Tridium Fox script, probes, sslports.

CHANGELOG

@@ -1,7 +1,10 @@
 # Nmap Changelog ($Id$); -*-text-*-
 
-o New service probe and match lines for PCWorx and ProConOS, based on work by
-  Stephen Hilt of Digital Bond.
+o [NSE] New script: fox-info retrieves detailed version and configuration info
+  from Tridium Niagara Fox services. [Stephen Hilt]
+
+o New service probe and match lines for PCWorx, ProConOS, and Tridium Fox,
+  based on work by Stephen Hilt of Digital Bond.
 
 o [NSE] New script: pcworx-info retrieves PLC model, firmware version, and date
   from Phoenix Contact PLCs. [Stephen Hilt]

nmap-service-probes

@@ -12303,7 +12303,7 @@ softmatch ftp m|^220[\s-].*ftp[^\r]*\r\n214[\s-]|i
 # TLSv1-only servers, based on a failed handshake alert.
 Probe TCP SSLSessionReq q|\x16\x03\0\0S\x01\0\0O\x03\0?G\xd7\xf7\xba,\xee\xea\xb2`~\xf3\0\xfd\x82{\xb9\xd5\x96\xc8w\x9b\xe6\xc4\xdb<=\xdbo\xef\x10n\0\0(\0\x16\0\x13\0\x0a\0f\0\x05\0\x04\0e\0d\0c\0b\0a\0`\0\x15\0\x12\0\x09\0\x14\0\x11\0\x08\0\x06\0\x03\x01\0|
 rarity 1
-ports 322,443,444,465,548,636,989,990,992,993,994,995,1241,1311,1443,2000,2252,2443,3443,4433,4443,4444,5061,5443,5550,6443,7210,7272,7443,8009,8181,8194,8443,9001,9443,10443,14443,44443,60443
+ports 322,443,444,465,548,636,989,990,992,993,994,995,1241,1311,1443,2000,2252,2443,3443,4433,4443,4444,4911,5061,5443,5550,6443,7210,7272,7443,8009,8181,8194,8443,9001,9443,10443,14443,44443,60443
 fallback GetRequest
 
 match adabas m|^,\0,\0\x03\x02\0\0G\xd7\xf7\xbaO\x03\0\?\x05\0\0\0\0\x02\x18\0\xfd\x0b\0\0<=\xdbo\xef\x10n \xd5\x96\xc8w\x9b\xe6\xc4\xdb$| p/ADABAS database/
@@ -14962,3 +14962,13 @@ ports 20547
 
 match proconos m|^\xcc\x01...\x02\x92\0V\d+\.\d+ProConOS V([\d.]+) \w\w\w +\d+ \d+\0+\0([^\0]+)\0+([^\0]+)\0+([^\0]+)\0+([^\0]+)\0|s p/ProConOS/ v/$1/ i|PLC: $2; project: $3/$4; source: $5|
 match echo m|^\xcc\x01\0\x0b@\x02\0\0G\xee|
+
+##############################NEXT PROBE##############################
+# Tridium Niagara Fox
+Probe TCP niagara-fox q|fox a 1 -1 fox hello\n{\nfox.version=s:1.0\nid=i:1\n};;\n|
+rarity 9
+ports 1911
+sslports 4911
+
+match niagara-fox m|^fox a 0 -1 fox hello\n\{\nfox\.version=s:([\d.]+)\nid=i:\d+.*\napp\.name=s:Station\napp\.version=s:([\d.]+)\n|s p/Tridium Niagara/ v/$2/ i/fox version $1/
+softmatch niagara-fox m|^fox a 0|

nselib/shortport.lua

@@ -196,6 +196,7 @@ local LIKELY_SSL_PORTS = {
   995, -- pop3s
   3269, -- globalcatLDAPssl
   3389, -- ms-wbt-server
+  4911, -- ssl/niagara-fox
   5061, -- sip-tls
   6679,
   6697,

scripts/fox-info.nse

@@ -0,0 +1,139 @@
+local nmap = require "nmap"
+local shortport = require "shortport"
+local stdnse = require "stdnse"
+local comm = require "comm"
+local ipOps = require "ipOps"
+
+description = [[
+Tridium Niagara Fox is a protocol used within Building Automation Systems. Based
+off Billy Rios and Terry McCorkle's work this Nmap NSE will collect information
+from A Tridium Niagara system.
+
+http://digitalbond.com
+
+]]
+
+---
+-- @usage
+-- nmap --script fox-info.nse -p 1911 <host>
+--
+-- @output
+-- 1911/tcp open  Niagara Fox
+-- | fox-info:
+-- |   fox.version: 1.0.1
+-- |   hostName: xpvm-0omdc01xmy
+-- |   hostAddress: 192.168.1.1
+-- |   app.name: Workbench
+-- |   app.version: 3.7.44
+-- |   vm.name: Java HotSpot(TM) Server VM
+-- |   vm.version: 20.4-b02
+-- |   os.name: Windows XP
+-- |   timeZone: America/Chicago
+-- |   hostId: Win-99CB-D49D-5442-07BB
+-- |   vmUuid: 8b530bc8-76c5-4139-a2ea-0fabd394d305
+-- |_  brandId: vykon
+--
+-- @xmloutput
+--<elem key="fox.version">1.0.1</elem>
+--<elem key="hostName">xpvm-0omdc01xmy</elem>
+--<elem key="hostAddress">192.168.1.1</elem>
+--<elem key="app.name">Workbench</elem>
+--<elem key="app.version">3.7.44</elem>
+--<elem key="vm.name">Java HotSpot(TM) Server VM</elem>
+--<elem key="vm.version">20.4-b02</elem>
+--<elem key="os.Name">Windows XP</elem>
+--<elem key="timeZone">America/Chicago</elem>
+--<elem key="hostId">Win-99CB-D49D-5442-07BB</elem>
+--<elem key="vmUuid">8b530bc8-76c5-4139-a2ea-0fabd394d305</elem>
+--<elem key="brandId">vykon</elem>
+
+author = "Stephen Hilt (Digital Bond)"
+license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
+categories = {"discovery", "version"}
+
+
+portrule = shortport.port_or_service({1911, 4911}, "niagara-fox", "tcp")
+
+--  Action Function that is used to run the NSE. This function will send the
+--  initial query to the host and port that were passed in via nmap. The
+--  initial response is parsed to determine if host is a Niagara Fox device. If it
+--  is then more actions are taken to gather extra information.
+--
+-- @param host Host that was scanned via nmap
+-- @param port port that was scanned via nmap
+action = function(host, port)
+  --set the first query data for sending
+  local orig_query =
+  [==[fox a 1 -1 fox hello
+{
+fox.version=s:1.0
+id=i:1
+};;
+]==]
+
+  -- receive response
+  local socket, response, proto = comm.tryssl(host, port, orig_query)
+  if not socket then
+    stdnse.debug1( "Receive error: %s", response)
+    return nil
+  end
+  socket:close()
+
+  if proto == "ssl" then
+    port.version.service_tunnel = "ssl"
+  end
+
+  local pos = response:find("{")
+  if not pos or not response:match("^fox a 0") then
+    stdnse.debug1("Not Niagara Fox protocol")
+    return nil
+  end
+
+  -- output table that will be returned to nmap
+  local to_return = stdnse.output_table()
+
+  local set = function (key, value)
+    to_return[key] = value
+  end
+
+  local dispatch = {
+    hostName = function (key, value)
+      if not ipOps.ip_to_str(value) then
+        -- If this is an IP address, don't set it as a hostname
+        port.version.hostname = value
+      end
+      to_return[key] = value
+    end,
+    hostAddress = set,
+    ["fox.version"] = set,
+    ["app.name"] = set,
+    ["app.version"] = set,
+    ["vm.name"] = set,
+    ["vm.version"] = set,
+    ["os.name"] = set,
+    timeZone = function (key, value)
+      to_return[key] = value:match("^[^;]+")
+    end,
+    hostId = set,
+    vmUuid = set,
+    brandId = set,
+    fatal = set, -- sometimes reports a fatal error about unsupported
+  }
+
+  for key, value in response:gmatch("\n([%w.]+)=s:([^\n]+)") do
+    local act = dispatch[key]
+    if act then
+      act(key, value)
+    end
+  end
+
+  if #to_return <= 0 then
+    return nil
+  end
+
+  port.version.name = "niagara-fox"
+  nmap.set_port_version(host, port)
+
+  -- return output table to nmap
+  return to_return
+end

scripts/script.db

@@ -113,6 +113,7 @@ Entry { filename = "finger.nse", categories = { "default", "discovery", "safe",
 Entry { filename = "firewalk.nse", categories = { "discovery", "safe", } }
 Entry { filename = "firewall-bypass.nse", categories = { "intrusive", "vuln", } }
 Entry { filename = "flume-master-info.nse", categories = { "default", "discovery", "safe", } }
+Entry { filename = "fox-info.nse", categories = { "discovery", "version", } }
 Entry { filename = "freelancer-info.nse", categories = { "default", "discovery", "safe", "version", } }
 Entry { filename = "ftp-anon.nse", categories = { "auth", "default", "safe", } }
 Entry { filename = "ftp-bounce.nse", categories = { "default", "safe", } }