Nmap Development mailing list archives

Gyani's Status Report - #15 of 17


From: Gyanendra Mishra <anomaly.the () gmail com>
Date: Tue, 11 Aug 2015 03:18:41 +0530

Hi,

After writing this post I realize there are too many links here. I hope it
passes the mailing list filter :P. Hope everyone had a fun defcon!

Accomplishments
 * Refactored http-fetch and added support for files matching a specific
pattern. The script now allows you to download everything on a server,
download a particular file, or download files matching a specific pattern
depending on the "paths" argument.[1]

 * Fixed a bug in http-svn-enum. The http-svn-enum bug occurred because the
earlier parsing depended on the order of the XML.[2]

 * Committed the changes made to ganglia-info in the main trunk after some
minor edits to the previous version related to how the functions in the
dispatch tables were called.[3]

 * xmlrpc-methods: Changed the function that sets the output to 80 columns.
Now this function is called by the __tostring function, leaving the
xmloutput unchanged and exactly the same as the text fetched from the
server.[4]

 * xmlrpc-methods, http-methods, smtp-commands: All use a __tostring
override to show the methods in one line separated by spaces.[4][5][6]
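As an added example (standalone Lua, not code from Gyani's scripts or the Nmap tree), the pattern the two items above describe: the output table keeps the method list as plain data, while a __tostring metamethod renders it space-separated and wrapped at 80 columns. The method names are a constructed sample.

```lua
-- Added example: an NSE-style output table whose structured contents stay
-- a plain list (what the XML output sees), while the text rendering comes
-- from a __tostring metamethod that joins the entries with spaces and
-- wraps them at 80 columns.

-- Wrap a list of words into lines no longer than `width` columns.
local function wrap_words(words, width)
  local lines, cur = {}, ""
  for _, w in ipairs(words) do
    if cur == "" then
      cur = w
    elseif #cur + 1 + #w <= width then
      cur = cur .. " " .. w
    else
      lines[#lines + 1] = cur
      cur = w
    end
  end
  if cur ~= "" then lines[#lines + 1] = cur end
  return table.concat(lines, "\n")
end

-- Build the output table: the array part holds the methods unchanged; the
-- metatable only affects how the table is rendered as text.
local function methods_output(methods)
  local out = {}
  for i, m in ipairs(methods) do out[i] = m end
  return setmetatable(out, {
    __tostring = function(t) return wrap_words(t, 80) end,
  })
end

-- Constructed sample of method names, as a script might parse from a server.
local sample = {
  "system.listMethods", "system.methodSignature", "system.methodHelp",
  "system.multicall", "wp.getUsersBlogs", "wp.getPosts", "wp.newPost",
  "wp.editPost", "wp.deletePost", "metaWeblog.getPost", "mt.supportedMethods",
}

local out = methods_output(sample)
local text = tostring(out)
print(text)
-- The structured data is untouched: same entries, same order, no wrapping.
assert(#out == #sample and out[#out] == "mt.supportedMethods")
-- Every rendered text line fits in 80 columns.
for line in (text .. "\n"):gmatch("(.-)\n") do assert(#line <= 80) end
```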

 * smtp-commands - Replaced the multiple gsub calls with functions that
parse the response. Ran the script against multiple installations I could
find via Shodan. The script seems to work well against the different types
of responses returned.[6]

 * cctv-dvr-brute : This script aims to brute force cctv-dvr installations.
This script is modeled after the Metasploit module found here[7]. As you
can see the script lacks @xmloutput and @output. This is because I don't
have any cctv installations to test this against. I'll look for one, but
would appreciate it if more users on this list could test it.[8]

 * cctv-dvr-auth-bypass - The script aims to get PPPoE, DDNS, FTP and
credentials for the web interface by looking for exposed DVR.cfg files.
This is modeled on another Metasploit module[9]. This is an http script.
The problem with the script is the same as the one above. Though I think it
would be easier to find test instances for this compared to the script
above.[10]

 * http-cctv-interface - This script checks for cctv dvr installations with
web interfaces. If one is found then it returns the version. This could
probably be merged with one of the scripts above or become a fingerprint
for http-enum.[11]

 * Cleaned up my repository and the script ideas page on SecWiki.

Priorities:
 * Make a call-for-testing post on the mailing list for the cctv-* scripts
and try to test them myself.

 * Go through my scripts and make improvements as I find issues or as I get
feedback on them.

 * Make http-drupal-enum ready for commit.[12]

 * Review PR #106 on GitHub. This deals with the "ls" module that aims to
unify arguments and outputs for "-ls" scripts.[13]

Gyani

[1]https://svn.nmap.org/nmap-exp/gyani/scripts/http-fetch.nse
[2]https://svn.nmap.org/nmap-exp/gyani/scripts/http-svn-enum.nse
[3]https://svn.nmap.org/nmap-exp/gyani/scripts/ganglia-info.nse
[4]https://svn.nmap.org/nmap-exp/gyani/scripts/xmlrpc-methods.nse
[5]https://svn.nmap.org/nmap-exp/gyani/scripts/http-methods.nse
[6]https://svn.nmap.org/nmap-exp/gyani/scripts/smtp-commands.nse
[7]https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/misc/cctv_dvr_login.rb
[8]https://svn.nmap.org/nmap-exp/gyani/scripts/cctv-dvr-brute.nse
[9]https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/misc/dvr_config_disclosure.rb
[10]https://svn.nmap.org/nmap-exp/gyani/scripts/cctv-auth-bypass.nse
[11]https://svn.nmap.org/nmap-exp/gyani/scripts/http-cctv-interface.nse
[12]https://svn.nmap.org/nmap-exp/gyani/scripts/http-drupal-enum.nse
[13]https://github.com/nmap/nmap/pull/106
_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/