From 0bb036cda2baeb9eb97e9597115dd567a6d62a7d Mon Sep 17 00:00:00 2001 From: dmiller Date: Mon, 14 Mar 2016 20:42:51 +0000 Subject: [PATCH] Allow rpcinfo.nse to set version info The rpcinfo script can now set version info just like rpc-grind. Since this requires considerably less traffic than rpc-grind, I made rpc-grind depend on rpcinfo so that it will avoid running if we can get the version information this way instead. Also changed rpcinfo to only run on port 111, not on "rpcbind" service since that's what -sV labels any detected RPC service. --- scripts/rpc-grind.nse | 6 ++++-- scripts/rpcinfo.nse | 20 +++++++++++++++++++- 2 files changed, 23 insertions(+), 3 deletions(-) diff --git a/scripts/rpc-grind.nse b/scripts/rpc-grind.nse index cb0d935f1..6cf56b07e 100644 --- a/scripts/rpc-grind.nse +++ b/scripts/rpc-grind.nse @@ -30,8 +30,8 @@ Any other accept state is an incorrect behaviour. -- -- --@output ---PORT STATE SERVICE VERSION ---53344/udp open walld (walld V1) 1 (RPC #100008) +--PORT STATE SERVICE VERSION +--53344/udp open walld 1 (RPC #100008) -- @@ -41,6 +41,8 @@ license = "Same as Nmap--See https://nmap.org/book/man-legal.html" categories = {"version"} +-- Depend on rpcinfo so we don't grind something that's already known. +dependencies = {"rpcinfo"} portrule = function(host, port) -- Do not run for excluded ports diff --git a/scripts/rpcinfo.nse b/scripts/rpcinfo.nse index 80cead5ac..d8e759b3a 100644 --- a/scripts/rpcinfo.nse +++ b/scripts/rpcinfo.nse @@ -1,3 +1,4 @@ +local nmap = require "nmap" local rpc = require "rpc" local shortport = require "shortport" local stdnse = require "stdnse" @@ -77,7 +78,8 @@ license = "Same as Nmap--See https://nmap.org/book/man-legal.html" categories = {"discovery", "default", "safe"} -portrule = shortport.port_or_service(111, "rpcbind", {"tcp", "udp"} ) +-- don't match "rpcbind" because that's what version scan labels any RPC service +portrule = shortport.portnumber(111, {"tcp", "udp"} ) action = function(host, port) 
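Review bot: `dependencies = {"rpcinfo"}` in the rpc-grind hunk only orders the two scripts; as far as I recall NSE semantics it neither makes rpcinfo run when it was not itself selected (e.g. a plain `-sV` run without the default category) nor makes rpc-grind skip a port on its own. Whether grinding is really avoided depends on rpc-grind's portrule rejecting ports whose version rpcinfo already softmatched, and that body lies outside the hunk (only `-- Do not run for excluded ports` is visible). I'd make the comment say what the dependency actually buys: `-- Run after rpcinfo so its softmatch is visible to the portrule below (ordering only; rpcinfo must still be selected).`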
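Review bot: Switching the rpcinfo portrule to `shortport.portnumber(111, {"tcp", "udp"})` means a portmapper answering on a non-standard port is no longer enumerated even when version detection has identified it, because the service name is now ignored entirely. The same patch writes `"RPC #" .. progid` into `version.extrainfo`, so if nmap's own RPC grinder labels the portmapper the same way (I cannot confirm that from this diff), the false positives described in the commit message could be avoided by keeping the port-111 rule and additionally accepting a port whose `port.version.extrainfo` contains the portmapper program number, e.g. `or (port.service == "rpcbind" and port.version.extrainfo and port.version.extrainfo:find("#100000", 1, true) ~= nil)`. At minimum the comment above the portrule should note that portmappers on other ports are deliberately not covered.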
@@ -92,6 +94,22 @@ action = function(host, port)
 for progid, v in pairs(rpcinfo) do
 xmlout[tostring(progid)] = v
 for proto, v2 in pairs(v) do
+ local nmapport = nmap.get_port_state(host, {number=v2.port, protocol=proto})
+ if nmapport and (nmapport.state == "open" or nmapport.state == "open|filtered") then
+ nmapport.version = nmapport.version or {}
+ -- If we don't already knkow it, or we only know that it's "rpcbind"
+ if nmapport.service == nil or nmapport.version.service_dtype == "table" or port.service == "rpcbind" then
+ nmapport.version.name = rpc.Util.ProgNumberToName(progid)
+ nmapport.version.extrainfo = "RPC #" .. progid
+ if #v2.version > 1 then
+ nmapport.version.version = ("%d-%d"):format(v2.version[1], v2.version[#v2.version])
+ else
+ nmapport.version.version = tostring(v2.version[1])
+ end
+ nmap.set_port_version(host, nmapport, "softmatched")
+ end
+ end
+
 table.insert( result, ("%-7d %-10s %5d/%s %s"):format(progid, stdnse.strjoin(",", v2.version), v2.port, proto, rpc.Util.ProgNumberToName(progid) or "") )
 end
 end
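Review bot: The third clause of the new condition, `port.service == "rpcbind"`, tests the port rpcinfo ran on (the portmapper, which -sV labels rpcbind) rather than `nmapport`, so under -sV it is effectively always true and the softmatch overwrites whatever version detection had already established for every port the portmapper lists; the comment's intent reads as `nmapport.service == "rpcbind"`. Also `rpc.Util.ProgNumberToName(progid)` can return nil — the `table.insert` line in the same hunk guards it with `or ""` — so an unknown program number supplied by the remote host would reach `nmap.set_port_version` with `version.name = nil`; I'd bind `local name = rpc.Util.ProgNumberToName(progid)` first and add `name and` to the condition. Every value used here (`v2.port`, `v2.version`, `progid`) comes from the remote portmapper's dump and is untrusted, so the "softmatched" state is the right choice, and note that when several programs list the same port the last one visited by `pairs` wins, in unspecified order. `knkow` should read `know` in the comment. The enclosing `action` function continues beyond the end of the hunk.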