o [NSE] Split script db2-discover into two scripts, adding a new

broadcast-db2-discover script. This script attempts to discover DB2 database servers through broadcast requests. [Patrik Karlsson]
2025-12-09 14:11:29 +00:00 · 2011-07-10 08:01:26 +00:00
parent 248b53abfa
commit 1feb1bd582
4 changed files with 97 additions and 52 deletions
--- a/4
+++ b/4
@@ -1,5 +1,9 @@
 # Nmap Changelog ($Id$); -*-text-*-
 o [NSE] Split script db2-discover into two scripts, adding a new
  broadcast-db2-discover script. This script attempts to discover DB2
  database servers through broadcast requests. [Patrik Karlsson]
 o Fixed broken XML output in the case of timed-out hosts; the
  enclosing host element was missing. The fix was suggested by Rémi
  Mollon.
--- a/scripts/broadcast-db2-discover.nse
+++ b/scripts/broadcast-db2-discover.nse
@@ -0,0 +1,83 @@
 description = [[
 Attempts to discover DB2 servers on the network by sending a broadcast request to port 523/udp.
 ]]
 ---
 -- @usage
 -- nmap --script db2-discover
 --
 -- @output
 -- Pre-scan script results:
 -- | broadcast-db2-discover: 
 -- |   10.0.200.132 (UBU804-DB2E) - IBM DB2 v9.07.0
 -- |_  10.0.200.119 (EDUSRV011) - IBM DB2 v9.07.0
 -- Version 0.1
 -- Created 07/10/2011 - v0.1 - created by Patrik Karlsson <patrik@cqure.net>
 author = "Patrik Karlsson"
 license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
 categories = {"broadcast", "safe"}
 require "stdnse"
 require "shortport"
 require "target"
 prerule = function() return true end
 --- Converts the prodrel server string to a version string
 --
 -- @param server_version string containing the product release
 -- @return ver string containing the version information
 local function parseVersion( server_version )
 	local pfx = string.sub(server_version,1,3)
 	if pfx == "SQL" then
 		local major_version = string.sub(server_version,4,5)
 		-- strip the leading 0 from the major version, for consistency with 
 		-- nmap-service-probes results
 		if string.sub(major_version,1,1) == "0" then
 			major_version = string.sub(major_version,2)
 		end
 		local minor_version = string.sub(server_version,6,7)
 		local hotfix = string.sub(server_version,8)
 		server_version = major_version .. "." .. minor_version .. "." .. hotfix
 	else
 		return "Unknown version"
 	end
 	return ("IBM DB2 v%s"):format(server_version)
 end
 action = function()
 	local DB2GETADDR = "DB2GETADDR\0SQL09010\0"
 	local socket = nmap.new_socket("udp")
 	local result = {}
 	local host, port = "255.255.255.255", 523
 	socket:set_timeout(5000)
 	local status = socket:sendto( host, port, DB2GETADDR )
 	if ( not(status) ) then return end
 	while(true) do
 		local data
 		status, data = socket:receive()
 		if( not(status) ) then break end
 		local version, srvname = data:match("DB2RETADDR.(SQL%d+).(.-)%z")
 		local _, ip
 		status, _, _, ip, _ = socket:get_info()
 		if ( not(status) ) then return end
 		if target.ALLOW_NEW_TARGETS then target.add(ip)	end
 		if ( status ) then
 			table.insert( result, ("%s - Host: %s; Version: %s"):format(ip, srvname, parseVersion( version ) )  )
 		end
 	end
 	socket:close()	
 	return stdnse.format_output( true, result )
 end
--- a/scripts/db2-discover.nse
+++ b/scripts/db2-discover.nse
@@ -4,32 +4,31 @@ Attempts to discover DB2 servers on the network by querying open ibm-db2 UDP por
 ---
 -- @usage
-- sudo ./nmap -sU -p 523 --script db2-discover <ip>
+-- sudo nmap -sU -p 523 --script db2-discover <ip>
 --
 -- @output
 -- PORT    STATE SERVICE
 -- 523/udp open  ibm-db2
 -- | db2-discover: 
-- |   10.0.200.132 (UBU804-DB2E) - IBM DB2 v9.07.0
+-- |   Host: EDUSRV011
-- |_  10.0.200.119 (EDUSRV011) - IBM DB2 v9.07.0
+-- |_  Version: IBM DB2 v9.07.0
 -- Version 0.1
 -- Created 08/27/2010 - v0.1 - created by Patrik Karlsson <patrik@cqure.net>
 -- Revised 10/10/2010 - v0.2 - add prerule, newtargets <patrik@cqure.net> 
 -- Revised 10/07/2011 - v0.3 - moved broadcast support to
 --                             broadcast-db2-discover.nse <patrik@cqure.net>
 author = "Patrik Karlsson"
 license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
-categories = {"broadcast", "safe"}
+categories = {"discover", "safe"}
 require "stdnse"
 require "shortport"
 require "target"
 prerule = function() return true end
 portrule = shortport.version_port_or_service(523, "ibm-db2", "udp",
 												{"open", "open|filtered"})
 --- Converts the prodrel server string to a version string
 --
 -- @param server_version string containing the product release
@@ -55,39 +54,7 @@ local function parseVersion( server_version )
 	return ("IBM DB2 v%s"):format(server_version)
 end
-preaction = function()
+action = function(host, port)
 	local DB2GETADDR = "DB2GETADDR\0SQL09010\0"
 	local socket = nmap.new_socket("udp")
 	local result = {}
 	local host, port = "255.255.255.255", 523
 	socket:set_timeout(5000)
 	local status = socket:sendto( host, port, DB2GETADDR )
 	if ( not(status) ) then return end
 	while(true) do
 		local data
 		status, data = socket:receive()
 		if( not(status) ) then break end
 		local version, srvname = data:match("DB2RETADDR.(SQL%d+).(.-)%z")
 		local _, ip
 		status, _, _, ip, _ = socket:get_info()
 		if ( not(status) ) then return end
 		if target.ALLOW_NEW_TARGETS then target.add(ip)	end
 		if ( status ) then
 			table.insert( result, ("%s - Host: %s; Version: %s"):format(ip, srvname, parseVersion( version ) )  )
 		end
 	end
 	socket:close()	
 	return stdnse.format_output( true, result )
 end
 scanaction = function(host, port)
 	local DB2GETADDR = "DB2GETADDR\0SQL09010\0"
 	local socket = nmap.new_socket()
@@ -120,14 +87,4 @@ scanaction = function(host, port)
 	nmap.set_port_state(host, port, "open")
 	return stdnse.format_output( true, result )	
-end
+end
 -- Function dispatch table
 local actions = {
 	prerule = preaction,
 	hostrule = scanaction,
 	portrule = scanaction,
 }
 function action (...) return actions[SCRIPT_TYPE](...) end
--- a/scripts/script.db
+++ b/scripts/script.db
@@ -10,6 +10,7 @@ Entry { filename = "backorifice-brute.nse", categories = { "auth", "intrusive",
 Entry { filename = "backorifice-info.nse", categories = { "default", "discovery", "safe", } }
 Entry { filename = "banner.nse", categories = { "discovery", "safe", } }
 Entry { filename = "broadcast-avahi-dos.nse", categories = { "broadcast", "dos", "intrusive", "vuln", } }
 Entry { filename = "broadcast-db2-discover.nse", categories = { "broadcast", "safe", } }
 Entry { filename = "broadcast-dns-service-discovery.nse", categories = { "broadcast", "safe", } }
 Entry { filename = "broadcast-dropbox-listener.nse", categories = { "broadcast", "safe", } }
 Entry { filename = "broadcast-ms-sql-discover.nse", categories = { "broadcast", "discovery", "safe", } }
@@ -28,7 +29,7 @@ Entry { filename = "creds-summary.nse", categories = { "auth", "default", "safe"
 Entry { filename = "daap-get-library.nse", categories = { "discovery", "safe", } }
 Entry { filename = "daytime.nse", categories = { "discovery", "safe", } }
 Entry { filename = "db2-das-info.nse", categories = { "discovery", "safe", "version", } }
-Entry { filename = "db2-discover.nse", categories = { "broadcast", "safe", } }
+Entry { filename = "db2-discover.nse", categories = { "discover", "safe", } }
 Entry { filename = "dhcp-discover.nse", categories = { "discovery", "intrusive", } }
 Entry { filename = "dns-brute.nse", categories = { "discovery", "intrusive", } }
 Entry { filename = "dns-cache-snoop.nse", categories = { "discovery", "intrusive", } }