403Webshell
Server IP : 80.87.202.40  /  Your IP : 216.73.216.169
Web Server : Apache
System : Linux rospirotorg.ru 5.14.0-539.el9.x86_64 #1 SMP PREEMPT_DYNAMIC Thu Dec 5 22:26:13 UTC 2024 x86_64
User : bitrix ( 600)
PHP Version : 8.2.27
Disable Function : NONE
MySQL : OFF |  cURL : ON |  WGET : ON |  Perl : ON |  Python : OFF |  Sudo : ON |  Pkexec : ON
Directory :  /usr/share/nmap/scripts/

Upload File :
current_dir [ Writeable] document_root [ Writeable]

 

Command :


[ Back ]     

Current File : /usr/share/nmap/scripts/imap-ntlm-info.nse
local comm = require "comm"
local os = require "os"
local datetime = require "datetime"
local shortport = require "shortport"
local sslcert = require "sslcert"
local stdnse = require "stdnse"
local base64 = require "base64"
local smbauth = require "smbauth"
local string = require "string"


description = [[
This script enumerates information from remote IMAP services with NTLM
authentication enabled.

Sending an IMAP NTLM authentication request with null credentials will
cause the remote service to respond with a NTLMSSP message disclosing
information to include NetBIOS, DNS, and OS build version.
]]


---
-- @usage
-- nmap -p 143,993 --script imap-ntlm-info <target>
--
-- @output
-- 143/tcp   open     imap
-- | imap-ntlm-info:
-- |   Target_Name: ACTIVEIMAP
-- |   NetBIOS_Domain_Name: ACTIVEIMAP
-- |   NetBIOS_Computer_Name: IMAP-TEST2
-- |   DNS_Domain_Name: somedomain.com
-- |   DNS_Computer_Name: imap-test2.somedomain.com
-- |   DNS_Tree_Name: somedomain.com
-- |_  Product_Version: 6.1.7601
--
--@xmloutput
-- <elem key="Target_Name">ACTIVEIMAP</elem>
-- <elem key="NetBIOS_Domain_Name">ACTIVEIMAP</elem>
-- <elem key="NetBIOS_Computer_Name">IMAP-TEST2</elem>
-- <elem key="DNS_Domain_Name">somedomain.com</elem>
-- <elem key="DNS_Computer_Name">imap-test2.somedomain.com</elem>
-- <elem key="DNS_Tree_Name">somedomain.com</elem>
-- <elem key="Product_Version">6.1.7601</elem>


author = "Justin Cacak"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"default", "discovery", "safe"}


local ntlm_auth_blob = base64.enc( select(2,
  smbauth.get_security_blob(nil, nil, nil, nil, nil, nil, nil,
    0x00000001 + -- Negotiate Unicode
    0x00000002 + -- Negotiate OEM strings
    0x00000004 + -- Request Target
    0x00000200 + -- Negotiate NTLM
    0x00008000 + -- Negotiate Always Sign
    0x00080000 + -- Negotiate NTLM2 Key
    0x20000000 + -- Negotiate 128
    0x80000000 -- Negotiate 56
    ))
  )

portrule = shortport.port_or_service({ 143, 993 }, { "imap", "imaps" })

action = function(host, port)

  local output = stdnse.output_table()

  local starttls = sslcert.isPortSupported(port)
  local socket
  if starttls then
    local status
    status, socket = starttls(host, port)
    if not status then
      -- could be socket problems, but more likely STARTTLS not supported.
      stdnse.debug1("starttls error: %s", socket)
      socket = nil
    end
  end
  if not socket then
    local line, bopt, first_line
    socket, line, bopt, first_line = comm.tryssl(host, port, "" , {recv_before=true})
    if not socket then
      stdnse.debug1("connection error: %s", line)
      return nil
    end
  end

  socket:send("000b AUTHENTICATE NTLM\r\n")
  local status, response = socket:receive()
  if not status then
    stdnse.debug1("Socket receive failed: %s", response)
    return nil
  end
  if not response then
    stdnse.debug1("No response to AUTHENTICATE NTLM")
    return nil
  end

  socket:send(ntlm_auth_blob .. "\r\n")
  status, response = socket:receive()
  if not status then
    stdnse.debug1("Socket receive failed: %s", response)
    return nil
  end
  if not response then
    stdnse.debug1("No response to NTLM challenge")
    return nil
  end

  local recvtime = os.time()
  socket:close()

  if string.match(response, "^A%d%d%d%d ") then
    stdnse.debug2("NTLM auth not supported.")
    return nil
  end

  -- Continue only if a + response is returned
  local response_decoded = string.match(response, "+ (.*)")
  if not response_decoded then
    stdnse.debug1("Unexpected response to NTLM challenge: %s", response)
    return nil
  end

  local response_decoded = base64.dec(response_decoded)

  -- Continue only if NTLMSSP response is returned
  if not string.match(response_decoded, "^NTLMSSP") then
    stdnse.debug1("Unexpected response to NTLM challenge: %s", response)
    return nil
  end

  -- Leverage smbauth.get_host_info_from_security_blob() for decoding
  local ntlm_decoded = smbauth.get_host_info_from_security_blob(response_decoded)

  if ntlm_decoded.timestamp then
    -- 64-bit number of 100ns clicks since 1/1/1601
    local unixstamp = ntlm_decoded.timestamp // 10000000 - 11644473600
    datetime.record_skew(host, unixstamp, recvtime)
  end

  -- Target Name will always be returned under any implementation
  output.Target_Name = ntlm_decoded.target_realm

  -- Display information returned & ignore responses with null values
  if ntlm_decoded.netbios_domain_name and #ntlm_decoded.netbios_domain_name > 0 then
    output.NetBIOS_Domain_Name = ntlm_decoded.netbios_domain_name
  end

  if ntlm_decoded.netbios_computer_name and #ntlm_decoded.netbios_computer_name > 0 then
    output.NetBIOS_Computer_Name = ntlm_decoded.netbios_computer_name
  end

  if ntlm_decoded.dns_domain_name and #ntlm_decoded.dns_domain_name > 0 then
    output.DNS_Domain_Name = ntlm_decoded.dns_domain_name
  end

  if ntlm_decoded.fqdn and #ntlm_decoded.fqdn > 0 then
    output.DNS_Computer_Name = ntlm_decoded.fqdn
  end

  if ntlm_decoded.dns_forest_name and #ntlm_decoded.dns_forest_name > 0 then
    output.DNS_Tree_Name = ntlm_decoded.dns_forest_name
  end

  if ntlm_decoded.os_major_version then
    output.Product_Version = string.format("%d.%d.%d",
      ntlm_decoded.os_major_version, ntlm_decoded.os_minor_version, ntlm_decoded.os_build)
  end

  return output

end

Youez - 2016 - github.com/yon3zu
LinuXploit