From 0edbf3f0735ba2053964cf7374c503b6c590441d Mon Sep 17 00:00:00 2001
From: dmiller
Date: Wed, 7 Sep 2016 03:49:31 +0000
Subject: [PATCH] Tridium Fox script, probes, sslports.
---
CHANGELOG | 7 ++-
nmap-service-probes | 12 +++-
nselib/shortport.lua | 1 +
scripts/fox-info.nse | 139 +++++++++++++++++++++++++++++++++++++++++++
scripts/script.db | 1 +
5 files changed, 157 insertions(+), 3 deletions(-)
create mode 100644 scripts/fox-info.nse
diff --git a/CHANGELOG b/CHANGELOG
index c2c253a61..24930ed0c 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,7 +1,10 @@
# Nmap Changelog ($Id$); -*-text-*-
-o New service probe and match lines for PCWorx and ProConOS, based on work by
- Stephen Hilt of Digital Bond.
+o [NSE] New script: fox-info retrieves detailed version and configuration info
+ from Tridium Niagara Fox services. [Stephen Hilt]
+
+o New service probe and match lines for PCWorx, ProConOS, and Tridium Fox,
+ based on work by Stephen Hilt of Digital Bond.
o [NSE] New script: pcworx-info retrieves PLC model, firmware version, and date
from Phoenix Contact PLCs. [Stephen Hilt]
diff --git a/nmap-service-probes b/nmap-service-probes
index 73fd214f9..92cfca54e 100644
--- a/nmap-service-probes
+++ b/nmap-service-probes
@@ -12303,7 +12303,7 @@ softmatch ftp m|^220[\s-].*ftp[^\r]*\r\n214[\s-]|i
# TLSv1-only servers, based on a failed handshake alert.
Probe TCP SSLSessionReq q|\x16\x03\0\0S\x01\0\0O\x03\0?G\xd7\xf7\xba,\xee\xea\xb2`~\xf3\0\xfd\x82{\xb9\xd5\x96\xc8w\x9b\xe6\xc4\xdb<=\xdbo\xef\x10n\0\0(\0\x16\0\x13\0\x0a\0f\0\x05\0\x04\0e\0d\0c\0b\0a\0`\0\x15\0\x12\0\x09\0\x14\0\x11\0\x08\0\x06\0\x03\x01\0|
rarity 1
-ports 322,443,444,465,548,636,989,990,992,993,994,995,1241,1311,1443,2000,2252,2443,3443,4433,4443,4444,5061,5443,5550,6443,7210,7272,7443,8009,8181,8194,8443,9001,9443,10443,14443,44443,60443
+ports 322,443,444,465,548,636,989,990,992,993,994,995,1241,1311,1443,2000,2252,2443,3443,4433,4443,4444,4911,5061,5443,5550,6443,7210,7272,7443,8009,8181,8194,8443,9001,9443,10443,14443,44443,60443
fallback GetRequest
match adabas m|^,\0,\0\x03\x02\0\0G\xd7\xf7\xbaO\x03\0\?\x05\0\0\0\0\x02\x18\0\xfd\x0b\0\0<=\xdbo\xef\x10n \xd5\x96\xc8w\x9b\xe6\xc4\xdb$| p/ADABAS database/
@@ -14962,3 +14962,13 @@ ports 20547
match proconos m|^\xcc\x01...\x02\x92\0V\d+\.\d+ProConOS V([\d.]+) \w\w\w +\d+ \d+\0+\0([^\0]+)\0+([^\0]+)\0+([^\0]+)\0+([^\0]+)\0|s p/ProConOS/ v/$1/ i|PLC: $2; project: $3/$4; source: $5|
match echo m|^\xcc\x01\0\x0b@\x02\0\0G\xee|
+
+##############################NEXT PROBE##############################
+# Tridium Niagara Fox
+Probe TCP niagara-fox q|fox a 1 -1 fox hello\n{\nfox.version=s:1.0\nid=i:1\n};;\n|
+rarity 9
+ports 1911
+sslports 4911
+
+match niagara-fox m|^fox a 0 -1 fox hello\n\{\nfox\.version=s:([\d.]+)\nid=i:\d+.*\napp\.name=s:Station\napp\.version=s:([\d.]+)\n|s p/Tridium Niagara/ v/$2/ i/fox version $1/
+softmatch niagara-fox m|^fox a 0|
diff --git a/nselib/shortport.lua b/nselib/shortport.lua
index 7d5317ef1..7aec9f6a9 100644
--- a/nselib/shortport.lua
+++ b/nselib/shortport.lua
@@ -196,6 +196,7 @@ local LIKELY_SSL_PORTS = {
995, -- pop3s
3269, -- globalcatLDAPssl
3389, -- ms-wbt-server
+ 4911, -- ssl/niagara-fox
5061, -- sip-tls
6679,
6697,
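Review bot: The `match niagara-fox` line only fires when the banner carries `app.name=s:Station`, so a Fox endpoint reporting any other app name (the fox-info.nse added in this same patch shows `app.name: Workbench` in its sample output) falls through to the bare `softmatch niagara-fox m|^fox a 0|` and loses the version fields. If only Station instances are expected to listen on 1911/4911 that is fine, but a comment above the match saying so would save the next person the same question; otherwise `app\.name=s:[^\n]+\napp\.version=s:([\d.]+)\n` keeps the existing capture numbering and covers both. The `id=i:\d+.*\n` fragment runs under the `s` flag, so `.*` may span every banner line up to the last `app.name`; that appears intended, since hostName/hostAddress lines sit between id and app.name in the script's sample output, but it is worth a note next to the match.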
diff --git a/scripts/fox-info.nse b/scripts/fox-info.nse
new file mode 100644
index 000000000..ea28365b7
--- /dev/null
+++ b/scripts/fox-info.nse
@@ -0,0 +1,139 @@
+local nmap = require "nmap"
+local shortport = require "shortport"
+local stdnse = require "stdnse"
+local comm = require "comm"
+local ipOps = require "ipOps"
+
+description = [[
+Tridium Niagara Fox is a protocol used within Building Automation Systems. Based
+off Billy Rios and Terry McCorkle's work this Nmap NSE will collect information
+from A Tridium Niagara system.
+
+http://digitalbond.com
+
+]]
+
+---
+-- @usage
+-- nmap --script fox-info.nse -p 1911
+--
+-- @output
+-- 1911/tcp open Niagara Fox
+-- | fox-info:
+-- | fox.version: 1.0.1
+-- | hostName: xpvm-0omdc01xmy
+-- | hostAddress: 192.168.1.1
+-- | app.name: Workbench
+-- | app.version: 3.7.44
+-- | vm.name: Java HotSpot(TM) Server VM
+-- | vm.version: 20.4-b02
+-- | os.name: Windows XP
+-- | timeZone: America/Chicago
+-- | hostId: Win-99CB-D49D-5442-07BB
+-- | vmUuid: 8b530bc8-76c5-4139-a2ea-0fabd394d305
+-- |_ brandId: vykon
+--
+-- @xmloutput
+--1.0.1
+--xpvm-0omdc01xmy
+--192.168.1.1
+--Workbench
+--3.7.44
+--Java HotSpot(TM) Server VM
+--20.4-b02
+--Windows XP
+--America/Chicago
+--Win-99CB-D49D-5442-07BB
+--8b530bc8-76c5-4139-a2ea-0fabd394d305
+--vykon
+
+author = "Stephen Hilt (Digital Bond)"
+license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
+categories = {"discovery", "version"}
+
+
+portrule = shortport.port_or_service({1911, 4911}, "niagara-fox", "tcp")
+
+-- Action Function that is used to run the NSE. This function will send the
+-- initial query to the host and port that were passed in via nmap. The
+-- initial response is parsed to determine if host is a Niagara Fox device. If it
+-- is then more actions are taken to gather extra information.
+--
+-- @param host Host that was scanned via nmap
+-- @param port port that was scanned via nmap
+action = function(host, port)
+ --set the first query data for sending
+ local orig_query =
+ [==[fox a 1 -1 fox hello
+{
+fox.version=s:1.0
+id=i:1
+};;
+]==]
+
+ -- receive response
+ local socket, response, proto = comm.tryssl(host, port, orig_query)
+ if not socket then
+ stdnse.debug1( "Receive error: %s", response)
+ return nil
+ end
+ socket:close()
+
+ if proto == "ssl" then
+ port.version.service_tunnel = "ssl"
+ end
+
+ local pos = response:find("{")
+ if not pos or not response:match("^fox a 0") then
+ stdnse.debug1("Not Niagara Fox protocol")
+ return nil
+ end
+
+ -- output table that will be returned to nmap
+ local to_return = stdnse.output_table()
+
+ local set = function (key, value)
+ to_return[key] = value
+ end
+
+ local dispatch = {
+ hostName = function (key, value)
+ if not ipOps.ip_to_str(value) then
+ -- If this is an IP address, don't set it as a hostname
+ port.version.hostname = value
+ end
+ to_return[key] = value
+ end,
+ hostAddress = set,
+ ["fox.version"] = set,
+ ["app.name"] = set,
+ ["app.version"] = set,
+ ["vm.name"] = set,
+ ["vm.version"] = set,
+ ["os.name"] = set,
+ timeZone = function (key, value)
+ to_return[key] = value:match("^[^;]+")
+ end,
+ hostId = set,
+ vmUuid = set,
+ brandId = set,
+ fatal = set, -- sometimes reports a fatal error about unsupported
+ }
+
+ for key, value in response:gmatch("\n([%w.]+)=s:([^\n]+)") do
+ local act = dispatch[key]
+ if act then
+ act(key, value)
+ end
+ end
+
+ if #to_return <= 0 then
+ return nil
+ end
+
+ port.version.name = "niagara-fox"
+ nmap.set_port_version(host, port)
+
+ -- return output table to nmap
+ return to_return
+end
diff --git a/scripts/script.db b/scripts/script.db
index 947b3aecf..28702e411 100644
--- a/scripts/script.db
+++ b/scripts/script.db
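Review bot: The header comment on `action` says that once the greeting is recognized "more actions are taken to gather extra information", but the body sends exactly one request via `comm.tryssl(host, port, orig_query)` and only parses that single reply, so the comment overstates what the function does; suggest replacing that sentence with `-- The reply to that single hello is parsed into the output table; no further requests are sent.`. The trailing comment on the `fatal` dispatch entry is cut off mid-sentence (`-- sometimes reports a fatal error about unsupported`) and should be completed or dropped. The emptiness check `if #to_return <= 0 then` relies on `stdnse.output_table()` honouring `#` through a `__len` metamethod, which is not visible here; `if next(to_return) == nil then` would not depend on that detail. `pos` is only ever used as a boolean, so `if not response:find("{", 1, true) or not response:match("^fox a 0") then` reads more directly and makes the plain (non-pattern) search explicit.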
@@ -113,6 +113,7 @@ Entry { filename = "finger.nse", categories = { "default", "discovery", "safe",
Entry { filename = "firewalk.nse", categories = { "discovery", "safe", } }
Entry { filename = "firewall-bypass.nse", categories = { "intrusive", "vuln", } }
Entry { filename = "flume-master-info.nse", categories = { "default", "discovery", "safe", } }
+Entry { filename = "fox-info.nse", categories = { "discovery", "version", } }
Entry { filename = "freelancer-info.nse", categories = { "default", "discovery", "safe", "version", } }
Entry { filename = "ftp-anon.nse", categories = { "auth", "default", "safe", } }
Entry { filename = "ftp-bounce.nse", categories = { "default", "safe", } }