Nmap Development mailing list archives

Re: [NSE] new scripts and libraries: domino, informix, oracle, giop


From: Patrik Karlsson <patrik () cqure net>
Date: Fri, 20 Aug 2010 01:14:56 +0200


On 19 aug 2010, at 01.33, David Fifield wrote:

On Sun, Aug 08, 2010 at 05:31:36PM +0200, Patrik Karlsson wrote:
o IBM Informix Dynamic Server
- A library that supports native communication with IBM Informix Dynamic Server (informix.lua)
- So far it supports authentication and queries against the DB
- The following scripts make use of it:
  x informix-brute - uses the brute framework to perform password guessing
  x informix-tables- queries the database for a list of tables for each db
  x informix-query - makes it possible to query the database using a custom query

In informix-brute I noticed some copy-paste errors: "Disconnects and
terminates the Oracle TNS communication," "makes sure that the Oracle
instance is correct."

I've taken care of them.

I know you are aware of the unknown data like this:

      local unknown = [[
              013c0000006400650000003d0006494545454d00006c73716c65786563000000
              00000006392e32383000000c524453235230303030303000000573716c690000
              00013300000000000000000001
      ]]
      local unknown2 = [[
              6f6c0000000000000000003d746c697463700000000000010068000b
              00000003
      ]]

I'm okay with that being in the library, but please add a comment saying
where it comes from (if a packet capture, what command or procedure
needs to be done to recreate it). Otherwise it's hard for anybody but
you to maintain it. What you did in tns.lua is good.
Ok, I've added that.

Is there a reason that informix-brute has a wider portrule than the
other scripts?
No, I've widened the other rules as well.

portrule = shortport.port_or_service( { 1526, 9088, 9090, 9092 }, "informix", "tcp", "open")
portrule = shortport.port_or_service(9088, 'informix')

Please commit these informix scripts.
Done, they're committed as r19896


o IBM Lotus Domino
- A minimalistic Notes RPC library (nrpc.lua)
- The domino-enum-users.nse makes use of this library to:
  x guess valid user names
  x download the user.id file for each user (without authentication) as described in (CVE-2006-5835). This still works in version 8.5
- There are also a bunch of other scripts that target domino:
  x domcon-brute - uses the brute library to perform password guessing against the Lotus Domino Remote Console
  x domcon-cmd - runs custom commands on the Lotus Domino Remote Console
  x domino-enum-passwords - runs against the Domino web interface and attempts to:
     1. Enumerate the Internet password for each user (it's available to every authenticated user per default)
     2. Download the user.id attached to the person document for each user
- While working the domcon scripts I also wrote the library javaser.lua that performs basic java de-serialization of a byte stream.
  Unfortunately I found a way around it and I'm no longer using it, but it would make a good start for someone looking into communicating with a service that does java serialization.

You had a good idea here of just showing what ID files are available by
default, and providing a script argument to save them to a file.

I don't know if this is the real format, but I couldn't get the sample
hashes to load in john.

I'm guessing you're missing the jumbo patch from here:
http://www.openwall.com/john/contrib/john-1.7.6-jumbo-6.diff.gz


Jim Brass:(GYvlbOz2idzni5peJUdD)
Warrick Brown:(GZghNctqAnJgyklUl2ml)

These look good and you can commit them.

They've been committed as r19899.


o Oracle
- A TNS library supporting authentication against Oracle 10g and 11g
- The following script make use of it:
  x oracle-enum-users - uses a (patched) vulnerability to determine valid user names without authentication
  x oracle-brute - performs password guessing against Oracle 10g and 11g using the brute framework

These are good too.

Committed as r19900.


o GIOP
- A GIOP library that supports a few basic operations, get, _is_a and list (giop.lua)
- The following scripts make use of it:
  x giop-info - Queries the CORBA naming server for a list of objects

I have to say, I didn't know what GIOP was before, and after reading
about it, I still don't think I know what it is. What software does this
run against? You can commit it.

It runs against the CORBA naming server. I followed this example to test it out:
http://download-llnw.oracle.com/javase/1.4.2/docs/guide/idl/jidlExample.html

It's in as r19901.


David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
//Patrik
--
Patrik Karlsson
http://www.cqure.net
http://www.twitter.com/nevdull77
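As an added illustration (not code from this thread or from informix.lua): the two hex blobs quoted above can be decoded to show which printable ASCII fields they carry, which is the kind of detail the requested source comment should record alongside how the capture was made. What those fields mean inside the Informix protocol is not stated in the mail and is not assumed here; the helper names are hypothetical.

```python
# Added example: decode the hex blobs quoted in the mail and list the
# printable ASCII runs they contain, so a maintainer can see what an
# otherwise opaque "unknown" constant actually holds.
import re

# Constructed from the two blobs quoted in the mail; whitespace is ignored.
UNKNOWN = """
013c0000006400650000003d0006494545454d00006c73716c65786563000000
00000006392e32383000000c524453235230303030303000000573716c690000
00013300000000000000000001
"""
UNKNOWN2 = """
6f6c0000000000000000003d746c697463700000000000010068000b
00000003
"""


def hex_blob_to_bytes(blob: str) -> bytes:
    """Strip whitespace from a multi-line hex dump and return the raw bytes."""
    cleaned = re.sub(r"\s+", "", blob)
    if len(cleaned) % 2:
        raise ValueError("odd number of hex digits in blob")
    return bytes.fromhex(cleaned)


def printable_runs(data: bytes, min_len: int = 4) -> list[str]:
    """Return every run of printable ASCII (0x20-0x7e) of at least min_len bytes."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def annotate(blob: str) -> dict:
    """Summarise a blob: total length and the readable fields embedded in it."""
    data = hex_blob_to_bytes(blob)
    return {"length": len(data), "strings": printable_runs(data)}


if __name__ == "__main__":
    for name, blob in (("unknown", UNKNOWN), ("unknown2", UNKNOWN2)):
        print(name, annotate(blob))
```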