Nmap Development mailing list archives
smb NSE scripts with special characters password
From: Carlos Gomes - FCHS <carlos.henrique () unesp br>
Date: Sun, 31 Oct 2021 12:37:57 -0300
Hello everyone,

I'm trying to do an nmap scan using some smb NSE scripts, mostly with authenticated shares, passing user / password within the script-args. But when the share uses special characters, the scan breaks and some escape characters are needed within the arguments. For example, this scan:

    nmap -PE -PS80,69,443,3389,8080 -PP -PA21 -PU161,137-139,123 -sS -sU -sV -O -d2 -vv -pT:0-65535,U:137,161 --script nbstat,snmp-interfaces,snmp-processes,smb-enum-shares,smb-os-discovery,smb2-vuln-uptime,broadcast-ping,snmp-sysdescr --open --stats-every 5s --max-retries 1 --script-args smbtype='v2',smbdomain='WORKGROUP',smbbasic='true',smbsign='ignore',smbpassword=\""'1'1'1'#RC|WNa,#fW/z1@dd'1'1''"\",smbusername='user',smb2-vuln-uptime.skip-os=true,creds.snmp=public --disable-arp-ping --min-rate=600 --max-rate=10000 -oX report_labwin7_password_escapes_d2x.xml 10.10.50.54

where the correct password will be:

    "'1'1'1'#RC|WNa,#fW/z1@dd'1'1''"

chosen on purpose to have lots of quotes and shell break characters to validate the scan itself.

Some information I found on the lists is quite old:

    https://dev.nmap.narkive.com/mbZVDb1B/special-characters-in-script-args
    https://seclists.org/nmap-dev/2009/q2/393

saying that using either \"password\" or "'password'" would be parsed correctly to the Lua/NSE script, but considering a wide range of passwords with special characters I wanted to know if there is a "silver bullet" to have this content passed correctly to the scripts, or even a smarter way to send this info, using a script-args file, joining arguments into a vector...

At some point I will send all the smb parameters to the scan from a .php application, where I store the user / credentials / workgroup / domain and send them to the parameters all with the same "escape" character. I tried with " ", ' ' and \" \", and with -d3 on the scan I can see that the parameters with quotes are parsed on Lua to get only the content, but in some cases the inside quotes are discarded on the password field. I did lots of tests, but anyhow I wanted to ask here if there are any tips on this approach I'm trying.

I'm using nmap 7.70 on those tests.

--
[]'s
---------------------------------
Carlos Gomes
tel: +55(16)3706-8783
Unesp/Franca - FCHS
_______________________________________________ Sent through the dev mailing list https://nmap.org/mailman/listinfo/dev Archived at http://seclists.org/nmap-dev/
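An added example, not part of the original post or of Nmap itself: a POSIX sh script that quotes a password like the one above for the shell layer, builds the --script-args-file the post mentions so the password never crosses the command line (and so is not visible in process listings), and round-trips the value to confirm that nothing was lost on the way in. It assumes that NSE accepts double-quoted values with backslash-escaped quotes and backslashes and newline-separated entries in the args file (verify with -d3, which prints the parsed arguments, as the post describes); <target> is a placeholder.

```shell
#!/bin/sh
# Constructed sample password, modelled on the one in the post: single quotes,
# '#', '|', ',' and '/' all present, so both the shell and NSE must cope.
SAMPLE_PW="'1'1'1'#RC|WNa,#fW/z1@dd'1'1''"

# Single-quote a string for POSIX sh: each embedded ' becomes '\''. The result
# can be pasted onto a command line or passed to eval without further escaping.
shell_quote() {
  printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# Quote a value for NSE's script-args grammar (assumed: double quotes with
# backslash escapes). Backslashes are doubled first, then double quotes are
# escaped; commas, '#', '|' and single quotes need no treatment once quoted.
nse_quote() {
  printf '"%s"' "$(printf '%s' "$1" | sed 's/\\/\\\\/g; s/"/\\"/g')"
}

# Write the script-args file: one argument per line, so only NSE-level quoting
# applies and the shell never parses the password at all.
# $1 = output file, $2 = username, $3 = password
write_args_file() {
  {
    printf 'smbusername=%s\n' "$(nse_quote "$2")"
    printf 'smbpassword=%s\n' "$(nse_quote "$3")"
    printf 'smbdomain=WORKGROUP\nsmbtype=v2\n'
  } > "$1"
}

# Round-trip check for the shell layer: quote, let the shell re-parse the
# result with eval, and return what a child process would actually receive.
shell_roundtrip() {
  eval "printf '%s' $(shell_quote "$1")"
}

# Usage (not executed here):
#   write_args_file smb.args user "$SAMPLE_PW"
#   nmap -p445 --script smb-enum-shares --script-args-file smb.args -d3 <target>
# Then compare the smbpassword value printed under -d3 with "$SAMPLE_PW".
```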