1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
|
local omp2 = require "omp2"
local shortport = require "shortport"
local stdnse = require "stdnse"
local tab = require "tab"
local table = require "table"
local target = require "target"
description = [[
Attempts to retrieve the list of target systems and networks from an OpenVAS Manager server.
The script authenticates on the manager using provided or previously cracked
credentials and gets the list of defined targets for each account.
These targets will be added to the scanning queue in case
<code>newtargets</code> global variable is set.
]]
---
-- @usage
-- nmap -p 9390 --script omp2-brute,omp2-enum-targets <target>
--
-- @usage
-- nmap -p 9390 --script omp2-enum-targets --script-args omp2.username=admin,omp2.password=secret <target>
--
-- @output
-- PORT STATE SERVICE
-- 9390/tcp open openvas
-- | omp2-enum-targets:
-- | Targets for account admin:
-- | TARGET HOSTS
-- | Sales network 192.168.20.0/24
-- | Production network 192.168.30.0/24
-- |_ Firewall 192.168.1.254
--
author = "Henri Doreau"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"discovery", "safe"}
dependencies = {"omp2-brute"}
portrule = shortport.port_or_service(9390, "openvas")
--- Return the list of targets defined for a given user
--
-- @param host the target host table
-- @param port the targeted OMP port
-- @param username the username to use to login
-- @param password the password to use to login
-- @return the list of targets for this user or nil
local function account_enum_targets(host, port, username, password)
local targets
local session = omp2.Session:new()
local status, err = session:connect(host, port)
if not status then
stdnse.debug1("connection failure (%s)", err)
return nil
end
if session:authenticate(username, password) then
targets = session:ls_targets()
else
stdnse.debug1("authentication failure (%s:%s)", username, password)
end
session:close()
return targets
end
--- Generate the output string representing the list of discovered targets
--
-- @param targets the list of targets as a name->hosts mapping
-- @return the array as a formatted string
local function report(targets)
local outtab = tab.new()
tab.add(outtab, 1, "TARGET")
tab.add(outtab, 2, "HOSTS")
tab.nextrow(outtab)
for name, hosts in pairs(targets) do
tab.addrow(outtab, name, hosts)
end
return tab.dump(outtab)
end
action = function(host, port)
local results = {}
local credentials = omp2.get_accounts(host)
if not credentials then
-- unable to authenticate on the server
return "No valid account available!"
end
for _, account in pairs(credentials) do
local username, password = account.username, account.password
local targets = account_enum_targets(host, port, username, password)
if targets ~= nil then
table.insert(results, "Targets for account " .. username .. ":")
table.insert(results, report(targets))
else
table.insert(results, "No targets found for account " .. username)
end
if target.ALLOW_NEW_TARGETS and targets ~= nil then
stdnse.debug1("adding new targets %s", table.concat(targets, ", "))
target.add(table.unpack(targets))
end
end
return stdnse.format_output(true, results)
end
|
