diff --git a/CHANGELOG b/CHANGELOG index 494256bd8..a0619fd7e 100644 --- a/CHANGELOG +++ b/CHANGELOG @@ -1,5 +1,9 @@ # Nmap Changelog ($Id$); -*-text-*- +o [NSE] Split script db2-discover into two scripts, adding a new + broadcast-db2-discover script. This script attempts to discover DB2 + database servers through broadcast requests. [Patrik Karlsson] + o Fixed broken XML output in the case of timed-out hosts; the enclosing host element was missing. The fix was suggested by Rémi Mollon. diff --git a/scripts/broadcast-db2-discover.nse b/scripts/broadcast-db2-discover.nse new file mode 100644 index 000000000..f8694e1a4 --- /dev/null +++ b/scripts/broadcast-db2-discover.nse 
@@ -0,0 +1,83 @@
+description = [[
+Attempts to discover DB2 servers on the network by sending a broadcast request to port 523/udp.
+]]
+
+---
+-- @usage
+-- nmap --script db2-discover
+--
+-- @output
+-- Pre-scan script results:
+-- | broadcast-db2-discover:
+-- | 10.0.200.132 (UBU804-DB2E) - IBM DB2 v9.07.0
+-- |_ 10.0.200.119 (EDUSRV011) - IBM DB2 v9.07.0
+
+-- Version 0.1
+-- Created 07/10/2011 - v0.1 - created by Patrik Karlsson
+
+author = "Patrik Karlsson"
+license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
+categories = {"broadcast", "safe"}
+
+require "stdnse"
+require "shortport"
+require "target"
+
+prerule = function() return true end
+
+--- Converts the prodrel server string to a version string
+--
+-- @param server_version string containing the product release
+-- @return ver string containing the version information
+local function parseVersion( server_version )
+ local pfx = string.sub(server_version,1,3)
+
+ if pfx == "SQL" then
+ local major_version = string.sub(server_version,4,5)
+
+ -- strip the leading 0 from the major version, for consistency with
+ -- nmap-service-probes results
+ if string.sub(major_version,1,1) == "0" then
+ major_version = string.sub(major_version,2)
+ end
+ local minor_version = string.sub(server_version,6,7)
+ local hotfix = string.sub(server_version,8)
+ server_version = major_version .. "." .. minor_version .. "." .. hotfix
+ else
+ return "Unknown version"
+ end
+
+ return ("IBM DB2 v%s"):format(server_version)
+end
+
+action = function()
+
+ local DB2GETADDR = "DB2GETADDR\0SQL09010\0"
+ local socket = nmap.new_socket("udp")
+ local result = {}
+ local host, port = "255.255.255.255", 523
+
+ socket:set_timeout(5000)
+ local status = socket:sendto( host, port, DB2GETADDR )
+ if ( not(status) ) then return end
+
+ while(true) do
+ local data
+ status, data = socket:receive()
+ if( not(status) ) then break end
+
+ local version, srvname = data:match("DB2RETADDR.(SQL%d+).(.-)%z")
+ local _, ip
+ status, _, _, ip, _ = socket:get_info()
+ if ( not(status) ) then return end
+
+ if target.ALLOW_NEW_TARGETS then target.add(ip) end
+
+ if ( status ) then
+ table.insert( result, ("%s - Host: %s; Version: %s"):format(ip, srvname, parseVersion( version ) ) )
+ end
+ end
+ socket:close()
+
+ return stdnse.format_output( true, result )
+end
\ No newline at end of file
diff --git a/scripts/db2-discover.nse b/scripts/db2-discover.nse
index 398a35a04..2f495be10 100644
--- a/scripts/db2-discover.nse
+++ b/scripts/db2-discover.nse
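Review bot: The `table.insert` line in `action` calls `parseVersion( version )` even when `data:match("DB2RETADDR.(SQL%d+).(.-)%z")` returned nil, so any datagram that arrives on the broadcast socket without a DB2RETADDR reply makes `string.sub(nil,1,3)` raise and aborts the whole script; the `if ( status ) then` guard in front of it cannot catch this, because `status` was already tested right after `get_info`. Replacing that guard with `if ( version and srvname ) then` silently skips unrecognised datagrams, and moving the `target.add(ip)` call under the same guard keeps unrelated responders from being added as new targets. The `return` after the `get_info` failure also leaves the socket open, unlike the `break` taken on receive failure. Separately, the `@usage` line still reads `nmap --script db2-discover` although this file is broadcast-db2-discover.nse, and both this file and the last db2-discover.nse hunk are written without a trailing newline.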
@@ -4,32 +4,31 @@ Attempts to discover DB2 servers on the network by querying open ibm-db2 UDP por --- -- @usage --- sudo ./nmap -sU -p 523 --script db2-discover +-- sudo nmap -sU -p 523 --script db2-discover -- -- @output -- PORT STATE SERVICE -- 523/udp open ibm-db2 -- | db2-discover: --- | 10.0.200.132 (UBU804-DB2E) - IBM DB2 v9.07.0 --- |_ 10.0.200.119 (EDUSRV011) - IBM DB2 v9.07.0 +-- | Host: EDUSRV011 +-- |_ Version: IBM DB2 v9.07.0 -- Version 0.1 -- Created 08/27/2010 - v0.1 - created by Patrik Karlsson -- Revised 10/10/2010 - v0.2 - add prerule, newtargets +-- Revised 10/07/2011 - v0.3 - moved broadcast support to +-- broadcast-db2-discover.nse author = "Patrik Karlsson" license = "Same as Nmap--See http://nmap.org/book/man-legal.html" -categories = {"broadcast", "safe"} +categories = {"discover", "safe"} require "stdnse" require "shortport" -require "target" -prerule = function() return true end portrule = shortport.version_port_or_service(523, "ibm-db2", "udp", {"open", "open|filtered"}) - --- Converts the prodrel server string to a version string -- -- @param server_version string containing the product release 
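Review bot: The new `categories = {"discover", "safe"}` line names a category that does not match the established NSE category name `"discovery"`, which the neighbouring script.db entries (`banner.nse`, `db2-das-info.nse`, `dhcp-discover.nse`) use. As written the script would not be selected by a `--script discovery` run and is only reachable by name or through `safe`. It should read `categories = {"discovery", "safe"}`; the `+Entry { filename = "db2-discover.nse", categories = { "discover", "safe", } }` line in the script.db hunk carries the same typo and needs regenerating once this line is fixed.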
@@ -55,39 +54,7 @@ local function parseVersion( server_version ) return ("IBM DB2 v%s"):format(server_version) end -preaction = function() - - local DB2GETADDR = "DB2GETADDR\0SQL09010\0" - local socket = nmap.new_socket("udp") - local result = {} - local host, port = "255.255.255.255", 523 - - socket:set_timeout(5000) - local status = socket:sendto( host, port, DB2GETADDR ) - if ( not(status) ) then return end - - while(true) do - local data - status, data = socket:receive() - if( not(status) ) then break end - - local version, srvname = data:match("DB2RETADDR.(SQL%d+).(.-)%z") - local _, ip - status, _, _, ip, _ = socket:get_info() - if ( not(status) ) then return end - - if target.ALLOW_NEW_TARGETS then target.add(ip) end - - if ( status ) then - table.insert( result, ("%s - Host: %s; Version: %s"):format(ip, srvname, parseVersion( version ) ) ) - end - end - socket:close() - - return stdnse.format_output( true, result ) -end - -scanaction = function(host, port) +action = function(host, port) local DB2GETADDR = "DB2GETADDR\0SQL09010\0" local socket = nmap.new_socket() @@ -120,14 +87,4 @@ scanaction = function(host, port) nmap.set_port_state(host, port, "open") return stdnse.format_output( true, result ) -end - - --- Function dispatch table -local actions = { - prerule = preaction, - hostrule = scanaction, - portrule = scanaction, -} - -function action (...) return actions[SCRIPT_TYPE](...) end +end \ No newline at end of file diff --git a/scripts/script.db b/scripts/script.db index 995946595..44008fd2b 100644 --- a/scripts/script.db +++ b/scripts/script.db 
@@ -10,6 +10,7 @@ Entry { filename = "backorifice-brute.nse", categories = { "auth", "intrusive",
Entry { filename = "backorifice-info.nse", categories = { "default", "discovery", "safe", } }
Entry { filename = "banner.nse", categories = { "discovery", "safe", } }
Entry { filename = "broadcast-avahi-dos.nse", categories = { "broadcast", "dos", "intrusive", "vuln", } }
+Entry { filename = "broadcast-db2-discover.nse", categories = { "broadcast", "safe", } }
Entry { filename = "broadcast-dns-service-discovery.nse", categories = { "broadcast", "safe", } }
Entry { filename = "broadcast-dropbox-listener.nse", categories = { "broadcast", "safe", } }
Entry { filename = "broadcast-ms-sql-discover.nse", categories = { "broadcast", "discovery", "safe", } }
@@ -28,7 +29,7 @@ Entry { filename = "creds-summary.nse", categories = { "auth", "default", "safe"
Entry { filename = "daap-get-library.nse", categories = { "discovery", "safe", } }
Entry { filename = "daytime.nse", categories = { "discovery", "safe", } }
Entry { filename = "db2-das-info.nse", categories = { "discovery", "safe", "version", } }
-Entry { filename = "db2-discover.nse", categories = { "broadcast", "safe", } }
+Entry { filename = "db2-discover.nse", categories = { "discover", "safe", } }
Entry { filename = "dhcp-discover.nse", categories = { "discovery", "intrusive", } }
Entry { filename = "dns-brute.nse", categories = { "discovery", "intrusive", } }
Entry { filename = "dns-cache-snoop.nse", categories = { "discovery", "intrusive", } }