summaryrefslogtreecommitdiffstats
path: root/scripts/smb2-security-mode.nse
blob: ae99caaa4d7f652152ac2a93192d9164e20ffff3 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
local smb = require "smb"
local smb2 = require "smb2"
local stdnse = require "stdnse"
local table = require "table"
local nmap = require "nmap"

description = [[
Determines the message signing configuration in SMBv2 servers
 for all supported dialects.

The script sends a SMB2_COM_NEGOTIATE request for each SMB2/SMB3 dialect
 and parses the security mode field to determine the message signing
 configuration of the SMB server.

References:
* https://msdn.microsoft.com/en-us/library/cc246561.aspx
]]

---
-- @usage nmap -p 445 --script smb2-security-mode <target>
-- @usage nmap -p 139 --script smb2-security-mode <target>
--
-- @output
-- | smb2-security-mode:
-- |   3.1.1:
-- |_    Message signing enabled but not required
--
-- @xmloutput
-- <table key="3.1.1">
-- <elem>Message signing enabled but not required</elem>
-- </table>
---

author = "Paulino Calderon"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"safe", "discovery", "default"}

hostrule = function(host)
  return smb.get_port(host) ~= nil
end

action = function(host,port)
  local output = stdnse.output_table()

  local status, smbstate = smb.start(host)
  if(status == false) then
    return false, smbstate
  end
  --  SMB signing configuration appears to be global so
  --  there is no point of trying different dialects.
  local status, dialect = smb2.negotiate_v2(smbstate)
  if status then
    local message_signing = {}
    -- Signing configuration. SMBv2 servers support two flags:
    -- * Message signing enabled
    -- * Message signing required
    local signing_enabled, signing_required
    if smbstate['security_mode'] & 0x01 == 0x01 then
      signing_enabled = true
    end
    if smbstate['security_mode'] & 0x02 == 0x02 then
      signing_required = true
    end
    if signing_enabled and signing_required then
      table.insert(message_signing, "Message signing enabled and required")
    elseif signing_enabled and not(signing_required) then
      table.insert(message_signing, "Message signing enabled but not required")
    elseif not(signing_enabled) and not(signing_required) then
      table.insert(message_signing, "Message signing is disabled and not required!")
    elseif not(signing_enabled) and signing_required then
      table.insert(message_signing, "Message signing is disabled!")
    end
    output[smb2.dialect_name(dialect)] = message_signing
    -- We exit after first accepted dialect,
  end

  smb.stop(smbstate)
  status = false

  if #output>0 then
    return output
  else
    stdnse.debug1("No SMB2/SMB3 dialects were accepted.")
    if nmap.verbosity()>1 then
      return "Couldn't establish a SMBv2 connection."
    end
  end
end