Home page logo
/

nmap-dev logo Nmap Development mailing list archives

[PATCH] NSE "Comm" library + 18 shortened scripts
From: Kris Katterjohn <katterjohn () gmail com>
Date: Sat, 12 Apr 2008 21:47:12 -0500

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hey everyone,

I've attached a new NSE "Comm" library.  Standing for something like
"COMMon COMMunications," this NSElib adds two functions: get_banner()
and exchange().

Obviously the specialized http library and any other protocol-specific
libraries created will be more useful in some circumstances, but as
you'll see below, this library consolidates code in a lot of separate
scripts into these functions.  Maybe any other libraries could use this
one as a back-end.

The top comment in comm.lua goes into some more detail about the usage,
but here's the gist:

comm.get_banner(host, port, [opts])
comm.exchange(host, port, data, [opts])

get_banner() does just what it sounds like it does: connects to the
host, reads whatever it gives us, and then returns it.

connect -> read -> close -> return

exchange() connects to the host, sends the requested data, reads
whatever it gives us, and then returns it.

connect -> send -> read -> close -> return

The functions are designed to be used with exception handling via
nmap.new_try().

An optional table can be passed to these functions, allowing for
additional options.  The table can have the following keys:

bytes - The minimum amount of bytes to receive
lines - The minimum amount of lines to receive
proto - Protocol to connect() with; defaults to "tcp"
timeout - Socket timeout


A whole lot of scripts did the same basic thing: open a socket, possibly
set a timeout, possibly send some data, and then (possibly looping to)
read all of the data.  Now all of that can be done with a single
function call.

I've attached a patch updating 18 scripts to use this library.  This
stripped some of them down to almost nothing.

I haven't been able to test all of the scripts, so I need somebody else
to verify that they work correctly.  Here's a list so far:

Tested
- ------
HTTPtrace
nbstat
ripeQuery
rpcinfo
echoTest
chargenTest
daytimeTest
dns-test-open-recursion
showSMTPVersion
finger

Untested
- --------
MySQLinfo
HTTP_open_proxy
PPTPversion
kibuvDetection
ircZombieTest
iax2Detect
skype_v2-version
mswindowShell


Of course if you could also test the ones I've already done, that'd be
great.  Even just giving a quick look-over the library or patch for any
possible mistakes would be helpful as well.

So:

o Is the interface good?  I think "get_banner" and "exchange" are simple
and concise, but any suggestions for better names are welcome.

o Are there any other options that should be added to the table?

Thanks,
Kris Katterjohn

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iQIVAwUBSAFz7P9K37xXYl36AQKecw/+NHmP47qZ7SM1Nodu8XFWquFnArPPAegj
s69Ea36vBATn3IoDI/qpZV6S+WSc4MYAfiQnU7Tv9sKTPzzrcO+SUjDRi6u6JGDv
V4JM9ToB9JdXWNOFfP+9OzttRFwgQRav//xCkNOYXLjztUn4Nd+KKovDzKGZQlqb
mK7BpujOiyu7kIZKQI6N1hCShv6IqwJAAZXBLmXvBJzeJWDL887luNeUztEt2Eqs
kTEU3Aoey71KmGxXb5pwJQH5R5kPio9EyhFYNCGNM3blCaHAha1IOHbDTicHf4cV
jiLFMTu5/cCoV8SxbqsXVlQBzMeXVW441Ak3tP1/IR/tNa5OdYmCSiS3EsLIDg8k
kBqOdfInDiPNDqBcN671tbCr8czkYMYbOciCh2X5pYdd4I9ixaHJjlMKzYjAxs4N
FEAy4X+gkxVjcOnqCongtFl0WYIylxMsNxcJf5LUO7B64RANXzyAL/ITyicMCRCw
9b5ppcMLGYzcnxk72DOweUYjnL8VfTH6CtLlCQUBo+LYTTlfHV3vP/VmN1jdIQ2E
WWU+uHTvEci2uUCOITU+qGlsDej9sPjlCXqoDpj9RCij3cM1p6ZzQyamlRBK6cOl
nOtEuMrsoSND0a9k5eAdUUqTS1CFKUOT+rdv4+IL0A82D9bA93oI6gnE+LQeuOYS
c6pTHHRzTuw=
=Uy5U
-----END PGP SIGNATURE-----
-- Kris Katterjohn 04/2008

module(..., package.seeall)

------
--
-- The Functions:
--
--   get_banner(host, port, [opts])
--   exchange(host, port, data, [opts])
--
-- get_banner() does just what it sounds like it does: connects to the
-- host, reads whatever it gives us, and then returns it.
--
-- exchange() connects to the host, sends the requested data, reads
-- whatever it gives us, and then returns it.
--
-- Both of these functions return multiple values so that they can be
-- used with exception handling via nmap.new_try().  The second value
-- they return is either the response from the host, or the error message
-- from one of the previous calls (connect, send, receive*).
--
-- These functions can be passed a table of options with the following keys:
--
--   bytes: Specifies the minimum amount of bytes to be read from the host
--   lines: Specifies the minimum amount of lines to be read from the host
--   proto: Specifies the protocol to use.  Defaults to "tcp"
--   timeout: Sets the socket's timeout with nmap.set_timeout()
--
-- If neither lines nor bytes are specified, the calls read as many lines
-- as possible.  If only bytes if specified, then it only tries to read that
-- many bytes.  Likewise, it only lines if specified, then it only tries to
-- read that many lines.  If they're both specified, the lines value is used.
--
------

-- Makes sure that opts exists and the default proto is there
local initopts = function(opts)
        if not opts then
                opts = {}
        end

        if not opts.proto then
                opts.proto = "tcp"
        end

        return opts
end

-- Sets up the socket and connects to host:port
local setup_connect = function(host, port, opts)
        if type(host) ~= "table" then
                host = {ip = host}
        end

        local target = host.targetname or host.ip or host.name

        if type(port) ~= "table" then
                port = {number = port}
        end

        local sock = nmap.new_socket()

        if opts.timeout then
                sock:set_timeout(opts.timeout)
        end

        local status, err = sock:connect(target, port.number, opts.proto)

        if not status then
                return status, err
        end

        return true, sock
end

local read = function(sock, opts)
        if opts.lines then
                return sock:receive_lines(opts.lines)
        elseif opts.bytes then
                return sock:receive_bytes(opts.bytes)
        end

        local response = ""

        while true do
                local status, line = sock:receive_lines(1)

                if not status then
                        break
                end

                response = response .. line
        end

        return true, response
end

get_banner = function(host, port, opts)
        opts = initopts(opts)

        local status, sock = setup_connect(host, port, opts)
        local ret

        if not status then
                -- sock is an error message in this case
                return status, sock
        end

        status, ret = read(sock, opts)

        sock:close()

        return status, ret
end

exchange = function(host, port, data, opts)
        opts = initopts(opts)

        local status, sock = setup_connect(host, port, opts)
        local ret

        if not status then
                -- sock is an error message in this case
                return status, sock
        end

        status, ret = sock:send(data)

        if not status then
                sock:close()
                return status, ret
        end

        status, ret = read(sock, opts)

        sock:close()

        return status, ret
end

Index: scripts/daytimeTest.nse
===================================================================
--- scripts/daytimeTest.nse     (revision 7153)
+++ scripts/daytimeTest.nse     (working copy)
@@ -8,16 +8,13 @@
 
 categories = {"demo"}
 
+require "comm"
 require "shortport"
 
 portrule = shortport.port_or_service(13, "daytime", "udp")
 
 action = function(host, port)
-       local socket = nmap.new_socket()
-       socket:connect(host.ip, port.number, "udp")
-       socket:send("dummy")
-       local status, result = socket:receive_lines(1);
-       socket:close()
+       local status, result = comm.exchange(host, port, "dummy", {lines=1, proto="udp"})
 
        if (result ~= nil) then
                return "Daytime: " .. result
Index: scripts/HTTPtrace.nse
===================================================================
--- scripts/HTTPtrace.nse       (revision 7153)
+++ scripts/HTTPtrace.nse       (working copy)
@@ -18,6 +18,7 @@
 
 categories = {"discovery"}
 
+require "comm"
 require "shortport"
 require "stdnse"
 
@@ -76,31 +77,14 @@
 portrule = shortport.port_or_service({80, 8080}, "http")
 
 action = function(host, port)
-       local cmd, response
-       local socket
+       local cmd = "TRACE / HTTP/1.0\r\n\r\n"
 
-       socket = nmap.new_socket()
+       local status, response = comm.exchange(host, port, cmd, {timeout=5000})
 
-       socket:connect(host.ip, port.number)
-
-       cmd = "TRACE / HTTP/1.0\r\n\r\n"
-
-       socket:send(cmd)
-
-       response = ""
-
-       while true do
-               local status, lines = socket:receive_lines(1)
-
-               if not status then
-                       break
-               end
-
-               response = response .. lines
+       if not status then
+               return
        end
 
-       socket:close()
-
        return validate(response, cmd)
 end
 
Index: scripts/dns-test-open-recursion.nse
===================================================================
--- scripts/dns-test-open-recursion.nse (revision 7153)
+++ scripts/dns-test-open-recursion.nse (working copy)
@@ -9,6 +9,7 @@
 categories = {"intrusive"}
 
 require "bit"
+require "comm"
 require "shortport"
 
 portrule = shortport.portnumber(53, "udp")
@@ -18,12 +19,11 @@
     -- generate dns query, Transaction-ID 0xdead, isc.sans.org (type A, class IN)
        local request = string.char(0xde, 0xad, 0x01, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03) ..  
"isc" .. string.char(0x04) .. "sans" .. string.char(0x03) ..  "org" .. string.char(0x00, 0x00, 0x01, 0x00, 0x01)
 
-       local socket = nmap.new_socket()
-       socket:connect(host.ip, port.number, "udp")
-       socket:send(request)
+       local status, result = comm.exchange(host, port, request, {proto="udp"})
 
-       local status, result = socket:receive();
-       socket:close()
+       if not status or result == "" then
+               return
+       end
 
     -- parse response for dns flags
     if (bit.band(string.byte(result,3), 0x80) == 0x80
Index: scripts/chargenTest.nse
===================================================================
--- scripts/chargenTest.nse     (revision 7153)
+++ scripts/chargenTest.nse     (working copy)
@@ -8,18 +8,15 @@
 
 categories = {"demo"}
 
+require "comm"
 require "shortport"
 
 portrule = shortport.port_or_service(19, "chargen", "udp")
 
 action = function(host, port)
-       local socket = nmap.new_socket()
-       socket:connect(host.ip, port.number, "udp")
-       socket:send("dummy")
-       local status, result = socket:receive_lines(1);
-       socket:close()
+       local status, result = comm.exchange(host, port, "dummy", {lines=1, proto="udp"})
 
-       if (result ~= nil) then
+       if (result ~= "") then
                return "Chargen: success"
        else
                return "Chargen: something went wrong"
Index: scripts/echoTest.nse
===================================================================
--- scripts/echoTest.nse        (revision 7153)
+++ scripts/echoTest.nse        (working copy)
@@ -9,18 +9,16 @@
 
 categories = {"demo"}
 
+require "comm"
 require "shortport"
 
 portrule = shortport.port_or_service(7, "echo", "udp")
 
 action = function(host, port)
        local echostr = "hello there"
-       local socket = nmap.new_socket()
-       socket:connect(host.ip, port.number, "udp")
-       socket:send(echostr)
-       local status, result = socket:receive_lines(1);
-       socket:close()
 
+       local status, result = comm.exchange(host, port, echostr, {lines=1, proto="udp"})
+
        if (result == echostr) then
                return "UDP Echo: correct response"
        end
Index: scripts/kibuvDetection.nse
===================================================================
--- scripts/kibuvDetection.nse  (revision 7153)
+++ scripts/kibuvDetection.nse  (working copy)
@@ -16,16 +16,14 @@
 
 categories = {"malware"}
 
+require "comm"
 require "shortport"
 
 portrule = shortport.port_or_service({7955, 14920, 42260}, "ftp")
 
 action = function(host, port)
-       local socket = nmap.new_socket()
+       local status, s = comm.get_banner(host, port, {lines=1})
 
-       socket:connect(host.ip, port.number)
-       local status, s = socket:receive_lines(1)
-
        if      string.match(s, "220 StnyFtpd 0wns j0")
                or
                string.match(s, "220 fuckFtpd 0wns j0")
Index: scripts/MySQLinfo.nse
===================================================================
--- scripts/MySQLinfo.nse       (revision 7153)
+++ scripts/MySQLinfo.nse       (working copy)
@@ -18,6 +18,7 @@
 categories = { "discovery", "safe" }
 
 require 'bit'
+require 'comm'
 
 -- Grabs NUL-terminated string
 local getstring = function(orig)
@@ -114,28 +115,14 @@
 end
 
 action = function(host, port)
-       local sock
-       local response = ""
        local output = ""
 
-       sock = nmap.new_socket()
+       local status, response = comm.get_banner(host, ip, {timeout=5000})
 
-       sock:set_timeout(5000)
-
-       sock:connect(host.ip, port.number)
-
-       while true do
-               local status, line = sock:receive_lines(1)
-
-               if not status then
-                       break
-               end
-
-               response = response .. line
+       if not status then
+               return
        end
 
-       sock:close()
-
        local length = ntoh3(response:sub(1, 3))
 
        if length ~= response:len() - 4 then
Index: scripts/skype_v2-version.nse
===================================================================
--- scripts/skype_v2-version.nse        (revision 7153)
+++ scripts/skype_v2-version.nse        (working copy)
@@ -3,6 +3,7 @@
 author = "Brandon Enright <bmenrigh () ucsd edu>" 
 license = "Same as Nmap--See http://nmap.org/book/man-legal.html";
 categories = {"version"}
+require "comm"
 
 portrule = function(host, port)
        if      (port.number == 80 or
@@ -22,42 +23,25 @@
 end
 
 action = function(host, port)
+       local status, result = comm.exchange(host, port, "GET / HTTP/1.0\r\n\r\n", {bytes=26, proto=port.protocol})
 
-       local socket = nmap.new_socket()
-       local result;
-       local status = true
-
-       socket:connect(host.ip, port.number, port.protocol)
-               socket:send("GET / HTTP/1.0\r\n\r\n")
-
-       status, result = socket:receive_bytes(26);
-
        if (not status) then
-               socket:close()
                return
        end
 
        if (result ~= "HTTP/1.0 404 Not Found\r\n\r\n") then
-               socket:close()
                return
        end
        
-       socket:close();
-       
        -- So far so good, now see if we get random data for another request
 
-       socket:connect(host.ip, port.number, port.protocol)
-               socket:send("random data\r\n\r\n")
+       status, result = comm.exchange(host, port, "random data\r\n\r\n", {bytes=15, proto=port.protocol})
 
-       status, result = socket:receive_bytes(15);
-
        if (not status) then
-               socket:close()
                return
        end
 
        if string.match(result, "[^%s!-~].*[^%s!-~].*[^%s!-~].*[^%s!-~]") then
-               socket:close()
                port.version.name = "skype2"
                port.version.confidence = 10
                port.version.fingerprint = nil
@@ -66,7 +50,5 @@
                -- return "Skype v2 server detected"
        end
 
-       socket:close();
-
        return
 end
Index: scripts/showSMTPVersion.nse
===================================================================
--- scripts/showSMTPVersion.nse (revision 7153)
+++ scripts/showSMTPVersion.nse (working copy)
@@ -8,20 +8,14 @@
 
 categories = {"demo"}
 
+require "comm"
 require "shortport"
 
 portrule = shortport.port_or_service(25, "smtp")
 
 action = function(host, port)
-       
-       local client = nmap.new_socket()
+       local status, result = comm.get_banner(host, port, {lines=1})
 
-       client:connect(host.ip, port.number)
-       
-       local status, result = client:receive_lines(1);
-
-       client:close()  
-
        if result ~= nil then
                result = string.gsub(result, "\n", "")
        end
Index: scripts/nbstat.nse
===================================================================
--- scripts/nbstat.nse  (revision 7153)
+++ scripts/nbstat.nse  (working copy)
@@ -11,6 +11,8 @@
 
 categories = {"discovery", "safe"}
 
+require "comm"
+
 -- I have excluded the port function param because it doesn't make much sense
 -- for a hostrule.  It works without warning.  The NSE documentation is
 -- not explicit enough in this regard.  
@@ -49,46 +51,22 @@
 -- Again, I have excluded the port param.  Is this okay on a hostrule?
 action = function(host)
        
-       local socket = nmap.new_socket()
-
-       socket:set_timeout(5000)
-
-       local result
-       local status = true
-
-       status, result = socket:connect(host.ip, 137, "udp")
-
-       if (not status) then
-               -- Can a UDP connect ever fail?
-               return
-       end
-
        -- This is the UDP NetBIOS request packet.  I didn't feel like
        -- actually generating a new one each time so this has been shamelessly
        -- copied from a packet dump of nbtscan.
        -- See http://www.unixwiz.net/tools/nbtscan.html for code.
        -- The magic number in this code is \003\097.
-       status, result = socket:send(
+       local data =
                "\003\097\000\016\000\001\000\000" ..
                "\000\000\000\000\032\067\075\065" ..
                "\065\065\065\065\065\065\065\065" ..
                "\065\065\065\065\065\065\065\065" ..
                "\065\065\065\065\065\065\065\065" ..
                "\065\065\065\065\065\000\000\033" ..
-               "\000\001")
+               "\000\001"
 
-       if (not status) then
-               -- Can the first UDP send ever fail?
-               return
-       end
+       local status, result = comm.exchange(host, 137, data, {bytes=1, proto="udp", timeout=5000})
 
-       -- this receive_bytes will consume all the input available
-       -- with a minimum of 1 byte.
-       status, result = socket:receive_bytes(1);
-
-       -- We don't need this socket anymore
-       socket:close()
-
        if (not status) then
                return
        end
Index: scripts/iax2Detect.nse
===================================================================
--- scripts/iax2Detect.nse      (revision 7153)
+++ scripts/iax2Detect.nse      (working copy)
@@ -9,43 +9,36 @@
 
 categories = {"version"}
 
+require "comm"
 require "shortport"
 
 portrule = shortport.portnumber(4569, "udp")
 
 action = function(host, port)
-       local soc = nmap.new_socket()
-       soc:set_timeout(10000)
-       local conn = soc:connect(host.ip, port.number, port.protocol)
+       -- see http://www.cornfed.com/iax.pdf for all options.
+       local poke = string.char(0x80, 0x00, 0x00, 0x00)
+       poke = poke .. string.char(0x00, 0x00, 0x00, 0x00)  
+       poke = poke .. string.char(0x00, 0x00, 0x06, 0x1e)
 
-       if (conn) then
-               -- see http://www.cornfed.com/iax.pdf for all options.
-               local poke = string.char(0x80, 0x00, 0x00, 0x00)
-               poke = poke .. string.char(0x00, 0x00, 0x00, 0x00)  
-               poke = poke .. string.char(0x00, 0x00, 0x06, 0x1e)
-               soc:send(poke)
+       local status, recv = comm.exchange(host, port, poke, {proto=port.protocol,timeout=10000})
 
-               local status, recv
-               status, recv = soc:receive_bytes(1)
-        
-               if (string.len(recv)) == 12 then
-                       local byte11 = string.format("%02X", string.byte(recv, 11))
-                       local byte12 = string.format("%02X", string.byte(recv, 12))
+       if not status then
+               return
+       end
 
-                       -- byte11 must be \x06 IAX Control Frame
-                       -- and byte12 must be \x03 or \x04
-                       if ((byte11 == "06") and
-                          (byte12 == ("03" or "04"))) 
-                       then
-                               nmap.set_port_state(host, port, "open")
-                           port.version.name = "iax2"
-                           nmap.set_port_version(host, port, "hardmatched")
-                       end
-       
+       if (string.len(recv)) == 12 then
+               local byte11 = string.format("%02X", string.byte(recv, 11))
+               local byte12 = string.format("%02X", string.byte(recv, 12))
+
+               -- byte11 must be \x06 IAX Control Frame
+               -- and byte12 must be \x03 or \x04
+               if ((byte11 == "06") and
+                  (byte12 == ("03" or "04"))) 
+               then
+                       nmap.set_port_state(host, port, "open")
+                   port.version.name = "iax2"
+                   nmap.set_port_version(host, port, "hardmatched")
                end
 
-               soc:close()
-
        end
-
 end
Index: scripts/rpcinfo.nse
===================================================================
--- scripts/rpcinfo.nse (revision 7153)
+++ scripts/rpcinfo.nse (working copy)
@@ -5,6 +5,7 @@
 license = "Same as Nmap--See http://nmap.org/book/man-legal.html";
 categories = {"safe","discovery"}
 
+require "comm"
 require "shortport"
 require "packet"
 require "datafiles"
@@ -12,14 +13,12 @@
 portrule = shortport.port_or_service(111, "rpcbind")
 
 action = function(host, port)
-  local try, catch
+  local try
   local transaction_id = "nmap"
-  local socket = nmap.new_socket()
   local result = " \n"
   local rpc_numbers
 
-  catch = function() socket:close() end
-  try = nmap.new_try( catch )
+  try = nmap.new_try()
   rpc_numbers = try(datafiles.parse_rpc())
 
   local request = string.char(0x80,0,0,40) -- fragment header
@@ -29,16 +28,8 @@
   request = request .. "\0\0\0\2\0\0\0\4" -- programm version (2) procedure dump(4)
   request = request .. "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"-- Credentials and verifier
 
-  socket:set_timeout(1000)
-  try( socket:connect(host.ip, port.number) )
-  try( socket:send( request ) )
-  local status, answer, answer_part
-  status, answer = socket:receive_bytes( 1 )
-  while status do
-    status, answer_part = socket:receive_bytes( 1 )
-    if status then answer = answer .. answer_part end
-  end
-  socket:close()
+  local answer = try(comm.exchange(host, port, request, {timeout=1000}))
+  local answer_part
 
   local fragment_length = answer:byte(4) + answer:byte(3) * 256 + answer:byte(2) * 65536
   if answer:sub(5,8) == transaction_id and answer:byte(12) == 1 and answer:byte(16) == 0 and answer:byte(28) == 0 then
Index: scripts/HTTP_open_proxy.nse
===================================================================
--- scripts/HTTP_open_proxy.nse (revision 7153)
+++ scripts/HTTP_open_proxy.nse (working copy)
@@ -9,6 +9,8 @@
 description="Test if a discovered proxy is open to us by connecting to www.google.com and checking for the 'Server: 
GWS/' header response."
 tags = {"intrusive"}
 
+require 'comm'
+
 -- I found a nice explode() function in lua-users' wiki. I had to fix it, though.
 -- http://lua-users.org/wiki/LuaRecipes
 function explode(d,p)
@@ -39,22 +41,14 @@
 end
 
 action = function(host, port)
-       local socket = nmap.new_socket()
-       local result
-       local status = true
        local response
        local i
 -- We will return this if we don't find "^Server: GWS" in response headers
        local retval
 
-       socket:set_timeout(10000);
-       socket:connect(host.ip, port.number, port.protocol)
-       
 -- Ask proxy to open www.google.com
-       socket:send("GET http://www.google.com HTTP/1.0\r\nHost: www.google.com\r\n\r\n")
-
--- read the response, if any
-       status, result = socket:receive_lines(1)
+       local req = "GET http://www.google.com HTTP/1.0\r\nHost: www.google.com\r\n\r\n"
+       local status, result = comm.exchange(host, port, req, {proto=port.protocol, timeout=10000})
        
 -- Explode result into the response table
        if (status == false) or (result == "TIMEOUT") then
@@ -74,7 +68,5 @@
                end
        end
 
--- close the socket and exit, returning the retval string.
-       socket:close()
        return retval
 end
Index: scripts/finger.nse
===================================================================
--- scripts/finger.nse  (revision 7153)
+++ scripts/finger.nse  (working copy)
@@ -8,29 +8,13 @@
 
 categories = {"discovery"}
 
+require "comm"
 require "shortport"
 
 portrule = shortport.port_or_service(79, "finger")
 
 action = function(host, port)
-       local socket = nmap.new_socket()
-       local results = ""
-       local status = true
+       local try = nmap.new_try()
 
-       local err_catch = function()
-               socket:close()
-       end
-
-       local try = nmap.new_try(err_catch())
-
-       socket:set_timeout(5000)
-       try(socket:connect(host.ip, port.number, port.protocol))
-       try(socket:send("\r\n"))
-
-       status, results = socket:receive_lines(100)
-       socket:close()
-
-       if not(status) then
-               return results
-       end
+       return try(comm.exchange(host, port, "\r\n", {lines=100, proto=port.protocol, timeout=5000}))
 end
Index: scripts/mswindowsShell.nse
===================================================================
--- scripts/mswindowsShell.nse  (revision 7153)
+++ scripts/mswindowsShell.nse  (working copy)
@@ -9,22 +9,14 @@
 
 categories = {"backdoor"}
 
+require "comm"
 require "shortport"
 
 portrule = shortport.port_or_service(8888, "auth")
 
 action = function(host, port)
-       local status = 0
-       local result = ""
+       local status, result = comm.get_banner(host, port, {bytes=4096})
 
-       local client_ident = nmap.new_socket()
-
-       client_ident:connect(host.ip, port.number)
-
-       status, result = client_ident:receive_bytes(4096)
-
-       client_ident:close()
-
        if string.match(result, "Microsoft Windows") then
                return "Possible open windows shell found."
        end
Index: scripts/ircZombieTest.nse
===================================================================
--- scripts/ircZombieTest.nse   (revision 7153)
+++ scripts/ircZombieTest.nse   (working copy)
@@ -9,22 +9,14 @@
 
 categories = {"malware"}
 
+require "comm"
 require "shortport"
 
 portrule = shortport.port_or_service(113, "auth")
 
 action = function(host, port)
-       local status = 0
-       local owner = ""
+       local status, owner = comm.get_banner(host, port, {lines=1})
 
-       local client_ident = nmap.new_socket()
-
-       client_ident:connect(host.ip, port.number)
-
-       status, owner = client_ident:receive_lines(1)
-
-       client_ident:close()
-
        if owner == "TIMEOUT" then
                return
        end
Index: scripts/ripeQuery.nse
===================================================================
--- scripts/ripeQuery.nse       (revision 7153)
+++ scripts/ripeQuery.nse       (working copy)
@@ -1,3 +1,4 @@
+require "comm"
 require "ipOps"
 
 id = "RIPE query"
@@ -12,25 +13,8 @@
 end
 
 action = function(host, port)
-       local socket = nmap.new_socket()
-       local status, line
-       local result = ""
+       local status, result = comm.exchange("whois.ripe.net", 43, host.ip .. "\n")
 
-       socket:connect("whois.ripe.net", 43)
---     socket:connect("193.0.0.135", 43)
-       socket:send(host.ip .. "\n")
-
-       while true do
-               local status, lines = socket:receive_lines(1)
-
-               if not status then
-                       break
-               else
-                       result = result .. lines
-               end
-       end
-       socket:close()
-
        local value  = string.match(result, "role:(.-)\n")
 
        if (value == "see http://www.iana.org.";) then
Index: scripts/PPTPversion.nse
===================================================================
--- scripts/PPTPversion.nse     (revision 7153)
+++ scripts/PPTPversion.nse     (working copy)
@@ -11,6 +11,8 @@
 
 categories = {"version"}
 
+require "comm"
+
 portrule = function(host, port) 
        if 
                port.number == 1723
@@ -24,23 +26,6 @@
 end
 
 action = function(host, port)
-
-       -- create the socket used for our connection
-       local socket = nmap.new_socket()
-       
-       -- set a reasonable timeout value
-       socket:set_timeout(5000)
-       
-       -- do some exception handling / cleanup
-       local catch = function()
-               socket:close()
-       end
-       
-       local try = nmap.new_try(catch)
-       
-       -- connect to the potential PPTP service
-       try(socket:connect(host.ip, port.number, "tcp"))
-       
        local payload
          
        -- build a PPTP Start-Control-Connection-Request packet
@@ -67,24 +52,9 @@
        payload = payload .. "\000\000\000\000\000\000\000\000" -- padding for vendor name
        payload = payload .. "\000\000\000\000" -- padding for vendor name
 
-       try(socket:send(payload))
-       
-       local status
-       local response
-       
-       -- read in any response we might get
-       status, response = socket:receive_bytes(1)
+       local try = nmap.new_try()
+       local response = try(comm.exchange(host, port, payload, {bytes=1, timeout=5000}))
 
-       if (not status) then
-               return
-       end
-
-       if (response == "TIMEOUT") then
-               return
-       end
-
-       try(socket:close())
-       
        local result
                
        -- check to see if the packet we got back matches the beginning of a PPTP Start-Control-Connection-Reply packet

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault