Also get workstation/redirector name in nbstat. Fixes nmap#1239

rapid7 · Jun 14, 2018 · b624597 · b624597
1 parent ed549d8
commit b624597
Show file tree

Hide file tree

Showing 2 changed files with 38 additions and 2 deletions.
diff --git a/nselib/netbios.lua b/nselib/netbios.lua
@@ -176,9 +176,36 @@ function get_server_name(host, names)
     end
   end
 
-  return false, "Couldn't find NetBIOS server name"
+  return true, nil
 end
 
+--- Sends out a UDP probe on port 137 to get the workstation's name (that is, the
+--  unique entry in its NBSTAT table with a 0x00 suffix).
+--@param host The IP or hostname of the server.
+--@param names [optional] The names to use, from <code>do_nbstat</code>.
+--@return (status, result) If status is true, the result is the NetBIOS name.
+--        otherwise, result is an error message.
+function get_server_name(host, names)
+
+  local status
+  local i
+
+  if names == nil then
+    status, names = do_nbstat(host)
+
+    if(status == false) then
+      return false, names
+    end
+  end
+
+  for i = 1, #names, 1 do
+    if names[i]['suffix'] == 0x00 && (names[i]['flags'] & 0x8000 == 0) then
+      return true, names[i]['name']
+    end
+  end
+
+  return true, nil
+end
 --- Sends out a UDP probe on port 137 to get the user's name
 --
 -- User name is the entry in its NBSTAT table with a 0x03 suffix, that isn't

diff --git a/scripts/nbstat.nse b/scripts/nbstat.nse
@@ -33,6 +33,7 @@ owns.
 --
 -- @xmloutput
 -- <elem key="server_name">WINDOWS2003</elem>
+-- <elem key="workstation_name">WINDOWS2003</elem>
 -- <elem key="user">&lt;unknown&gt;</elem>
 -- <table key="mac">
 --   <elem key="manuf">VMware</elem>
@@ -138,6 +139,12 @@ action = function(host)
     return stdnse.format_output(false, server_name)
   end
 
+  -- Get the workstation name
+  status, workstation_name = netbios.get_workstation_name(host, names)
+  if(status == false) then
+    return stdnse.format_output(false, workstation_name)
+  end
+
   -- Get the logged in user
   status, user_name = netbios.get_user_name(host, names)
   if(status == false) then
@@ -156,6 +163,7 @@ action = function(host)
     }
     host.registry['nbstat'] = {
       server_name = server_name,
+      workstation_name = workstation_name,
       mac = mac.address
     }
     -- Samba doesn't set the Mac address, and nmap-mac-prefixes shows that as Xerox
@@ -180,6 +188,7 @@ action = function(host)
   end
 
   response["server_name"] = server_name
+  response["workstation_name"] = workstation_name
   response["user"] = user_name
   response["mac"] = mac
 
@@ -222,7 +231,7 @@ action = function(host)
   setmetatable(response, {
     __tostring = function(t)
       -- Normal single-line result
-      local ret = {string.format("NetBIOS name: %s, NetBIOS user: %s, NetBIOS MAC: %s", t.server_name, t.user, t.mac)}
+      local ret = {string.format("NetBIOS name: %s, NetBIOS user: %s, NetBIOS MAC: %s", t.server_name or t.workstation_name, t.user, t.mac)}
       -- If verbosity is set, dump the whole list of names
       if nmap.verbosity() >= 1 then
         table.insert(ret, string.format("Names:\n%s",t.names))