This repository was archived by the owner on Oct 14, 2020. It is now read-only.

Commit d1def44

committed
Implements #3 'Find old SMB Protocol Versions in a network with NMAP'
#3
1 parent a96e413 commit d1def44


3 files changed

+392
-4
lines changed

Lines changed: 40 additions & 0 deletions
@@ -0,0 +1,40 @@
1+
<?xml version="1.0" encoding="UTF-8"?>
2+
<!DOCTYPE nmaprun>
3+
<?xml-stylesheet href="file:///usr/bin/../share/nmap/nmap.xsl" type="text/xsl"?>
4+
<!-- Nmap 7.80 scan initiated Thu Jun 11 11:45:11 2020 as: nmap -oX /home/securecodebox/nmap-results.xml -Pn -p445 -&#45;script smb-protocols example.com -->
5+
<nmaprun scanner="nmap" args="nmap -oX /home/securecodebox/nmap-results.xml -Pn -p445 -&#45;script smb-protocols example.com" start="1591875911" startstr="Thu Jun 11 11:45:11 2020" version="7.80" xmloutputversion="1.04">
6+
<scaninfo type="connect" protocol="tcp" numservices="1" services="445"/>
7+
<verbose level="0"/>
8+
<debugging level="0"/>
9+
<host starttime="1591875911" endtime="1591875918">
10+
<status state="up" reason="user-set" reason_ttl="0"/>
11+
<address addr="10.50.0.2" addrtype="ipv4"/>
12+
<hostnames>
13+
<hostname name="example.com" type="user"/>
14+
<hostname name="example.com" type="PTR"/>
15+
</hostnames>
16+
<ports>
17+
<port protocol="tcp" portid="445">
18+
<state state="open" reason="syn-ack" reason_ttl="0"/>
19+
<service name="microsoft-ds" method="table" conf="3"/>
20+
</port>
21+
</ports>
22+
<hostscript>
23+
<script id="smb-protocols" output="&#xa; dialects: &#xa; NT LM 0.12 (SMBv1) [dangerous, but default]&#xa; 2.02&#xa; 2.10&#xa; 3.00&#xa; 3.02&#xa; 3.11">
24+
<table key="dialects">
25+
<elem>NT LM 0.12 (SMBv1) [dangerous, but default]</elem>
26+
<elem>2.02</elem>
27+
<elem>2.10</elem>
28+
<elem>3.00</elem>
29+
<elem>3.02</elem>
30+
<elem>3.11</elem>
31+
</table>
32+
</script>
33+
</hostscript>
34+
<times srtt="61544" rttvar="61544" to="307720"/>
35+
</host>
36+
<runstats>
37+
<finished time="1591875918" timestr="Thu Jun 11 11:45:18 2020" elapsed="7.18" summary="Nmap done at Thu Jun 11 11:45:18 2020; 1 IP address (1 host up) scanned in 7.18 seconds" exit="success"/>
38+
<hosts up="1" down="0" total="1"/>
39+
</runstats>
40+
</nmaprun>

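--- a/integrations/nmap/parser/parser.js
+++ b/integrations/nmap/parser/parser.js
@@ -6,6 +6,9 @@ async function parse(fileContent) {
 }
 
 function transformToFindings(hosts) {
+
+const scriptFindings = transformNMAPScripts(hosts);
+
 const portFindings = hosts.flatMap(({ openPorts = [], ...hostInfo }) => {
 if(openPorts === null){
 return [];
@@ -53,9 +56,161 @@ function transformToFindings(hosts) {
 };
 });
 
-return [...portFindings, ...hostFindings];
+return [...portFindings, ...hostFindings, ...scriptFindings];
+}
+
+function transformNMAPScripts(hosts) {
+let scriptFindings = [];
+
+for(const host of hosts) {
+
+if(host.scripts) {
+for(const script of host.scripts) {
+
+// Parse SMB Script Results
+if(script.$.id === 'smb-protocols') {
+transformNmapScriptSmb(host, script ,scriptFindings);
+}
+}
+}
+}
+
+return scriptFindings;
+}
+
+function transformNmapScriptSmb(host, script, scriptFindings) {
+// Parse SMB Script Results
+if(script.$.id === 'smb-protocols') {
+console.log ("Found SMB Script Result: " + script.$.output);
+//console.log (script);
+
+if(script.table && script.table[0] && script.table[0].elem) {
+
+for(const elem of script.table[0].elem) {
+console.log ("Found SMB SMB Protocol: " + elem);
+//console.log (elem);
+
+const smbVersion = parseFloat(elem);
+
+if(elem.toString().includes("SMBv1")) {
+scriptFindings.push({
+name: "SMB Dangerous Protocol Version Finding SMBv1",
+description: `Port ${host.openPorts[0].port} is ${host.openPorts[0].state} using SMB protocol with an old version: SMBv1`,
+category: 'SMB',
+location: `${host.openPorts[0].protocol}://${host.ip}:${host.openPorts[0].port}`,
+osi_layer: 'NETWORK',
+severity: 'HIGH',
+attributes: {
+hostname: host.hostname,
+mac_address: host.mac || null,
+ip_address: host.ip,
+port: host.openPorts[0].port,
+state: host.openPorts[0].state,
+protocol: host.openPorts[0].protocol,
+method: host.openPorts[0].method,
+operating_system: host.osNmap || null,
+service: host.openPorts[0].service,
+serviceProduct: host.openPorts[0].serviceProduct || null,
+serviceVersion: host.openPorts[0].serviceVersion || null,
+scripts: elem || null,
+smb_protocol_version: 1,
+}
+});
+}
+else if(!isNaN(smbVersion)) {
+if(smbVersion > 0 && smbVersion < 2) {
+scriptFindings.push({
+name: "SMB Dangerous Protocol Version Finding v"+smbVersion,
+description: `Port ${host.openPorts[0].port} is ${host.openPorts[0].state} using SMB protocol with an old version: ` + smbVersion,
+category: 'SMB',
+location: `${host.openPorts[0].protocol}://${host.ip}:${host.openPorts[0].port}`,
+osi_layer: 'NETWORK',
+severity: 'MEDIUM',
+attributes: {
+hostname: host.hostname,
+mac_address: host.mac || null,
+ip_address: host.ip,
+port: host.openPorts[0].port,
+state: host.openPorts[0].state,
+protocol: host.openPorts[0].protocol,
+method: host.openPorts[0].method,
+operating_system: host.osNmap || null,
+service: host.openPorts[0].service,
+serviceProduct: host.openPorts[0].serviceProduct || null,
+serviceVersion: host.openPorts[0].serviceVersion || null,
+scripts: elem || null,
+smb_protocol_version: smbVersion,
+}
+});
+}
+if(smbVersion >= 2 && smbVersion < 3) {
+scriptFindings.push({
+name: "SMB Protocol Version Finding v"+smbVersion,
+description: `Port ${host.openPorts[0].port} is ${host.openPorts[0].state} using SMB protocol with an old version: `+ smbVersion,
+category: 'SMB',
+location: `${host.openPorts[0].protocol}://${host.ip}:${host.openPorts[0].port}`,
+osi_layer: 'NETWORK',
+severity: 'LOW',
+attributes: {
+hostname: host.hostname,
+mac_address: host.mac || null,
+ip_address: host.ip,
+port: host.openPorts[0].port,
+state: host.openPorts[0].state,
+protocol: host.openPorts[0].protocol,
+method: host.openPorts[0].method,
+operating_system: host.osNmap || null,
+service: host.openPorts[0].service,
+serviceProduct: host.openPorts[0].serviceProduct || null,
+serviceVersion: host.openPorts[0].serviceVersion || null,
+scripts: elem || null,
+smb_protocol_version: smbVersion,
+}
+});
+}
+if(smbVersion >= 3) {
+scriptFindings.push({
+name: "SMB Protocol Version Finding v"+smbVersion,
+description: `Port ${host.openPorts[0].port} is ${host.openPorts[0].state} using SMB protocol with version: ` + smbVersion,
+category: 'SMB',
+location: `${host.openPorts[0].protocol}://${host.ip}:${host.openPorts[0].port}`,
+osi_layer: 'NETWORK',
+severity: 'INFORMATIONAL',
+attributes: {
+hostname: host.hostname,
+mac_address: host.mac || null,
+ip_address: host.ip,
+port: host.openPorts[0].port,
+state: host.openPorts[0].state,
+protocol: host.openPorts[0].protocol,
+method: host.openPorts[0].method,
+operating_system: host.osNmap || null,
+service: host.openPorts[0].service,
+serviceProduct: host.openPorts[0].serviceProduct || null,
+serviceVersion: host.openPorts[0].serviceVersion || null,
+scripts: elem || null,
+smb_protocol_version: smbVersion,
+}
+});
+}
+}
+}
+}
+}
 }
 
+/**
+* Parses a given NMAP XML file to a smaller JSON represenation with the following object:
+* {
+* hostname: null,
+* ip: null,
+* mac: null,
+* openPorts: null,
+* osNmap: null,
+* scripts: null
+* }
+* @param {*} fileContent
+*/
 function parseResultFile(fileContent) {
 return new Promise((resolve, reject) => {
 xml2js.parseString(fileContent, (err, xmlInput) => {
@@ -77,9 +232,10 @@ function parseResultFile(fileContent) {
 mac: null,
 openPorts: null,
 osNmap: null,
+scripts: null
 };
 
-//Get hostname
+// Get hostname
 if (
 host.hostnames &&
 host.hostnames[0] !== '\r\n' &&
@@ -88,7 +244,7 @@ function parseResultFile(fileContent) {
 newHost.hostname = host.hostnames[0].hostname[0].$.name;
 }
 
-//get addresses
+// Get addresses
 host.address.forEach(address => {
 const addressType = address.$.addrtype;
 const addressAdress = address.$.addr;
@@ -102,7 +258,7 @@ function parseResultFile(fileContent) {
 }
 });
 
-//get ports
+// Get ports
 if (host.ports && host.ports[0].port) {
 const portList = host.ports[0].port;
 
@@ -156,6 +312,11 @@ function parseResultFile(fileContent) {
 });
 }
 
+// Get Script Content
+if(host.hostscript && host.hostscript[0].script) {
+newHost.scripts = host.hostscript[0].script
+}
+
 if (host.os && host.os[0].osmatch && host.os[0].osmatch[0].$.name) {
 newHost.osNmap = host.os[0].osmatch[0].$.name;
 }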
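Review bot: `transformNmapScriptSmb` reads `host.openPorts[0]` for every finding without checking it, although `parseResultFile` initialises `openPorts: null` and `transformToFindings` itself guards `openPorts === null`. A host that carries `smb-protocols` output but no parsed open ports would throw here, and because `transformNMAPScripts` is called at the top of `transformToFindings`, the port and host findings of that scan would presumably be lost with it; on a multi-port scan the SMBv1 finding is also attributed to whichever port happens to be first rather than the SMB port. Look the port entry up explicitly, for example `const smbPort = (host.openPorts || []).find(p => String(p.port) === '445');`, and still emit the finding with null port fields when it is missing so a HIGH result is never dropped silently (the fixture only scans `-p445`, and how `port` is typed is not visible in this section). Separately, `parseFloat(elem)` turns the dialect `2.10` into `2.1` in the finding name, and the two `console.log` calls write host-supplied script output to stdout on every parse; keeping the dialect string as reported and removing the logs would make the findings easier to triage.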
