nmap / nmap


Nmap - the Network Mapper. Github mirror of official SVN repository.

Home Page: https://svn.nmap.org/

License: Other

C++ 17.49% C 38.26% Shell 4.62% Makefile 1.90% Assembly 0.10% HTML 0.25% NSIS 0.10% Lua 29.39% Python 4.39% Perl 0.39% Java 0.01% Batchfile 0.01% Lex 0.06% M4 0.89% Objective-C 0.01% Roff 1.15% CMake 0.90% Awk 0.01% Clean 0.08% SAS 0.01%
c-plus-plus lua security port-scanner machine-learning linux windows osx network-discovery service-discovery

nmap's Introduction


Nmap is released under a custom license, which is based on (but not compatible with) GPLv2. The Nmap license allows free usage by end users, and we also offer a commercial license for companies that wish to redistribute Nmap technology with their products. See Nmap Copyright and Licensing for full details.

The latest version of this software as well as binary installers for Windows, macOS, and Linux (RPM) are available from Nmap.org

Full documentation is also available on the Nmap.org website.

Questions and suggestions may be sent to the Nmap-dev mailing list.

Installing

Ideally, you should be able to just type:

./configure
make
make install

For far more in-depth compilation, installation, and removal notes, read the Nmap Install Guide on Nmap.org.

Using Nmap

Nmap has a lot of features, but getting started is as easy as running nmap scanme.nmap.org. Running nmap without any parameters will give a helpful list of the most common options, which are discussed in depth in the man page. Users who prefer a graphical interface can use the included Zenmap front-end.

Contributing

Information about filing bug reports and contributing to the Nmap project can be found in the HACKING and CONTRIBUTING.md files.

nmap's People

Contributors

bonsaiviking, g10h4ck, hsluoyz, tremblerz, vinamrabhatia


nmap's Issues

Empty server header in http-server-header.nse

Script http-server-header.nse is not handling well situations where the Server header is returned but empty. Specifically, pattern...

"\n[Ss][Ee][Rr][Vv][Ee][Rr]:%s*(.-)\r?\n"

...used for parsing the header assumes that class %s does not include CR or LF. When the server header is returned empty then %s* will slurp the CR/LF sequence and the subsequent capture group will get populated with the next full header (as opposed to an empty string).

The patch below replaces the problematic class with LWS as defined in RFC 822. This will cause the script to return the empty string.

One issue to note though is that the visual effect is an empty line in the formatted output:

443/tcp open  ssl/https syn-ack ttl 128
| http-server-header: 
|   Server: 
|_    

It could be argued that we should decouple the formatted output from the structured result data and replace it with something more readable like "(not listed)" or "(empty)":

443/tcp open  ssl/https syn-ack ttl 128
| http-server-header: 
|   Server: 
|_    (empty)

Patch against r33886 follows:

--- a/scripts/http-server-header.nse
+++ b/scripts/http-server-header.nse
@@ -101,7 +101,7 @@
     if string.match(result, "^HTTP/1.[01] %d%d%d") then
       port.version.service = "http"

-      local http_server = string.match(result, "\n[Ss][Ee][Rr][Vv][Ee][Rr]:%s*(.-)\r?\n")
+      local http_server = string.match(result, "\n[Ss][Ee][Rr][Vv][Ee][Rr]:[ \t]*(.-)\r?\n")

       -- Avoid setting version info if -sV scan already got a match
       if port.version.product == nil and (port.version.name_confidence or 0) <= 3 then
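
Review bot: the class change fixes the slurp but leaves the display problem described above untouched: an empty capture still renders as a bare blank line under "Server:", so either map "" to a placeholder at output time (keeping "" in the structured result) or state that the blank line is intentional. Two smaller points on the new pattern: `[ \t]*` is the right class (RFC 7230 OWS), but the match still requires a terminating `\r?\n`, so a Server header that is the last line of a truncated read goes unmatched, exactly as before; and `(.-)` keeps trailing SP/HTAB, so "Server: foo \r\n" yields "foo " and is worth trimming before it is stored as version info.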

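A worked reproduction of the whitespace-class pitfall, added here as an example; it is not part of the issue or of Nmap. It uses Python's `re`, whose `\s` also matches CR and LF, so it reproduces the Lua `%s*` behaviour described above, and contrasts the one-regex approach with a line-oriented header parser that never has the problem. The two sample responses are constructed for the demo.

```python
import re

# Constructed sample responses for the demo (not captured from a real server).
# In the first one the Server header is present but empty and another header
# follows it; that is the case the issue describes.
EMPTY_SERVER = (
    "HTTP/1.1 200 OK\r\n"
    "Server: \r\n"
    "X-Powered-By: Example/1.0\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)
NORMAL_SERVER = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx/1.18.0\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

# Same shape as the pattern quoted in the issue. Python's \s, like Lua's %s,
# matches CR and LF, so on an empty header it eats the line terminator and the
# lazy group captures the *next* header line instead of an empty string.
BUGGY_PATTERN = re.compile(r"\n[Ss][Ee][Rr][Vv][Ee][Rr]:\s*(.*?)\r?\n")

# The patched form: only linear whitespace (SP / HTAB) may follow the colon,
# so the group cannot run past the end of the Server line.
FIXED_PATTERN = re.compile(r"\n[Ss][Ee][Rr][Vv][Ee][Rr]:[ \t]*(.*?)\r?\n")


def server_header(raw_response, pattern):
    """Return the Server value selected by `pattern`, or None if absent."""
    m = pattern.search(raw_response)
    return None if m is None else m.group(1)


def parse_headers(raw_response):
    """Line-oriented alternative: split on CRLF first, then on the first colon.

    Splitting into lines before looking at whitespace sidesteps the problem
    entirely: an empty value is simply an empty string for that line.
    Returns {lowercased-name: [values...]} because a header may repeat.
    """
    head = raw_response.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:        # [0] is the status line
        name, sep, value = line.partition(":")
        if not sep:
            continue                            # not a header line
        headers.setdefault(name.strip().lower(), []).append(value.strip(" \t"))
    return headers


def display_value(value):
    """Formatting-only helper for the output discussion above: keep "" as the
    structured value but show something a human can read."""
    return "(empty)" if value == "" else value


if __name__ == "__main__":
    for label, raw in (("empty", EMPTY_SERVER), ("normal", NORMAL_SERVER)):
        print(label, "buggy:", repr(server_header(raw, BUGGY_PATTERN)))
        print(label, "fixed:", repr(server_header(raw, FIXED_PATTERN)))
        print(label, "parsed:", display_value(parse_headers(raw)["server"][0]))
```

Running it shows the buggy pattern returning "X-Powered-By: Example/1.0" as the Server value for the first response, which is the misattribution the issue describes, while the fixed pattern and the line parser both return "".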
False packet loss when using shared libpcap from Ubuntu 14.04

Nmap compiled on Ubuntu 14.04 with the shared instance of libpcap is reporting lost packets, which in turn significantly impacts performance and quality of results. However, simultaneously running Wireshark on the same host does see them. The same issue is not experienced when compiled with the included instance of libpcap.

Details are available at http://seclists.org/nmap-dev/2014/q2/538

Possibly related:
http://seclists.org/nmap-dev/2014/q2/548
http://seclists.org/nmap-dev/2014/q2/341

Better debugging/status output for NSE

Currently, the only feedback a user has (beyond full stack traces for every running script when a key is pressed at -d2) is a timing line like this:

NSE Timing: About 96.08% done; ETC: 20:46 (0:00:50 remaining)

It seems like this could be enhanced at higher debug levels with information about

  • number of running scripts
  • Number of scripts in each status (waiting, running, etc.)
  • Names of scripts once they drop below a certain number (5?)
  • Maybe even a backtrace of 1 or 2 remaining scripts at a high debug level.

building on mac os x 10.9 undeclared identifiers

/Applications/Xcode.app/Contents/Developer/usr/bin/make nmap build-zenmap build-ndiff build-nping
g++ -c -I./liblinear -I./liblua -I./libdnet-stripped/include -I./libpcre -I./nbase -I./nsock/include -DHAVE_CONFIG_H -DNMAP_NAME="Nmap" -DNMAP_URL="http://nmap.org\" -DNMAP_PLATFORM="x86_64-apple-darwin13.2.0" -DNMAPDATADIR="/usr/local/share/nmap" -D_FORTIFY_SOURCE=2 -no-cpp-precomp -g -O2 -Wall -fno-strict-aliasing nmap_tty.cc -o nmap_tty.o
nmap_tty.cc:234:9: error: use of undeclared identifier 'sigfillset'
sigfillset(&sa.sa_mask); /* block all signals during handler exe...
^
nmap_tty.cc:236:9: error: no matching constructor for initialization of
'sigaction'
sigaction(signo, &sa, NULL);
^ ~~~~~~~~~~~~~~~~
/usr/include/sys/signal.h:283:8: note: candidate constructor (the implicit
default constructor) not viable: requires 0 arguments, but 3 were provided
struct sigaction {
^
/usr/include/sys/signal.h:283:8: note: candidate constructor (the implicit copy
constructor) not viable: requires 1 argument, but 3 were provided
nmap_tty.cc:248:9: error: use of undeclared identifier 'sigemptyset'
sigemptyset(&set);
^
nmap_tty.cc:249:9: error: use of undeclared identifier 'sigaddset'
sigaddset(&set, signo);
^
nmap_tty.cc:250:9: error: use of undeclared identifier 'sigprocmask'
sigprocmask(SIG_UNBLOCK, &set, NULL);
^
nmap_tty.cc:251:9: error: use of undeclared identifier 'raise'
raise(signo); /* This should kill us */
^
6 errors generated.
make[1]: *** [nmap_tty.o] Error 1
make: *** [all] Error 2

Migrate Nmap todo list to Github Issues

This is tentative, depending on how testing and feedback go. Feel free to leave feedback on this idea!

If you are an Nmap developer, please leave a note below so we know who already has a Github account.

Improved version of NSE script http-shellshock

A script to detect the shellshock vulnerabilities in web applications was committed in rev 33916. However, there is room for improvements (although I'm not sure how urgent they are):

  • The current script uses / as the default URI, but the spidering library could be integrated to attempt to find all files inside /cgi-bin/ directories.
  • A list of popular cgi-bin paths could be added. This also generates more traffic and is useless against the majority of non-vulnerable hosts.

Nmap-dev thread:
http://seclists.org/nmap-dev/2014/q4/291

rdp-enum-encryption against 172.x.x.x:3389 threw an error!

rdp-enum-encryption is throwing an error when running

NSE: rdp-enum-encryption against 172.x.x.x:3389 threw an error!
/usr/bin/../share/nmap/scripts/rdp-enum-encryption.nse:72: bad argument #2 to 'unpack' (string expected, got nil)
stack traceback:
    [C]: in function 'unpack'
    /usr/bin/../share/nmap/scripts/rdp-enum-encryption.nse:72: in function 'enum_protocols'
    /usr/bin/../share/nmap/scripts/rdp-enum-encryption.nse:150: in function 
    (...tail calls...)

Running Nmap version 6.40

nbase_rnd repeating random padding for "data-length" option

Can someone explain why this is the default behavior? It seems to cause a lot of things to be revealed and should be easily detectable by an IDS. I don't think there is any legit reason for a remote machine to be sending the same data to every port. Sorry, this is probably not the place for this discussion, this is my first time using github.

Add CPEs to nmap-service-probes

About 6600 of the 9600+ match lines do not have a cpe:/ entry. This should be supported at least for the most common services and those lines which have OS information. 291 of the 2172 match lines which have o/ OS info are missing CPE info.

auth-owners.nse repeating error

A script run on a single host throws this error repeatedly with debug=1

NSE: auth-owners against 10.x.xxx.xx:5356 threw an error!
ERROR
stack traceback:
[C]: in function 'try'
/usr/bin/../share/nmap/scripts/auth-owners.nse:57: in function </usr/bin/../share/nmap/scripts/auth-owners.nse:44>
(...tail calls...)

Adding https-alt to shortport.http()

I am proposing to add service "https-alt" to shortport.http(). This change will also make shortport.http() more consistent with shortport.ssl(), which already recognizes service "https-alt" and port 8443.

--- a/nselib/shortport.lua       2014-12-29 11:50:09.000000000 -0700
+++ b/nselib/shortport.lua       2015-02-09 18:35:37.261037500 -0700
@@ -162,12 +162,12 @@
 Litespeed webserver default ports: 8088 and 7080
 --]]
 LIKELY_HTTP_PORTS = {
-  80, 443, 631, 7080, 8080, 8088, 5800, 3872, 8180, 8000
+  80, 443, 631, 7080, 8080, 8443, 8088, 5800, 3872, 8180, 8000
 }

 LIKELY_HTTP_SERVICES = {
-  "http", "https", "ipp", "http-alt", "vnc-http", "oem-agent", "soap",
-  "http-proxy",
+  "http", "https", "ipp", "http-alt", "https-alt", "vnc-http", "oem-agent",
+  "soap", "http-proxy",
 }

 ---
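
Review bot: adding 8443 to LIKELY_HTTP_PORTS makes every http-* script eligible on 8443 even when -sV has not identified the service, and 8443 is almost always TLS; confirm that the http library's TLS fallback covers that path, otherwise the scripts will push plaintext requests into a TLS listener and produce noise rather than results. The comment block above the table enumerates the products behind each default port; add a line for 8443 so the table stays self-documenting, and mention in the commit message that shortport.ssl() already lists both "https-alt" and 8443, since that is the consistency argument for the change.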

Need to consolidate or index "getting started" pages

We have lots of resources for new contributors, but they are all over the place. We should consolidate information and make it easy to find, especially from the front page of Github (i.e. the README).

What we have (not exhaustive list):

What we could add:

  • A README or README.md file in the root of the repo, which would become the "front page" of sorts for the Github repo
  • A CONTRIBUTING.md file in the root of the repo, which Github will link on the "new issue" page.

Document the new issue/bug tracker

We should document this shiny new issue tracker in the Nmap book and man page, e.g.:

http://nmap.org/book/man-bugs.html

If it's not more than a page or so, we can probably just put it all there. But if there's more that warrants documentation in helping users use this properly, we should probably put it into Ch1 or 2 and then just include a reference in this man page and a very short summary.

For stuff only needed by admins of the issue tracker (tagging, etc.) we should probably create a secwiki page for best practices, tag meanings, etc.

"tcpwrapped" false positives

I am regularly observing incorrect "tcpwrapped" results where the targeted service is simply killing the null probe connection before nmap itself does. (Most recently I have noticed it on ArubaOS Management WebUI, which is HTTPS-based and it terminates the connection after 5 seconds.)

Looking for a solution, I came across a year-old post that pinpoints the relevant nmap code and proposes an enhancement but the attached patch seems to be based on incorrect understanding of the nmap data structures.

The patch below follows the same enhancement logic (a service is considered "tcpwrapped" only if the connection is closed quickly) but the implementation is different than the original patch. In a nutshell:

  1. Defines TCPWRAPPED_TIMEOUT=2000. Connections closed after this timeout expires are not considered "tcpwrapped".
  2. Implements new method ServiceNFO::probe_timemsused(), which returns how long the probe connection lasted. The method is a logical complement of existing sibling probe_timemsleft(). This old method has been reimplemented as well to avoid code duplication.
  3. Adds check probe_timemsused() < TCPWRAPPED_TIMEOUT in two locations.

While the patch seems to be working fine for me, I have to admit that I am not very familiar with this area of nmap internals, so the patch might not be up to snuff. I would very much appreciate feedback from more versed developers.

--- a/service_scan.cc
+++ b/service_scan.cc
@@ -218,6 +218,9 @@
   // when SSL is detected -- we redo all probes through SSL.  If freeFP, any
   // service fingerprint is freed too.
   void resetProbes(bool freefp);
+  // Number of milliseconds used so far to complete the present probe.  Timeval
+  // can omitted, it is just there as an optimization in case you have it handy.
+  int probe_timemsused(const ServiceProbe *probe, const struct timeval *now = NULL);
   // Number of milliseconds left to complete the present probe, or 0 if
   // the probe is already expired.  Timeval can omitted, it is just there
   // as an optimization in case you have it handy.
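
Review bot: the new declaration's comment copies the slip from the sibling comment below it ("Timeval can omitted"); write "Timeval can be omitted" in the new text rather than propagating it. More importantly, say what the value is measured from: it is milliseconds since currentprobe_exec_time, and whether that stamp is taken before or after the TCP handshake completes decides how much of the 2000 ms budget a high-latency connect eats before the peer even gets a chance to close; the TCPWRAPPED_TIMEOUT check in the later hunks depends on that answer.
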
@@ -1816,9 +1819,8 @@
   probe_state = PROBESTATE_INITIAL;
 }

-
-int ServiceNFO::probe_timemsleft(const ServiceProbe *probe, const struct timeval *now) {
-  int timeused, timeleft;
+int ServiceNFO::probe_timemsused(const ServiceProbe *probe, const struct timeval *now) {
+  int timeused;

   if (now)
     timeused = TIMEVAL_MSEC_SUBTRACT(*now, currentprobe_exec_time);
@@ -1832,7 +1834,16 @@
   // probe == currentProbe(). Check that this remains the case.
   assert(probe == currentProbe());

-  timeleft = probe->totalwaitms - timeused;
+  return timeused;
+}
+
+int ServiceNFO::probe_timemsleft(const ServiceProbe *probe, const struct timeval *now) {
+
+  // Historically this function was always called with the assumption that
+  // probe == currentProbe(). Check that this remains the case.
+  assert(probe == currentProbe());
+
+  int timeleft = probe->totalwaitms - probe_timemsused(probe, now);
   return (timeleft < 0)? 0 : timeleft;
 }

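Review bot: assert(probe == currentProbe()) and its explanatory comment now appear twice, once here in probe_timemsleft and again inside probe_timemsused, which this function calls unconditionally, so every call asserts the same thing twice. Keep the assertion in probe_timemsused, where the value is computed, and reduce probe_timemsleft to the subtraction and clamp. The mid-function `int timeleft` declaration is legal C++ but the surrounding code declares locals at the top of the function; match that.
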
@@ -2480,7 +2491,7 @@
     if (readstrlen > 0)
       svc->addToServiceFingerprint(svc->currentProbe()->getName(), readstr,
                                    readstrlen);
-    if (probe->isNullProbe() && readstrlen == 0) {
+    if (probe->isNullProbe() && readstrlen == 0 && svc->probe_timemsused(probe) < TCPWRAPPED_TIMEOUT) {
       // TODO:  Perhaps should do further verification before making this assumption
       end_svcprobe(nsp, PROBESTATE_FINISHED_TCPWRAPPED, SG, svc, nsi);
     } else {
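
Review bot: TCPWRAPPED_TIMEOUT is an absolute 2000 ms, but the window in which a NULL-probe close can happen at all is probe->totalwaitms, which varies with the timing template; when totalwaitms is below 2000 the new condition is always true and the patch changes nothing, and when it is far above it the fixed cutoff is arbitrary. Consider expressing the threshold as a fraction of totalwaitms or exposing it as a tunable, and document the chosen default. If a current timeval is already available in this handler, pass it as the second argument instead of letting probe_timemsused read the clock again. The "TODO: Perhaps should do further verification" comment directly below is now partly satisfied by this check; update it.
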
@@ -2498,7 +2509,7 @@
                        // BSD sometimes gives it
     case ECONNABORTED:
       // Jerk hung up on us.  Probably didn't like our probe.  We treat it as with EOF above.
-      if (probe->isNullProbe()) {
+      if (probe->isNullProbe() && svc->probe_timemsused(probe) < TCPWRAPPED_TIMEOUT) {
         // TODO:  Perhaps should do further verification before making this assumption
         end_svcprobe(nsp, PROBESTATE_FINISHED_TCPWRAPPED, SG, svc, nsi);
       } else {
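
Review bot: this is the same condition as in the EOF branch above; factor it into one helper on ServiceNFO (a method that answers "did the null probe's connection end within TCPWRAPPED_TIMEOUT") so the two call sites cannot drift, and so that a reset (ECONNRESET, "BSD sometimes gives it") and a clean close are classified by a single rule. With the patch, a late RST falls through to the else branch and the service proceeds through the remaining probes, which is the intended outcome; state that in the commit message so the behavior change is searchable.
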
--- a/service_scan.h
+++ b/service_scan.h
@@ -146,6 +146,7 @@
 #define SERVICEMATCH_REGEX 1
 // #define SERVICEMATCH_STATIC 2 -- no longer supported

+#define TCPWRAPPED_TIMEOUT 2000   // connections closed after this timeout are not considered "tcpwrapped"
 /**********************  STRUCTURES  ***********************************/

 // This is returned when we find a match
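
Review bot: put the unit in the macro name (TCPWRAPPED_TIMEOUT_MS) and separate it from the SERVICEMATCH group with a blank line or move it below the STRUCTURES banner; as placed it sits directly under the "no longer supported" comment for SERVICEMATCH_STATIC and reads as part of that group. The comment should also say what the interval is measured from (start of the NULL probe, not the connect() call), since that is what makes 2000 ms meaningful.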

CentOS / ssl-poodle script / module sslcert not found

I've downloaded the ssl-poodle script into my scripts folder however when I try to use it I get this error.

Running a pretty clean CentOS 6.5 install. I only installed it last night. Then did yum install nmap.

[root@localhost scripts]# nmap -sV --version-light --script ssl-poodle -p 443 twitter.com

Starting Nmap 5.51 ( http://nmap.org ) at 2014-10-28 14:46 UTC
NSE: failed to initialize the script engine:
/usr/share/nmap/nse_main.lua:384: ./ssl-poodle.nse:3: module 'sslcert' not found:
    no field package.preload['sslcert']
    no file '/usr/share/nmap/nselib/sslcert.lua'
    no file './sslcert.lua'
    no file '/usr/share/lua/5.1/sslcert.lua'
    no file '/usr/share/lua/5.1/sslcert/init.lua'
    no file '/usr/lib64/lua/5.1/sslcert.lua'
    no file '/usr/lib64/lua/5.1/sslcert/init.lua'
    no file './sslcert.so'
    no file '/usr/lib64/lua/5.1/sslcert.so'
    no file '/usr/lib64/lua/5.1/loadall.so'
stack traceback:
    [C]: in function 'assert'
    /usr/share/nmap/nse_main.lua:384: in function 'new'
    /usr/share/nmap/nse_main.lua:578: in function 'get_chosen_scripts'
    /usr/share/nmap/nse_main.lua:1006: in main chunk
    [C]: ?

QUITTING!

Use port scan timing data to influence service detection parallelism

In scan_engine.cc, the ideal parallelism for service scan is set based on -T timing template and the max and min parallelism. Unfortunately, this may be lower or higher than the network can support, so it would be better to be able to use timing info from the port scan phase to influence this number.

Here are some progressive improvements that may be able to be made:

  1. Choose desired_par based on port scan timing results.
  2. Tune desired_par empirically to accurately reflect what the network can handle: port scan's idea of parallelism is number of packets in transit, but service scan's is number of connections.
  3. Adjust timeouts and parallelism dynamically during the scan based on timed-out connections
  4. Introduce per-host parallelism to account for slow targets without slowing down the entire scan.

Maybe we can take clues from scan_engine_connect and @Deetah's Nsock-based port scanning GSOC 2014 project to see how to do timing with our Nsock-based service scan.

"X.X.X.X/0 looks like an IPv6 target specification" error with proxychains-ng

This is a known old bug with Proxychains-NG, which I am entering into our issues tracker to make it more searchable. Here is one of the original reports: http://seclists.org/nmap-dev/2014/q4/54

Example output:

Starting Nmap 6.41SVN ( http://nmap.org ) at 2013-09-22 00:31 AST

|DNS-request| scame.nmap.org
|S-chain|-<>-127.0.0.1:9050-<><>-4.2.2.2:53-<><>-OK
|DNS-response| scame.nmap.org is 173.255.243.189

173.255.243.189/0 looks like an IPv6 target specification -- you have
to use the -6 option.
WARNING: No targets were specified, so 0 hosts scanned.
Nmap done: 0 IP addresses (0 hosts up) scanned in 1.56 seconds

netcat : add a zero-byte option

In my personal usage, a very useful option of the traditional netcat is the zero-byte connection (-z) : this is intended to just test the connectivity to a remote port, not sending any data. Unfortunately, this is not yet implemented into your version of netcat which apparently is the only one distributed by some Linux distributions (i.e. RedHat).

Would it be possible to add this option, please?
Thank you

allow nmap/liblua build with clang (do not overwrite CC)

liblua builds fine with clang, but setting CC=clang will be overwritten in the liblua/Makefile

Index: liblua/Makefile

--- liblua/Makefile (revision 33903)
+++ liblua/Makefile (working copy)
@@ -6,7 +6,7 @@

Your platform. See PLATS for possible values.

PLAT= none

-CC= gcc
+CC?= gcc
CFLAGS= -O2 -Wall -DLUA_COMPAT_ALL $(SYSCFLAGS) $(MYCFLAGS)
LDFLAGS= $(SYSLDFLAGS) $(MYLDFLAGS)
LIBS= -lm $(SYSLIBS) $(MYLIBS)
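
Review bot: `CC?= gcc` will not default to gcc. GNU make predefines CC as `cc` (an implicit-rule variable), so `?=` finds it already set and the liblua build silently becomes whatever `cc` is on the system, which is not what the line now documents. If the goal is "inherit the compiler configure chose", check first whether the top-level Makefile already passes CC on the liblua make invocation (a command-line `CC=...` overrides a plain `CC= gcc` in the sub-Makefile, making this patch unnecessary); if it does not, adding `CC="$(CC)"` there is the robust fix, or test `ifeq ($(origin CC),default)` before defaulting. Also, the context lines in this hunk have lost their leading `#` (the "Your platform" comment), so the patch as pasted will not apply cleanly.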

Finish building and testing installer built with VS2013 on Windows 8.1

The goal is to have the next version of the Nmap installer built on VS2013. It builds just fine, but still need to test the installer build process and make sure the installer works all the way back to Windows Vista -- Windows XP will not be supported, though it may work anyway.

Allow users to specify ciphersuites for --ssl

Currently, Ncat uses ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH as its ciphersuite list, which may not meet the security needs of some users. We should offer a command-line argument to allow users to provide a different spec like --ssl-ciphers 'HIGH'

Fix nmap.exe Windows file version

Our system doesn't seem to be properly updating the nmap.exe file version (Windows property) when we do a new build. I think this is controlled by mswin32/nmap.rc which is created based on nmap.rc.in which contains:

FILEVERSION @@COMMAVERSION@@

And COMMAVERSION is set to $(COMMA_VERSION) in the mswin32/Makefile

and COMMA_VERSION is also set in mswin32/Makefile using a shell command to modify $(NMAP_NUM_VERSION)

and $NMAP_NUM_VERSION is defined in nmap.h.

I'm not sure what part of this chain is failing, but apparently something is as described in this message:

http://seclists.org/nmap-dev/2015/q1/42

NORETURN macro broke compilation on VS 2010

The NORETURN macro, as defined in commit 85bb2d3 from November 17, seems to be disliked by VS 2010. Specifically, the double parentheses in __declspec((noreturn)) are causing a syntax error whenever the macro is used. Is anybody else experiencing this?

Reducing the parentheses to a single pair in the three different include files where the same macro is defined seems to resolve the issue. (Note that this is also the form that was originally discussed in http://seclists.org/nmap-dev/2014/q4/204 )

Patch against r33886 follows:

--- nbase/nbase.h.orig  2014-12-29 11:50:01.000000000 -0700
+++ nbase/nbase.h   2014-12-31 13:19:04.622431600 -0700
@@ -374,7 +374,7 @@
 #if defined(__GNUC__)
 #define NORETURN __attribute__((noreturn))
 #elif defined(_MSC_VER)
-#define NORETURN __declspec((noreturn))
+#define NORETURN __declspec(noreturn)
 #else
 #define NORETURN
 #endif
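
Review bot: the fix is correct: MSVC's spelling is `__declspec(noreturn)` with a single pair of parentheses, and the doubled pair is a GCC `__attribute__((...))` habit. Add a one-line comment saying the two forms differ on purpose, otherwise the next person to "fix" the asymmetry will put the second pair back.
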
--- libnetutil/netutil.h.orig   2014-12-29 11:49:37.000000000 -0700
+++ libnetutil/netutil.h    2014-12-31 13:17:20.102431600 -0700
@@ -165,7 +165,7 @@
 #if defined(__GNUC__)
 #define NORETURN __attribute__((noreturn))
 #elif defined(_MSC_VER)
-#define NORETURN __declspec((noreturn))
+#define NORETURN __declspec(noreturn)
 #else
 #define NORETURN
 #endif
--- nsock/src/error.h.orig  2014-12-29 11:50:00.000000000 -0700
+++ nsock/src/error.h   2014-12-31 13:20:59.287231600 -0700
@@ -77,7 +77,7 @@
 #if defined(__GNUC__)
 #define NORETURN __attribute__((noreturn))
 #elif defined(_MSC_VER)
-#define NORETURN __declspec((noreturn))
+#define NORETURN __declspec(noreturn)
 #else
 #define NORETURN
 #endif
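
Review bot: three identical copies of the NORETURN block (nbase/nbase.h, libnetutil/netutil.h, nsock/src/error.h) are how one typo landed in three places at once. If libnetutil and nsock already include nbase.h, or can, define the macro once there and wrap the other two in `#ifndef NORETURN` so the next change is made in one file.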

Issue while running the mysql audit script

[C]: in function 'error'
C:\Program Files (x86)\Nmap/nselib/strict.lua:80: in function '__index'
nselib/data/mysql-cis.audit:34: in function 'createINstmt'
nselib/data/mysql-cis.audit:115: in function 'file'
C:\Program Files (x86)\Nmap/scripts\mysql-audit.nse:110: in function 'loadAuditRulebase'
C:\Program Files (x86)\Nmap/scripts\mysql-audit.nse:130: in function <C:\Program Files (x86)\Nmap/scripts\mysql-audit.nse:116>
(...tail calls...)

Extend nmap_mass_rdns to support IPv6

nmap_mass_rdns in nmap_dns.cc has this little disappointment:

  // mass_dns only supports IPv4.
  if (o.mass_dns && o.af() == AF_INET)
    nmap_mass_rdns_core(targets, num_targets);
  else
    nmap_system_rdns_core(targets, num_targets);

I don't see any technical reason why IPv6 couldn't also be supported, which would give a big speed boost to IPv6 scans, especially -sL list scans, which can be a cheap, stealthy way of doing target discovery.

Duplicate credential storage?

I have noticed that nmap.registry holds two parallel structures for credentials: "creds" and "credentials". The former is abstracted out through the creds library and the latter is used directly by just a few scripts.

Specifically, two scripts (http-brute, and http-form-brute) are populating structure credentials.http, while they also utilize the creds library so they are storing the credentials twice. In the entire script collection only one script (http-domino-enum-passwords) seems to consume the credentials.http structure.

I would like to solicit opinions whether the redundancy serves a particular purpose or whether it is just a leftover. In case of the latter, the attached patch converts the one script to use the creds library and retires the credentials.http structure.

The patch does not touch script backorifice-brute, which populates registry structure credentials.backorifice, although it would be very easy to do so. As far as I can tell none of the scripts consume credentials.backorifice. It looks like script backorifice-info was meant to but it was not implemented.

--- a/scripts/http-brute.nse
+++ b/scripts/http-brute.nse
@@ -16,8 +16,8 @@
 -- nmap --script http-brute -p 80 <host>
 --
 -- This script uses the unpwdb and brute libraries to perform password
--- guessing. Any successful guesses are stored in the nmap registry, under
--- the nmap.registry.credentials.http key for other scripts to use.
+-- guessing. Any successful guesses are stored in the nmap registry, using
+-- the creds library, for other scripts to use.
 --
 -- @output
 -- PORT     STATE SERVICE REASON
@@ -90,13 +90,6 @@
     -- but gave me a number of false positives last time I tried.
     -- We decided to change it to ~= 4xx.
     if ( response.status < 400 or response.status > 499 ) then
-      if ( not( nmap.registry['credentials'] ) ) then
-        nmap.registry['credentials'] = {}
-      end
-      if ( not( nmap.registry.credentials['http'] ) ) then
-        nmap.registry.credentials['http'] = {}
-      end
-      table.insert( nmap.registry.credentials.http, { username = username, password = password } )
       return true, creds.Account:new( username, password, creds.State.VALID)
     end
     return false, brute.Error:new( "Incorrect password" )
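
Review bot: with the registry writes gone, check whether `nmap` is still referenced anywhere in http-brute.nse; if `local nmap = require "nmap"` is now unused, drop it, and do the same check for the matching hunk in http-form-brute.nse. The doc comment changed in the previous hunk now tells consumers to look in "the creds library" but not how; name creds.Credentials:getCredentials there so the reading side is as discoverable as the registry key used to be.
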
--- a/scripts/http-domino-enum-passwords.nse
+++ b/scripts/http-domino-enum-passwords.nse
@@ -1,3 +1,4 @@
+local creds = require "creds"
 local http = require "http"
 local io = require "io"
 local nmap = require "nmap"
@@ -81,10 +82,11 @@
 -- @args domino-enum-passwords.password Password for HTTP auth, if required

 --
--- Version 0.2
+-- Version 0.4
 -- Created 07/30/2010 - v0.1 - created by Patrik Karlsson <[email protected]>
 -- Revised 07/31/2010 - v0.2 - add support for downloading ID files
 -- Revised 11/25/2010 - v0.3 - added support for separating hash-type <[email protected]>
+-- Revised 11/25/2010 - v0.4 - switched to "creds" credential repository, <nnposter>

 author = "Patrik Karlsson"
 license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
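
Review bot: the new v0.4 history line carries the v0.3 date (11/25/2010); put the date the change was actually made. The other entries follow "name <email>", so `<nnposter>` should either match that format or be left out.
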
@@ -219,42 +221,37 @@
   local vhost= stdnse.get_script_args('domino-enum-passwords.hostname')
   local user = stdnse.get_script_args('domino-enum-passwords.username')
   local pass = stdnse.get_script_args('domino-enum-passwords.password')
-  local creds, pos, pager
+  local pos, pager
   local links, result, hashes,legacyHashes, id_files = {}, {}, {}, {},{}
   local chunk_size = 30
   local max_fetch = tonumber(stdnse.get_script_args('domino-enum-passwords.count')) or 10
   local http_response

-  if ( nmap.registry['credentials'] and nmap.registry['credentials']['http'] ) then
-    creds = nmap.registry['credentials']['http']
-  end
-
   -- authentication required?
   if ( requiresAuth( vhost or host, port, path ) ) then
-    if ( not(user) and not(creds) ) then
-      return "  \n  ERROR: No credentials supplied (see domino-enum-passwords.username and domino-enum-passwords.password)"
-    end
-
     -- A user was provided, attempt to authenticate
     if ( user ) then
       if (not(isValidCredential( vhost or host, port, path, user, pass )) ) then
         return "  \n  ERROR: The provided credentials where invalid"
       end
-    elseif ( creds ) then
-      for _, cred in pairs(creds) do
-        if ( isValidCredential( vhost or host, port, path, cred.username, cred.password ) ) then
-          user = cred.username
-          pass = cred.password
+    else
+      local has_creds = false
+      local c = creds.Credentials:new(creds.ALL_DATA, host, port)
+      for cred in c:getCredentials(creds.State.VALID) do
+        has_creds = true
+        if (isValidCredential(vhost or host, port, path, cred.user, cred.pass)) then
+          user = cred.user
+          pass = cred.pass
           break
         end
       end
+      if not pass then
+        local msg = has_creds and "No valid credentials were found" or "No credentials supplied"
+        return string.format("  \n  ERROR: %s (see domino-enum-passwords.username and domino-enum-passwords.password)", msg)
+      end
     end
   end

-  if ( not(user) and not(pass) ) then
-    return "  \n  ERROR: No valid credentials were found (see domino-enum-passwords.username and domino-enum-passwords.password)"
-  end
-
   path = "/names.nsf/People?OpenView"
   http_response = http.get( vhost or host, port, path, { auth = { username = user, password = pass }, no_cache = true })
   pager = getPager( http_response.body )
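
Review bot: `if not pass then` is the wrong sentinel: a VALID account returned by getCredentials can legitimately carry an empty or nil password, in which case the loop finds a usable user, breaks, and the script still reports "No valid credentials were found"; test `if not user then` instead. Two behavior changes also deserve a sentence in the commit message: the post-block check that previously errored out even when the site required no authentication is gone, so unauthenticated Domino servers are now enumerated without credentials, and `has_creds` now distinguishes an empty registry from one holding only rejected accounts, which makes the error text more accurate. Finally, creds.ALL_DATA returns accounts recorded by every script for this host/port, not only the HTTP brute scripts; if that is broader than intended, scope the lookup.
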
--- a/scripts/http-form-brute.nse
+++ b/scripts/http-form-brute.nse
@@ -12,8 +12,8 @@
 Performs brute force password auditing against http form-based authentication.

 This script uses the unpwdb and brute libraries to perform password
-guessing. Any successful guesses are stored in the nmap registry, under
-the nmap.registry.credentials.http key for other scripts to use.
+guessing. Any successful guesses are stored in the nmap registry, using
+the creds library, for other scripts to use.

 The script automatically attempts to discover the form method, action, and
 field names to use in order to perform password guessing. (Use argument
@@ -234,9 +234,6 @@
     if not success then
       return false, brute.Error:new("Incorrect password")
     end
-    nmap.registry['credentials'] = nmap.registry['credentials'] or {}
-    nmap.registry.credentials['http'] = nmap.registry.credentials['http'] or {}
-    table.insert(nmap.registry.credentials.http, {username = username, password = password})
     return true, creds.Account:new(username, password, creds.State.VALID)
   end,

I get this error scanning against my gpsd

nmap -p 2947 127.0.0.1 --script gpsd-info -d

Starting Nmap 6.25 ( http://nmap.org ) at 2012-12-01 16:18 IST
--------------- Timing report ---------------
hostgroups: min 1, max 100000
rtt-timeouts: init 1000, min 100, max 10000
max-scan-delay: TCP 1000, UDP 1000, SCTP 1000
parallelism: min 0, max 0
max-retries: 10, host-timeout: 0

min-rate: 0, max-rate: 0

NSE: Using Lua 5.2.
NSE: Loaded 1 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 1) scan.
mass_rdns: Using DNS server 8.8.8.8
mass_rdns: Using DNS server 8.8.4.4
mass_rdns: Using DNS server 127.0.1.1
Initiating SYN Stealth Scan at 16:18
Scanning localhost (127.0.0.1) [1 port]
Packet capture filter (device lo): dst host 127.0.0.1 and (icmp or icmp6 or ((tcp or udp or sctp) and (src host 127.0.0.1)))
Discovered open port 2947/tcp on 127.0.0.1
Completed SYN Stealth Scan at 16:18, 0.01s elapsed (1 total ports)
Overall sending rates: 193.16 packets / s, 8499.13 bytes / s.
NSE: Script scanning 127.0.0.1.
NSE: Starting runlevel 1 (of 1) scan.
NSE: Starting gpsd-info against 127.0.0.1:2947.
Initiating NSE at 16:18
NSE: gpsd-info against 127.0.0.1:2947 threw an error!
/usr/local/bin/../share/nmap/scripts/gpsd-info.nse:82: attempt to index upvalue 'gps' (a boolean value)
stack traceback:
/usr/local/bin/../share/nmap/scripts/gpsd-info.nse:82: in function </usr/local/bin/../share/nmap/scripts/gpsd-info.nse:53>
(...tail calls...)

Completed NSE at 16:18, 0.40s elapsed
Nmap scan report for localhost (127.0.0.1)
Host is up, received localhost-response (0.000086s latency).
Scanned at 2012-12-01 16:18:51 IST for 0s
PORT STATE SERVICE REASON
2947/tcp open unknown syn-ack
Final times for host: srtt: 86 rttvar: 5000 to: 100000

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 1) scan.
Read from /usr/local/bin/../share/nmap: nmap-payloads nmap-services.
Nmap done: 1 IP address (1 host up) scanned in 0.47 seconds
Raw packets sent: 1 (44B) | Rcvd: 2 (88B)

Make Ncat warn about certificate trust issues even without --ssl-verify

From the Nmap TODO file:

Change Ncat so that it does SSL certificate trust checking by
default (even without --ssl-verify) and provides a warning and the key
fingerprint if there is no valid trusted chain or the cert is
expired, etc. The warning should happen (to STDERR) even if -v is
not specified.

This is also in the TODO file, but the design decision is not firm:

We should add a new option to force Ncat to quit if
cert not valid, and --ssl-verify should become an undocumented alias
for that.

nmap on FreeBSD 11 (current) fails with this error message.

# nmap $host
Starting Nmap 6.47 ( http://nmap.org ) at 2015-01-19 20:10 CET
sendto in send_ip_packet_sd: sendto(4, packet, 28, 0, 10.6.25.40, 16) => Invalid argument
Offending packet: ICMP [10.6.20.182 > 10.6.25.40 Echo request (type=8/code=0) id=64730 seq=0] IP [ttl=52 id=37096 iplen=7168 ]
sendto in send_ip_packet_sd: sendto(4, packet, 44, 0, 10.6.25.40, 16) => Invalid argument
Offending packet: TCP 10.6.20.182:56964 > 10.6.25.40:443 S ttl=51 id=39356 iplen=11264  seq=684099691 win=1024 
sendto in send_ip_packet_sd: sendto(4, packet, 40, 0, 10.6.25.40, 16) => Invalid argument
Offending packet: TCP 10.6.20.182:56964 > 10.6.25.40:80 A ttl=54 id=36790 iplen=10240  seq=0 win=1024

It seems the following patch will fix this.

--- libnetutil/netutil.cc.orig  2014-08-16 02:45:47 UTC
+++ libnetutil/netutil.cc
@@ -3605,20 +3605,23 @@ int send_ip_packet_sd(int sd, const stru
      must deal with it here rather than when building the packet,
      because they should be in NBO when I'm sending over raw
      ethernet */
+/* FreeBSD 11 fix (sendto in send_ip_packet_sd: sendto(4, packet, 44, 0, $IP, 16) => Invalid argument)
 #if FREEBSD || BSDI || NETBSD || DEC || MACOSX
   ip->ip_len = ntohs(ip->ip_len);
   ip->ip_off = ntohs(ip->ip_off);
 #endif
-
+*/
   res = Sendto("send_ip_packet_sd", sd, packet, packetlen, 0,
                (struct sockaddr *) &sock,
                (int) sizeof(struct sockaddr_in));
 
   /* Undo the byte order switching. */
+/* FreeBSD 11 fix (sendto in send_ip_packet_sd: sendto(4, packet, 44, 0, $IP, 16) => Invalid argument)
 #if FREEBSD || BSDI || NETBSD || DEC || MACOSX
   ip->ip_len = htons(ip->ip_len);
   ip->ip_off = htons(ip->ip_off);
 #endif
+*/
 
   return res;
 }
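
Review bot: the patch disables the byte-order swap for every platform in the `#if FREEBSD || BSDI || NETBSD || DEC || MACOSX` list, not just FreeBSD 11, so older FreeBSD releases and the other BSDs, which still expect host order in `ip_len`/`ip_off`, would start failing the same way FreeBSD 11 does now. The diagnosis itself is right: the quoted `iplen=7168`, `11264` and `10240` are 28, 44 and 40 with their two bytes swapped (0x001C becomes 0x1C00), which shows the new kernel wants network byte order. Guard the new behaviour on the FreeBSD version (`__FreeBSD_version`) instead of removing the swap for everyone, and use a preprocessor conditional rather than wrapping `#if` blocks in `/* ... */` comments, which is hard to read and easy to break later.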

Inconsistent updates

It seems to me that the nsock directory (and probably others) is outdated in comparison to the rest of the project. How do you sync it from SVN? I suspect a glitch somewhere, maybe due to the svn:externals there used to be...

Audit or review Ncat's use of SSL/TLS

Nmap tends to view SSL/TLS as just another communication protocol to be negotiated, so we don't do certificate verification or try to prevent downgrades: we just want to be able to talk to the maximum number of services possible.

Ncat is different: SSL is offered as a security feature. We need to make sure we are making wise decisions here. We are way behind the curve in comparison to web browsers, in terms of certificate verification, OCSP stapling, certificate pinning, revocation checking, etc. We have a decent set of supported ciphers (and now allow users to override it), but we also support SSLv3 and don't offer a way to change that.

This task is to perform at least an initial assessment of how Ncat meets or falls short of what is expected of an SSL client (and server, really, because we offer that, too). The assumption can be made that we are working with the latest version of OpenSSL, because that is what we use in our binary packages (Windows and Linux RPM. Not sure of OS X .dmg?)
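The Ncat TODO above (trust checking by default, warn when the chain is not valid) and this audit both describe what is expected of a TLS client: verify the peer certificate, match the name, refuse SSLv3 and other downgrades, and offer only strong ciphers. The following added example is not Ncat's code (Ncat is C on OpenSSL; Python's `ssl` module exposes the same OpenSSL knobs, `SSL_CTX_set_verify` and `SSL_CTX_set_min_proto_version`): it audits a client context against that checklist and contrasts a constructed accept-anything context with a verifying one. The function and context names are the example's own.

```python
import ssl

# Protocol floor the issue implies: SSLv3 and TLS 1.0/1.1 must not be negotiable.
MIN_TLS = ssl.TLSVersion.TLSv1_2
# Name fragments of cipher suites a hardened client should never offer.
WEAK_CIPHER_MARKERS = ("RC4", "NULL", "3DES", "DES-CBC", "MD5", "EXPORT", "anon")


def audit_client_context(ctx: ssl.SSLContext) -> list:
    """Return the checklist items this client context fails; [] means it passes."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("peer certificate is not verified against a trust store")
    if not ctx.check_hostname:
        findings.append("certificate name is not matched against the target host")
    floor = ctx.minimum_version
    if floor == ssl.TLSVersion.MINIMUM_SUPPORTED or floor < MIN_TLS:
        findings.append("protocol floor not pinned at TLS 1.2 or higher (downgrade possible)")
    weak = sorted({c["name"] for c in ctx.get_ciphers()
                   if c["strength_bits"] < 128
                   or any(m in c["name"] for m in WEAK_CIPHER_MARKERS)})
    if weak:
        findings.append("weak cipher suites offered: " + ", ".join(weak))
    return findings


def permissive_client_context() -> ssl.SSLContext:
    """Constructed 'before': talks to anything and verifies nothing (the Nmap stance the issue describes)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode can be relaxed
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.minimum_version = ssl.TLSVersion.TLSv1   # some OpenSSL builds refuse to go this low
    except ValueError:
        pass
    return ctx


def verifying_client_context() -> ssl.SSLContext:
    """Constructed 'after': system trust store, hostname check, TLS 1.2 floor."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + check_hostname + default CA paths
    ctx.minimum_version = MIN_TLS
    return ctx


if __name__ == "__main__":
    for label, ctx in (("permissive", permissive_client_context()),
                       ("verifying", verifying_client_context())):
        print(label, audit_client_context(ctx) or ["passes all checks"])
```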

Fix sectools.org http redirects

We have a .htaccess file on sectools, but the redirects listed in there don't seem to be working. I think it might be that we just need to make sure .htaccess reading or redirecting is enabled in the web server config for this site, or maybe it is the permissions of the .htaccess file itself.

Zebra additions to http-default-accounts-fingerprints

The attached patch adds fingerprints for Zebra Technologies web UI to http-default-accounts-fingerprints.lua. Tested on ZTC GK420d with firmware V61.17.5Z.

PORT     STATE SERVICE    REASON
8080/tcp open  http-proxy syn-ack ttl 120
| http-default-accounts: [Zebra Printer] credentials found -> :1234 Path:/setgen
|_[Zebra Print Server] credentials found -> admin:1234 Path:/server/TCPIPGEN.htm

Patch:

--- a/nselib/data/http-default-accounts-fingerprints.lua
+++ b/nselib/data/http-default-accounts-fingerprints.lua
@@ -366,6 +366,48 @@
 })

 ---
+--Printers
+---
+table.insert(fingerprints, {
+  name = "Zebra Printer",
+  category = "printer",
+  paths = {
+    {path = "/setgen"}
+  },
+  target_check = function (host, port, path, response)
+    return response.body
+           and response.body:lower():find("<h1>zebra technologies<br>", 1, true)
+  end,
+  login_combos = {
+    {username = "", password = "1234"}
+  },
+  login_check = function (host, port, path, user, pass)
+    local form = {}
+    form["0"] = pass
+    return try_http_post_login(host, port, path, "authorize", "incorrect password", form)
+  end
+})
+
+table.insert(fingerprints, {
+  name = "Zebra Print Server",
+  category = "printer",
+  paths = {
+    {path = "/server/TCPIPGEN.htm"}
+  },
+  target_check = function (host, port, path, response)
+    return http_auth_realm(response) == "Network Print Server"
+           and response.header["server"]
+           and response.header["server"] == "Micro-Web"
+  end,
+  login_combos = {
+    {username = "admin", password = "1234"}
+  },
+  login_check = function (host, port, path, user, pass)
+    return try_http_basic_login(host, port, path, user, pass, false)
+  end
+})
+
+---
 --Remote consoles
 ---
 table.insert(fingerprints, {
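
Review bot: `response.header["server"] and response.header["server"] == "Micro-Web"` in the Zebra Print Server `target_check` is redundant, since the equality already yields false when the header is absent; `return http_auth_realm(response) == "Network Print Server" and response.header["server"] == "Micro-Web"` reads cleaner. The Zebra Printer `target_check` keys only on the `<h1>zebra technologies<br>` banner while its `login_check` posts a single form field named `0`; confirming that field is present in the response body would keep the fingerprint from firing on Zebra pages whose form layout differs and producing spurious attempts.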

Added built-in patterns, multiple pattern search and uniqueness of results to http-grep

Hi,
I have added support for built-in patterns like email, phone etc. and multiple pattern search (more than one pattern/built-in per search) to http-grep.nse. I have also added unique results as an option. If something falls under one URL it won't be shown under any other URL if uniqueness (http-grep.unique) is set to true. Apart from uniqueness, the rest is all the same as here:
http://seclists.org/nmap-dev/2015/q1/166
The script with the uniqueness feature is here:
https://github.com/h4ck3rk3y/nmap/blob/master/test_scripts/http-grep.nse
This also eliminates the need for http-email-harvest.
TODO:
add richer patterns
better formatted output

Gyanendra
irc - gyani
