Diffstat (limited to 'scripts/vnc-info.nse')
-rw-r--r-- | scripts/vnc-info.nse | 163 |
1 files changed, 163 insertions, 0 deletions
diff --git a/scripts/vnc-info.nse b/scripts/vnc-info.nse
new file mode 100644
index 0000000..008ee67
--- /dev/null
+++ b/scripts/vnc-info.nse
@@ -0,0 +1,163 @@
+local shortport = require "shortport"
+local stdnse = require "stdnse"
+local string = require "string"
+local vnc = require "vnc"
+
+description = [[
+Queries a VNC server for its protocol version and supported security types.
+]]
+
+author = "Patrik Karlsson"
+license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
+categories = {"default", "discovery", "safe"}
+
+---
+-- @output
+-- PORT STATE SERVICE
+-- 5900/tcp open vnc
+-- | vnc-info:
+-- | Protocol version: 3.889
+-- | Security types:
+-- | Mac OS X security type (30)
+-- |_ Mac OS X security type (35)
+--
+-- @xmloutput
+-- <elem key="Protocol version">3.8</elem>
+-- <table key="Security types">
+-- <table>
+-- <elem key="name">Ultra</elem>
+-- <elem key="type">17</elem>
+-- </table>
+-- <table>
+-- <elem key="name">VNC Authentication</elem>
+-- <elem key="type">2</elem>
+-- </table>
+-- </table>
+
+-- Version 0.2
+
+-- Created 07/07/2010 - v0.1 - created by Patrik Karlsson <patrik@cqure.net>
+-- Revised 08/14/2010 - v0.2 - changed so that errors are reported even without debugging
+
+
+portrule = shortport.port_or_service( {5900, 5901, 5902} , "vnc", "tcp", "open")
+
+local function fail(err) return stdnse.format_output(false, err) end
+
+action = function(host, port)
+
+ local v = vnc.VNC:new( host, port )
+ local status, data
+ local result = stdnse.output_table()
+
+ status, data = v:connect()
+ if ( not(status) ) then return fail(data) end
+
+ status, data = v:handshake()
+ if ( not(status) ) then return fail(data) end
+
+ data = v:getSecTypesAsTable()
+
+ result["Protocol version"] = v:getProtocolVersion()
+
+ if ( data and #data ~= 0 ) then
+ result["Security types"] = data
+ end
+
+ local none_auth = false
+ if ( v:supportsSecType(v.sectypes.NONE) ) then
+ none_auth = true
+ end
+
+ if v:supportsSecType(v.sectypes.VENCRYPT) then
+ v:sendSecType(v.sectypes.VENCRYPT)
+ status, data = v:handshake_vencrypt()
+ if not status then
+ stdnse.debug1("Failed to handshake VeNCrypt: %s", data)
+ else
+ result["VeNCrypt auth subtypes"] = v:getVencryptTypesAsTable()
+ if not none_auth then
+ for i=1, v.vencrypt.count do
+ if v.vencrypt.types[i] == vnc.VENCRYPT_SUBTYPES.TLSNONE or
+ v.vencrypt.types[i] == vnc.VENCRYPT_SUBTYPES.TLSNONE then
+ none_auth = true
+ break
+ end
+ end
+ end
+ end
+ -- Reset the connection for further tests
+ v:disconnect()
+ end
+
+ if v:supportsSecType(v.sectypes.TIGHT) then
+ if not v.socket:get_info() then
+ -- reconnect if necessary
+ v:connect()
+ v:handshake()
+ end
+ v:sendSecType(v.sectypes.TIGHT)
+ status, data = v:handshake_tight()
+ if not status then
+ stdnse.debug1("Failed to handshake Tight: %s", data)
+ else
+ if v.aten then
+ result["Tight auth"] = "ATEN KVM VNC"
+ else
+ local mt = {
+ __tostring = function(t)
+ return string.format("%s %s (%d)", t.vendor, t.signature, t.code)
+ end
+ }
+ local tunnels = {}
+ for _, t in ipairs(v.tight.tunnels) do
+ setmetatable(t, mt)
+ tunnels[#tunnels+1] = t
+ end
+ if #tunnels > 0 then
+ result["Tight auth tunnels"] = tunnels
+ end
+ if #v.tight.types == 0 then
+ none_auth = true
+ result["Tight auth subtypes"] = {"None"}
+ else
+ local subtypes = {}
+ for _, t in ipairs(v.tight.types) do
+ if t.code == 1 then
+ none_auth = true
+ end
+ setmetatable(t, mt)
+ subtypes[#subtypes+1] = t
+ end
+ result["Tight auth subtypes"] = subtypes
+ end
+ end
+ end
+ -- Reset the connection for further tests
+ v:disconnect()
+ end
+
+ if v:supportsSecType(v.sectypes.TLS) then
+ if not v.socket:get_info() then
+ -- reconnect if necessary
+ v:connect()
+ v:handshake()
+ end
+ v:sendSecType(v.sectypes.TLS)
+ status, data = v:handshake_tls()
+ if not status then
+ stdnse.debug1("Failed to handshake TLS: %s", data)
+ else
+ result["TLS auth subtypes"] = v:getSecTypesAsTable()
+ if v:supportsSecType(v.sectypes.NONE) then
+ none_auth = true
+ end
+ end
+ end
+
+ if none_auth then
+ result["WARNING"] = "Server does not require authentication"
+ end
+
+ return result
+end |
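Review bot: In the VeNCrypt loop, both operands of the `or` compare `v.vencrypt.types[i]` against `vnc.VENCRYPT_SUBTYPES.TLSNONE`, so the second test is dead and only one no-authentication subtype can ever set `none_auth`. A server that offers a different anonymous VeNCrypt subtype would be reported without the "Server does not require authentication" WARNING, which is a false negative in the script's one security finding. The second operand was presumably meant to be the X509 variant, `v.vencrypt.types[i] == vnc.VENCRYPT_SUBTYPES.X509NONE then`; confirm the constant name against the vnc library before changing it. Separately, the "reconnect if necessary" branches in the Tight and TLS blocks discard the results of `v:connect()` and `v:handshake()`, so a failed reconnect still falls through to `v:sendSecType(...)`. Capture them as `status, data = v:connect()` and skip the block on failure, as the initial connect at the top of `action` already does.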