The previous patch allows the port to be specified in the
`ScanTarget{}`.
Since the port option in the Config may not be the port currently being
scanned, delete the `GetPort()` function provided by each module.
The `GetPort()` function is also not used. While we could just change
the meaning of this function, to mean "Return the port in the Config",
it is probably better to go ahead and just remove all references to it
as there are no users.
The port field is tied to the configuration of each instance of
`Scanner` struct. However, applications using zgrab2 scan modules may
want to specify specific ports to scan, without needing to initialize a
whole new module.
This patch adds a pointer to a uint describing a port to `ScanTarget{}`.
If that is nil, the specified port will override the port in the Config.
If the probe for SMB2 fails, close the connection and then try probing
for SMB1 as a backup.
Since there are more SMB2 servers in the wild, that is the first
attempt.
Send SMB1 header, and Negotiation Request message for SMB1.
This brings the zgrab2 smb1 scanner to parity with the zgrab smb1
scanner, with presence detection via smbv1_support.
We check the ProtocolID in the raw data response, for two reasons:
1. Even if the full unmarshal fails for the message, we will log
that it is an smbv1 server
2. We need to add more response types structs, because the format
is different for various SMB1 dialects.
The negotiation response v1 structure is for the SMB1 "NT LM 0.12"
dialect, and is essentially placeholder for now for future parsing.
TODO: Unmarshal into the appropriate message struct based on
SMB1 dialect, and parse dialect and capabilities, and return those
results.
These two functions are largely duplicates, and only differ in the
boolean option passed to LoggedNegotiateProtocol(). Combine the
functions, and just take that option in as an argument to pass along.
The smb library bounds checks for a message size that is too large, but
does not check for a message size that is way too small. Error out if
the message size is not at least as large as the ProtocolID 4-byte
preamble.
This fixes slice out of bound panics when checking the buffer for the
protID string for certain hosts.
Signed-off-by: Jeff Cody <jcody@censys.io>
This parses the capabilities flags for the server, masking off invalid
flags based on dialect.
While both the NegotiationLogs and SessionSetupLog contain capabilities
flags, we extract the flags from the NegotiationLogs to represent the
server, as it is explicitly stated in [MS-SMB2] that those are the ones
that represent the capabilities of the server.
This parses the SMB Version response, and the dialect, to determine the
full SMB version. This is done in accordance to "[MS-SMB2] - v20190430"
from Microsoft, Section 2.2.4.
Previous addition of GetTLSConfigForTarget (811eb38) did not modify
HTTP module to use SNI. This let to the very cryptic unknown-error:
remote error: internal error. Some servers give Fatal alerts when
they don't get an SNI extension. Discovered on a `Pagely-ARES/1.3.21`
Server
