.
-- --
-- @usage nmap -p80 --script http-info.nse --script-args http-info.path=/ <target> -- @usage nmap -p80 --script http-info.nse --script-args http-info.path=/ <host>
-- --
-- @output -- @output
-- status: 200 -- status: 200

nse/nse_args.ini Normal file

@ -0,0 +1,2 @@
smbuser=<user name>
smbpassword=<user password>
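Review bot: nse_args.ini is committed with placeholder `<user name>` / `<user password>` values, so whoever fills it in for a real scan ends up with plaintext SMB credentials in a tracked file that the next commit would capture. Keep the committed copy as a template (for example `nse/nse_args.ini.example`), add the real file name to .gitignore, and note in the README that it should be readable only by the account running the scan. Since the smbuser/smbpassword arguments are consumed by the SMB auth layer, the file should also never be copied into scan output directories alongside the XML results.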


@ -1,13 +1,35 @@
local stdnse = require "stdnse" local stdnse = require "stdnse"
local smb = require "smb" local smb = require "smb"
local msrpc = require "msrpc" local msrpc = require "msrpc"
local msrpctypes = require "msrpctypes" local bin = require "bin"
hostrule = function(host) description = [[
Return free and total size in octets of each SMB shares
]]
---
-- @args See the documentation for the smbauth library.
--
-- @usage nmap -p445 --script smb-shares-du.nse <host>
--
-- @output
-- Host script results:
-- | smb-shares-du:
-- | data:
-- | FreeSize: 38495883264
-- | TotalSize: 500961574912
-- |_ IPC$: NT_STATUS_ACCESS_DENIED
---
categories = {"discovery", "intrusive"}
author = "Adrien Malingrey"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
hostrule = function(host)
return smb.get_port(host) ~= nil return smb.get_port(host) ~= nil
end end
action = function(host) action = function(host)
local status, shares, extra local status, shares, extra
local response = stdnse.output_table() local response = stdnse.output_table()
@ -21,119 +43,154 @@
-- Get more information on each share -- Get more information on each share
for i = 1, #shares, 1 do for i = 1, #shares, 1 do
local share = shares[i] local share = shares[i]
stdnse.debug1("SMB: Getting information for share: %s", share)
status, result = get_share_info(host, share) local status, result = get_share_info(host, share)
response[share] = result response[share] = result
end end
--table.sort(response)
return response return response
end
TRANS2_QUERY_FS_INFORMATION = 0x0003
SMB_QUERY_FS_SIZE_INFO = 0x0103
---Attempts to retrieve additional information about a share. Will fail unless we have
-- administrative access.
--
--@param host The host object.
--@return Status (true or false).
--@return A table of information about the share (if status is true) or an an error string (if
-- status is false).
function get_share_info(host, share)
local status, smbstate, err
local hostaddress = (host.name ~= '' and host.name) or host.ip
local path = "\\\\" .. hostaddress .. "\\" .. share
status, smbstate = smb.start(host)
status, err = smb.negotiate_protocol(smbstate, {})
status, err = smb.start_session(smbstate, {})
status, err = smb.tree_connect(smbstate, path, {})
stdnse.debug1("SMB: Getting information for share: %s", path)
local status, err = send_transaction2(smbstate, TRANS2_QUERY_FS_INFORMATION, bin.pack("<S", SMB_QUERY_FS_SIZE_INFO))
if ( not(status) ) then
status, err = smb.stop(smbstate)
return false, "Failed to send data to server: send_transaction2"
end end
local status, response = receive_transaction2(smbstate)
if ( not(status) ) then
status, err = smb.stop(smbstate)
return false, response
end
---Attempts to retrieve additional information about a share. Will fail unless we have local pos, totalAllocationUnits, totalFreeAllocationUnits, sectorsPerAllocationUnit, bytesPerSector = bin.unpack("<LLII", response.data)
-- administrative access.
-- status, err = smb.stop(smbstate)
--@param host The host object.
--@return Status (true or false). return true, {
--@return A table of information about the share (if status is true) or an an error string (if TotalSize = totalAllocationUnits * sectorsPerAllocationUnit * bytesPerSector,
-- status is false). FreeSize = totalFreeAllocationUnits * sectorsPerAllocationUnit * bytesPerSector
function get_share_info(host, name) }
end
-- Taken from smb lib
function send_transaction2(smbstate, sub_command, function_parameters, function_data, overrides)
overrides = overrides or {}
local header1, header2, header3, header4, command, status, flags, flags2, pid_high, signature, unused, pid, mid
local header, parameters, data
local parameter_offset = 0
local parameter_size = 0
local data_offset = 0
local data_size = 0
local total_word_count, total_data_count, reserved1, parameter_count, parameter_displacement, data_count, data_displacement, setup_count, reserved2
local response = {} local response = {}
-- Create the SMB session -- Header is 0x20 bytes long (not counting NetBIOS header).
local status, smbstate = msrpc.start_smb(host, msrpc.SRVSVC_PATH) header = smb.smb_encode_header(smbstate, smb.command_codes['SMB_COM_TRANSACTION2'], overrides) -- 0x32 = SMB_COM_TRANSACTION2
if(status == false) then
return false, smbstate if(function_parameters) then
parameter_offset = 0x44
parameter_size = #function_parameters
data_offset = #function_parameters + 33 + 32
end end
-- Bind to SRVSVC service -- Parameters are 0x20 bytes long.
local status, bind_result = msrpc.bind(smbstate, msrpc.SRVSVC_UUID, msrpc.SRVSVC_VERSION, nil) parameters = bin.pack("<SSSSCCSISSSSSCCS",
if(status == false) then parameter_size, -- Total parameter count.
smb.stop(smbstate) data_size, -- Total data count.
return false, bind_result 0x000a, -- Max parameter count.
0x3984, -- Max data count.
0x00, -- Max setup count.
0x00, -- Reserved.
0x0000, -- Flags (0x0000 = 2-way transaction, don't disconnect TIDs).
0x00001388, -- Timeout (0x00000000 = return immediately).
0x0000, -- Reserved.
parameter_size, -- Parameter bytes.
parameter_offset, -- Parameter offset.
data_size, -- Data bytes.
data_offset, -- Data offset.
0x01, -- Setup Count
0x00, -- Reserved
sub_command -- Sub command
)
local data = "\0\0\0" .. (function_parameters or '')
.. (function_data or '')
-- Send the transaction request
stdnse.debug2("SMB: Sending SMB_COM_TRANSACTION2")
local result, err = smb.smb_send(smbstate, header, parameters, data, overrides)
if(result == false) then
return false, err
end end
-- Call NetShareGetInfo return true
end
local status, netsharegetinfo_result = srvsvc_netsharegetinfo(smbstate, host.ip, name, 2) function receive_transaction2(smbstate)
stdnse.debug2("NetShareGetInfo status:%s result:%s", status, netsharegetinfo_result)
if(status == false) then
if(string.find(netsharegetinfo_result, "NT_STATUS_WERR_ACCESS_DENIED")) then
stdnse.debug2("Calling NetShareGetInfo with information level 1")
status, netsharegetinfo_result = srvsvc_netsharegetinfo(smbstate, host.ip, name, 1)
if status then
smb.stop(smbstate)
return true, netsharegetinfo_result
end
end
smb.stop(smbstate)
return false, netsharegetinfo_result
end
smb.stop(smbstate) -- Read the result
local status, header, parameters, data = smb.smb_read(smbstate)
return true, netsharegetinfo_result
end
---Call the MSRPC function <code>netsharegetinfo</code> on the remote system. This function retrieves extra information about a share
-- on the system.
--
--@param smbstate The SMB state table
--@param server The IP or Hostname of the server (seems to be ignored but it's a good idea to have it)
--@return (status, result) If status is false, result is an error message. Otherwise, result is a table of values, the most
-- useful one being 'shares', which is a list of the system's shares.
function srvsvc_netsharegetinfo(smbstate, server, share, level)
stdnse.debug2("Calling NetShareGetInfo(%s, %s, %d)", server, share, level)
--NetGetShareInfo seems to reject FQPN and reads the server value from the request
--If any function called this function using a FQPN, this should take care of it.
local _, _, sharename = string.find(share, "\\\\.*\\(.*)")
if sharename then
share = sharename
end
-- [in] [string,charset(UTF16)] uint16 *server_unc,
local arguments = msrpctypes.marshall_unicode_ptr("\\\\" .. server, true)
-- [in] [string,charset(UTF16)] uint16 share_name[],
.. msrpctypes.marshall_unicode(share, true)
-- [in] uint32 level,
.. msrpctypes.marshall_int32(level)
-- [out,switch_is(level)] srvsvc_NetShareInfo info
-- Do the call
local status, result = msrpc.call_function(smbstate, smb.command_codes.SMB_COM_QUERY_INFORMATION_DISK, arguments)
if(status ~= true) then if(status ~= true) then
return false, result return false, header
end end
stdnse.debug3("MSRPC: NetShareGetInfo() returned successfully") -- Check if it worked
local pos, header1, header2, header3, header4, command, status, flags, flags2, pid_high, signature, unused, tid, pid, uid, mid = bin.unpack("<CCCCCICSSlSSSSS", header)
-- Make arguments easier to use if(header1 == nil or mid == nil) then
arguments = result['arguments'] return false, "SMB: ERROR: Server returned less data than it was supposed to (one or more fields are missing); aborting [29]"
local pos = 1 end
if(status ~= 0) then
-- [in] [string,charset(UTF16)] uint16 *server_unc, if(smb.status_names[status] == nil) then
-- [in] [string,charset(UTF16)] uint16 share_name[], return false, string.format("Unknown SMB error: 0x%08x\n", status)
-- [in] uint32 level, else
-- [out,switch_is(level)] srvsvc_NetShareInfo info return false, smb.status_names[status]
pos, result['info'] = msrpctypes.unmarshall_srvsvc_NetShareInfo(arguments, pos) end
if(pos == nil) then
return false, "unmarshall_srvsvc_NetShareInfo() returned an error"
end end
-- The return value -- Parse the parameters
pos, result['return'] = msrpctypes.unmarshall_int32(arguments, pos) local pos, total_word_count, total_data_count, reserved1, parameter_count, parameter_offset, parameter_displacement, data_count, data_offset, data_displacement, setup_count, reserved2 = bin.unpack("<SSSSSSSSSCC", parameters)
if(result['return'] == nil) then if(total_word_count == nil or reserved2 == nil) then
return false, "Read off the end of the packet (srvsvc.netsharegetinfo)" return false, "SMB: ERROR: Server returned less data than it was supposed to (one or more fields are missing); aborting [30]"
end
if(result['return'] ~= 0) then
return false, smb.get_status_name(result['return']) .. " (srvsvc.netsharegetinfo)"
end end
return true, result -- Convert the parameter/data offsets into something more useful (the offset into the data section)
end -- - 0x20 for the header, - 0x01 for the length.
parameter_offset = parameter_offset - 0x20 - 0x01 - #parameters - 0x02;
-- - 0x20 for the header, - 0x01 for parameter length, the parameter length, and - 0x02 for the data length.
data_offset = data_offset - 0x20 - 0x01 - #parameters - 0x02;
-- I'm not sure I entirely understand why the '+1' is here, but I think it has to do with the string starting at '1' and not '0'.
local function_parameters = string.sub(data, parameter_offset + 1, parameter_offset + parameter_count)
local function_data = string.sub(data, data_offset + 1, data_offset + data_count)
local response = {}
response['parameters'] = function_parameters
response['data'] = function_data
return true, response
end
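Review bot: In get_share_info the results of smb.start, smb.negotiate_protocol, smb.start_session and smb.tree_connect are assigned to status/err but never checked, so a failed connection or a rejected tree connect still proceeds to send_transaction2 on a session that was never established and the real error string is discarded; the old code checked status after msrpc.start_smb and msrpc.bind, and the new code should do the same and call smb.stop before returning. The fixed-size `bin.unpack("<LLII", response.data)` is also unguarded: response.data comes straight from the server, and a short reply leaves bytesPerSector nil so the multiplications in the returned table raise a runtime error instead of returning `false, err`, unlike receive_transaction2 which checks its unpacked fields for nil. The rewrite below adds both checks. Separately, the `Timeout (0x00000000 = return immediately)` comment in send_transaction2 no longer matches the 0x00001388 value beside it, and get_share_info, send_transaction2, receive_transaction2 and the two TRANS2/SMB_QUERY constants are all defined as globals where `local` would be the usual NSE style.
```lua
function get_share_info(host, share)
  local status, smbstate, err
  local hostaddress = (host.name ~= '' and host.name) or host.ip
  local path = "\\\\" .. hostaddress .. "\\" .. share
  -- On failure smb.start returns (false, error string); no session to stop yet
  status, smbstate = smb.start(host)
  if not status then
    return false, smbstate
  end
  status, err = smb.negotiate_protocol(smbstate, {})
  if not status then
    smb.stop(smbstate)
    return false, err
  end
  status, err = smb.start_session(smbstate, {})
  if not status then
    smb.stop(smbstate)
    return false, err
  end
  -- A rejected tree connect is reported for this share only; other shares continue
  status, err = smb.tree_connect(smbstate, path, {})
  if not status then
    smb.stop(smbstate)
    return false, err
  end
  -- … unchanged: send_transaction2 / receive_transaction2 round trip …
  local pos, totalAllocationUnits, totalFreeAllocationUnits, sectorsPerAllocationUnit, bytesPerSector = bin.unpack("<LLII", response.data)
  -- response.data is server-controlled; a short reply leaves trailing fields nil
  if totalAllocationUnits == nil or bytesPerSector == nil then
    smb.stop(smbstate)
    return false, "SMB: ERROR: Server returned less data than it was supposed to (QUERY_FS_SIZE_INFO); aborting"
  end
  -- … unchanged: smb.stop and the TotalSize/FreeSize result table …
```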


@ -9,7 +9,7 @@ for config in configs/*.yaml
do do
site="$(basename ${config/.yaml/})" site="$(basename ${config/.yaml/})"
echo "Scan $site" echo "Scan $site"
./scan "$site" & ./scan "$site"
done done
popd > /dev/null popd > /dev/null
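Review bot: With the `&` removed from the `./scan "$site"` line each scan now runs in the foreground, but its exit status is still discarded and the loop silently moves on to the next site; `./scan "$site" || echo "Scan $site failed" >&2` would at least record the failure. The unquoted `${config/.yaml/}` in the `site=` line just above is also subject to word splitting, so a config path containing whitespace produces a wrong site name: `site="$(basename "${config/.yaml/}")"`. The enclosing for loop starts outside the hunk.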