diff --git a/CHANGELOG b/CHANGELOG
index bab6ea0b6a..9417799895 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,5 +1,8 @@
 # Nmap Changelog ($Id$); -*-text-*-
+o [NSE] Add http-ntlm-info script for getting server information from Web
+ servers that require NTLM authentication. [Justin Cacak]
+
 o Added TCP support to dns.lua. [John Bond]
 o Added safe fd_set operations. This makes nmap fail gracefully instead of
diff --git a/scripts/http-ntlm-info.nse b/scripts/http-ntlm-info.nse
new file mode 100644
index 0000000000..ab0b51b0bd
--- /dev/null
+++ b/scripts/http-ntlm-info.nse
@@ -0,0 +1,148 @@
+local bin = require "bin"
+local http = require "http"
+local shortport = require "shortport"
+local stdnse = require "stdnse"
+local base64 = require "base64"
+local smbauth = require "smbauth"
+local string = require "string"
+local table = require "table"
+
+
+description = [[
+This script enumerates information from remote HTTP services with NTLM
+authentication enabled.
+
+By sending a HTTP NTLM authentication request with null domain and user
+credentials (passed in the 'Authorization' header), the remote service will
+respond with a NTLMSSP message (encoded within the ‘WWW-Authenticate’ header)
+and disclose information to include NetBIOS, DNS, and OS build version if
+available.
+]]
+
+
+---
+-- @usage
+-- nmap -p 80 --script http-ntlm-info --script-args http-ntlm-info.root=/root/
+--
+-- @args http-ntlm-info.root The URI path to request
+--
+-- @output
+-- 80/tcp open http
+-- | http-ntlm-info:
+-- | Target_Name: ACTIVEWEB
+-- | NetBIOS_Domain_Name: ACTIVEWEB
+-- | NetBIOS_Computer_Name: WEB-TEST2
+-- | DNS_Domain_Name: somedomain.com
+-- | DNS_Computer_Name: web-test2.somedomain.com
+-- | DNS_Tree_Name: somedomain.com
+-- |_ OS_Version: 6.1 (Build 7601)
+--
+--@xmloutput
+-- TELME
+-- TELME
+-- GT4
+-- telme.somedomain.com
+-- gt4.telme.somedomain.com
+-- 5.0 (Build 2195)
+
+
+author = "Justin Cacak"
+license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
+categories = {"default", "discovery", "safe"}
+
+
+portrule = shortport.http
+
+-- TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==
+-- Ref: http://davenport.sourceforge.net/ntlm.html#theType1Message
+local auth_blob = base64.enc(
+ "NTLMSSP\x00" ..
+ "\x01\x00\x00\x00" ..
-- NTLM Type 1 message
+ bin.pack(" 0 then
+ output.NetBIOS_Domain_Name = ntlm_decoded.netbios_domain_name
+ end
+
+ if ntlm_decoded.netbios_computer_name and #ntlm_decoded.netbios_computer_name > 0 then
+ output.NetBIOS_Computer_Name = ntlm_decoded.netbios_computer_name
+ end
+
+ if ntlm_decoded.dns_domain_name and #ntlm_decoded.dns_domain_name > 0 then
+ output.DNS_Domain_Name = ntlm_decoded.dns_domain_name
+ end
+
+ if ntlm_decoded.fqdn and #ntlm_decoded.fqdn > 0 then
+ output.DNS_Computer_Name = ntlm_decoded.fqdn
+ end
+
+ if ntlm_decoded.dns_forest_name and #ntlm_decoded.dns_forest_name > 0 then
+ output.DNS_Tree_Name = ntlm_decoded.dns_forest_name
+ end
+
+ -- Query product build version if available (typically OS version under Windows)
+ -- Use this method as certain open source HTTP NTLM implementations do not set correct flags
+ -- Compute offset for Target Name
+ local target_offset = data:sub(17, 21)
+ local pos, target_offset_dec = bin.unpack(" 48 and target_offset_dec ~= 48 then
+ -- Get product major version
+ local major_version = data:sub(49, 50)
+ local pos, major_version_dec = bin.unpack("C", major_version)
+
+ -- Get product minor version
+ local minor_version = data:sub(50, 51)
+ local pos, minor_version_dec = bin.unpack("C", minor_version)
+
+ -- Get product build version
+ local build = data:sub(51, 53)
+ local pos, build_dec = bin.unpack("