Nmap Development mailing list archives

Re: [NSE] RPC library new version and scripts


From: David Fifield <david () bamsoftware com>
Date: Tue, 16 Mar 2010 10:18:34 -0600

On Sun, Mar 14, 2010 at 12:12:55PM +0100, Patrik Karlsson wrote:
> I just wrapped up the last few changes to the RPC library, which now
> looks very different than the last version.
> The library should now support communication with the mount and nfs
> programs using versions 1 through 3.
> Given the new OO-design I've tried to explain how to use the library
> (i.e. what classes do). This documentation can be found at the top of
> rpc.lua. I've also tried to document as much of the known limitations
> as possible along with some explanations and sample code.
> 
> I've renamed the scripts according to David's suggestion and added two more:
> - rpcinfo2.nse - produces the same output as rpcinfo.nse but using the
> rpc library instead
> - nfs-acls.nse - extract the owner, group and directory (acl) mode, like this:
> 
> PORT    STATE SERVICE REASON
> 111/tcp open  rpcbind syn-ack
> | nfs-acls:
> |   /home/patrik/tmp
> |     uid: 1000; gid: 1000; mode: drwsr-Sr-x (6745)
> |   /home/patrik
> |     uid: 1000; gid: 1000; mode: drwxr-xr-x (755)
> |   /tmp
> |_    uid: 0; gid: 0; mode: drwxrwxrwx (1777)
> 
> As shown by the above output, the scripts are now using port rules
> instead of host rules. I don't know if this was a good change or not.
> Even though it makes the scripts simpler, the output will appear as if
> it was retrieved over port 111 (rpc), which it isn't.

The only scripts that work for me are nfs-showmount and rpcinfo2, and
those only work over TCP. The other scripts, and all scripts using UDP,
produce no output.

rpcinfo2 looks good except for an alignment problem in the third column.

./nmap --datadir . --script=rpcinfo,rpcinfo2 192.168.0.190 -d2 -Pn -p 111 -sSU
PORT    STATE SERVICE REASON
111/tcp open  rpcbind syn-ack
| rpcinfo:
| 100000  2          111/udp  rpcbind
| 100005  1,3        697/udp  mountd
| 100024  1          782/udp  status
| 100011  1,2        860/udp  rquotad
| 100021  0,1,3,4    922/udp  nlockmgr
| 100003  2,3       2049/udp  nfs
| 100000  2          111/tcp  rpcbind
| 100021  0,1,3,4   1021/tcp  nlockmgr
| 100024  1         1022/tcp  status
| 100005  1,3       1023/tcp  mountd
|_100003  2,3       2049/tcp  nfs
| rpcinfo2:
|   100000  2        111/tcp  rpcbind
|   100000  2        111/udp  rpcbind
|   100003  2,3     2049/tcp  nfs
|   100003  2,3     2049/udp  nfs
|   100005  1,3      697/udp  mountd
|   100005  1,3     1023/tcp  mountd
|   100011  1,2      860/udp  rquotad
|   100021  0,1,3,4   922/udp  nlockmgr
|   100021  0,1,3,4  1021/tcp  nlockmgr
|   100024  1        782/udp  status
|_  100024  1       1022/tcp  status
111/udp open  rpcbind udp-response

Here is the output of nfs-showmount.

./nmap --datadir . --script=nfs-showmount 192.168.0.190 -d2 -Pn -p 111 -sSU
PORT    STATE SERVICE REASON
111/tcp open  rpcbind syn-ack
| nfs-showmount:
|_  /Users/david
111/udp open  rpcbind udp-response

nfs-dirlist, nfs-statfs, and nfs-acls all look like this.

PORT    STATE SERVICE REASON
111/tcp open  rpcbind syn-ack
111/udp open  rpcbind udp-response

These three scripts are getting partial results, but they are being
thrown away. Instead of returning nil from action on any error, it would
be better to insert an error message in the output. If I add error
reporting to nfs-statfs, I get this output:

PORT    STATE SERVICE REASON
111/tcp open  rpcbind syn-ack
| nfs-statfs:
|   /Users/david
|_    ERROR: rpc.Helper.ExportStats: mount failed

I'm going to attach packet captures of nfs-showmount and nfs-statfs with
TCP and UDP. What else can I do to help?

David Fifield

Attachment: nfs-showmount-tcp.pcap
Attachment: nfs-showmount-udp.pcap
Attachment: nfs-statfs-tcp.pcap
Attachment: nfs-statfs-udp.pcap
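The error-reporting pattern described in the message above (keep the partial results and put an error line in the script output instead of returning nil from action) and the column alignment mentioned for rpcinfo2, sketched as an added NSE script. This is an added example, not code from this message, from the attached scripts, or from Nmap's own nfs-statfs.nse. The functions rpc.Helper.ShowMounts and rpc.Helper.ExportStats, the fields of the tables they return, and the kilobyte units are assumptions made for illustration.

```lua
-- Added example, not Nmap's own script: an NSE action that keeps partial
-- results and reports a per-export error instead of returning nil.
-- Assumed rpc library API (names follow the thread, signatures are assumed):
--   rpc.Helper.ShowMounts(host, port)        -> status, list of { name = "/path" }
--   rpc.Helper.ExportStats(host, port, path) -> status, { size=, used=, available= }
-- On failure the second return value is assumed to hold the error text.
local rpc = require "rpc"
local shortport = require "shortport"
local stdnse = require "stdnse"

description = [[
Lists NFS export statistics and reports failures inline so that partial
results are not thrown away.
]]

categories = {"discovery", "safe"}

-- Port rule against the portmapper port, as the scripts in the thread now use.
portrule = shortport.port_or_service(111, "rpcbind", {"tcp", "udp"})

-- Fixed-width columns: a %-Ns left-aligned name and right-aligned numbers
-- keep every row lined up, which is what the rpcinfo2 output is missing.
local ROW = "%-24s %10s %10s %10s"

local function size_col(kb)
  -- Units are an assumption of this example.
  return string.format("%d", kb or 0)
end

action = function(host, port)
  local status, mounts = rpc.Helper.ShowMounts(host, port)
  if not status then
    -- Nothing can be listed: still say why rather than returning nil silently.
    return stdnse.format_output(false,
      "ERROR: rpc.Helper.ShowMounts: " .. tostring(mounts))
  end

  local result = {}
  table.insert(result, string.format(ROW, "Filesystem", "Size(KB)", "Used(KB)", "Avail(KB)"))

  for _, mount in ipairs(mounts) do
    local ok, stats = rpc.Helper.ExportStats(host, port, mount.name)
    if ok then
      table.insert(result, string.format(ROW, mount.name,
        size_col(stats.size), size_col(stats.used), size_col(stats.available)))
    else
      -- Keep the export in the output and attach the error text, so one
      -- failed mount does not hide the exports that did succeed.
      table.insert(result, {
        mount.name,
        "ERROR: rpc.Helper.ExportStats: " .. tostring(stats),
      })
    end
  end

  return stdnse.format_output(true, result)
end
```

The nested table for the error case makes stdnse.format_output print the export path with the error message indented beneath it, matching the shape of the nfs-statfs output quoted in the message.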

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/