diff options
Diffstat (limited to 'scripts/omp2-enum-targets.nse')
-rw-r--r-- | scripts/omp2-enum-targets.nse | 126 |
1 files changed, 126 insertions, 0 deletions
diff --git a/scripts/omp2-enum-targets.nse b/scripts/omp2-enum-targets.nse new file mode 100644 index 0000000..71bbb63 --- /dev/null +++ b/scripts/omp2-enum-targets.nse @@ -0,0 +1,126 @@ +local omp2 = require "omp2" +local shortport = require "shortport" +local stdnse = require "stdnse" +local tab = require "tab" +local table = require "table" +local target = require "target" + +description = [[ +Attempts to retrieve the list of target systems and networks from an OpenVAS Manager server. + +The script authenticates on the manager using provided or previously cracked +credentials and gets the list of defined targets for each account. + +These targets will be added to the scanning queue in case +<code>newtargets</code> global variable is set. +]] + +--- +-- @usage +-- nmap -p 9390 --script omp2-brute,omp2-enum-targets <target> +-- +-- @usage +-- nmap -p 9390 --script omp2-enum-targets --script-args omp2.username=admin,omp2.password=secret <target> +-- +-- @output +-- PORT STATE SERVICE +-- 9390/tcp open openvas +-- | omp2-enum-targets: +-- | Targets for account admin: +-- | TARGET HOSTS +-- | Sales network 192.168.20.0/24 +-- | Production network 192.168.30.0/24 +-- |_ Firewall 192.168.1.254 +-- + + +author = "Henri Doreau" +license = "Same as Nmap--See https://nmap.org/book/man-legal.html" +categories = {"discovery", "safe"} +dependencies = {"omp2-brute"} + + + + +portrule = shortport.port_or_service(9390, "openvas") + + +--- Return the list of targets defined for a given user +-- +-- @param host the target host table +-- @param port the targeted OMP port +-- @param username the username to use to login +-- @param password the password to use to login +-- @return the list of targets for this user or nil +local function account_enum_targets(host, port, username, password) + local targets + local session = omp2.Session:new() + + local status, err = session:connect(host, port) + + if not status then + stdnse.debug1("connection failure (%s)", err) + return nil + end + + if session:authenticate(username, password) then + targets = session:ls_targets() + else + stdnse.debug1("authentication failure (%s:%s)", username, password) + end + + session:close() + + return targets +end + +--- Generate the output string representing the list of discovered targets +-- +-- @param targets the list of targets as a name->hosts mapping +-- @return the array as a formatted string +local function report(targets) + local outtab = tab.new() + + tab.add(outtab, 1, "TARGET") + tab.add(outtab, 2, "HOSTS") + tab.nextrow(outtab) + + for name, hosts in pairs(targets) do + tab.addrow(outtab, name, hosts) + end + + return tab.dump(outtab) +end + +action = function(host, port) + local results = {} + local credentials = omp2.get_accounts(host) + + if not credentials then + -- unable to authenticate on the server + return "No valid account available!" + end + + for _, account in pairs(credentials) do + + local username, password = account.username, account.password + + local targets = account_enum_targets(host, port, username, password) + + if targets ~= nil then + table.insert(results, "Targets for account " .. username .. ":") + table.insert(results, report(targets)) + else + table.insert(results, "No targets found for account " .. username) + end + + if target.ALLOW_NEW_TARGETS and targets ~= nil then + stdnse.debug1("adding new targets %s", table.concat(targets, ", ")) + target.add(table.unpack(targets)) + end + + end + + return stdnse.format_output(true, results) +end + |