o [NSE] Added the script broadcast-pc-anywhere that discovers host running the

PC-Anywhere remote control software on the LAN. [Patrik]

o [NSE] Added the script broadcast-pc-duo that discovers hosts running the
  PC-Duo remote control software on the LAN. [Patrik]

o Added probes for discovering PC-Duo and PC-Anywhere hosts. [Patrik]

CHANGELOG

@@ -1,5 +1,13 @@
 # Nmap Changelog ($Id$); -*-text-*-
 
+o [NSE] Added the script broadcast-pc-anywhere that discovers host running the
+  PC-Anywhere remote control software on the LAN. [Patrik]
+
+o [NSE] Added the script broadcast-pc-duo that discovers hosts running the
+  PC-Duo remote control software on the LAN. [Patrik]
+
+o Added probes for discovering PC-Duo and PC-Anywhere hosts. [Patrik]
+
 o [NSE] Added support for forcing scripts to run agains certain ports by adding
   a plus in front of the script name. [Martin Swende]
 

nmap-service-probes

@@ -9361,6 +9361,8 @@ match tibia m|^V\0\x02\0Your terminal version is too old\.\nPlease get a new ver
 
 match xplorer m|Access violation at address \w+ in module 'Xplorer\.exe'\. Read of address| p/SoftOne Business Xplorer/ o/Windows/ cpe:/o:microsoft:windows/a
 
+match pc-anywhere m|\x1bY2\0\x01\x03B\0\0\x01\0\x14....................\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0| p/Symantec PC-Anywhere/
+
 ##############################NEXT PROBE##############################
 Probe TCP DistCCD q|DIST00000001ARGC00000005ARGV00000002ccARGV00000002-cARGV00000006nmap.cARGV00000002-oARGV00000006nmap.oDOTI00000000|
 rarity 8
@@ -10124,4 +10126,25 @@ match sybaseanywhere m|^\x1b\0\0.\0\0\0\0\x12CONNECTIONLESS_TDS\0\0\0\x01\x01\0\
 Probe UDP vuze-dht q|\xff\xf0\x97\x0d\x2e\x60\xd1\x6f\0\0\x04\0\0\x55\xab\xec\x32\0\0\0\0\0\x32\x04\x0a\0\xc8\x75\xf8\x16\0\x5c\xb9\x65\0\0\0\0\x4e\xd1\xf5\x28|
 rarity 8
 ports 17555,49152-49156
-match vuze-dht m|^\0\0\x04\x01\0U\xab\xec\xff\xf0\x97\r\.`\xd1o..........|s p/Vuze/
+match vuze-dht m|^\0\0\x04\x01\0U\xab\xec\xff\xf0\x97\r\.`\xd1o..........|s p/Vuze/
+
+##############################NEXT PROBE##############################
+# PC-Anywhere probe
+Probe UDP pc-anywhere q|NQ|
+rarity 8
+ports 5632
+match pc-anywhere m|^NR([^_]*)_*AHM_3___\0$|s i/Servername: $1/ p/Symantec PC-Anywhere/
+
+##############################NEXT PROBE##############################
+# PC-DUO host probe
+Probe UDP pc-duo q|\0\x80\x80\x08\xff\0|
+rarity 8
+ports 1505
+match pc-duo m|^.........(.*)\0|s i/Servername: $1/ p/Vector PC-Duo/
+
+##############################NEXT PROBE##############################
+# PC-DUO Gateway probe
+Probe UDP pc-duo-gw q|\x20\x90\x80\x08\xff\0|
+rarity 8
+ports 2303
+match pc-duo-gw m|^.........(.*)\0|s i/Servername: $1/ p/Vector PC-Duo Gateway Server/

scripts/broadcast-pc-anywhere.nse

@@ -0,0 +1,65 @@
+description = [[
+Discovers PC-Anywhere hosts running on the LAN
+]]
+
+---
+-- @usage
+-- nmap --script broadcast-pc-anywhere
+--
+-- @output
+-- Pre-scan script results:
+-- | broadcast-pc-anywhere: 
+-- |_  10.0.200.113 - WIN2K3SRV-1
+--
+
+author = "Patrik Karlsson"
+license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
+categories = { "broadcast", "safe" }
+
+local TIMEOUT = tonumber(stdnse.get_script_args("broadcast-pc-anywhere.timeout"))
+
+prerule = function() return ( nmap.address_family() == "inet") end
+
+action = function()
+
+
+	local host = { ip = "255.255.255.255" }
+	local port = { number = 5632, protocol = "udp" }
+	
+	local socket = nmap.new_socket("udp")
+	socket:set_timeout(500)
+
+	for i=1,2 do
+		local status = socket:sendto(host, port, "NQ")
+		if ( not(status) ) then
+			return "\n  ERROR: Failed to send broadcast request"
+		end
+	end
+		
+	local timeout = TIMEOUT or ( 20 / ( nmap.timing_level() + 1 ) )
+	local responses = {}
+	local stime = os.time()
+	
+	repeat
+		local status, data = socket:receive()
+		if ( status ) then
+			local srvname = data:match("^NR([^_]*)_*AHM_3___\0$")
+			if ( srvname ) then
+				local status, _, _, rhost, _ = socket:get_info()
+				if ( not(status) ) then
+					socket:close()
+					return false, "Failed to get socket information"
+				end
+				-- avoid duplicates
+				responses[rhost] = srvname
+			end
+		end
+	until( os.time() - stime > timeout )
+	socket:close()
+	
+	local result = {}
+	for ip, name in pairs(responses) do
+		table.insert(result, ("%s - %s"):format(ip,name))
+	end
+	return stdnse.format_output(true, result)
+end

scripts/broadcast-pc-duo.nse

@@ -0,0 +1,122 @@
+description = [[
+Discovers PC-DUO remote control hosts and gateways running on the LAN
+]]
+
+---
+-- @usage
+-- nmap --script broadcast-pc-duo
+--
+-- @output
+-- Pre-scan script results:
+-- | broadcast-pc-duo: 
+-- |   PC-Duo Gateway Server
+-- |     10.0.200.113 - WIN2K3SRV-1
+-- |   PC-Duo Hosts
+-- |_    10.0.200.113 - WIN2K3SRV-1
+--
+
+author = "Patrik Karlsson"
+license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
+categories = { "broadcast", "safe" }
+
+local TIMEOUT = tonumber(stdnse.get_script_args("broadcast-pc-duo.timeout"))
+
+prerule = function() return ( nmap.address_family() == "inet") end
+
+-- Sends a UDP probe to the server and processes the response
+-- @param probe table contaning a pc-duo probe
+-- @param responses table containing the responses
+local function udpProbe(probe, responses)
+	
+	local condvar = nmap.condvar(responses)
+	local socket = nmap.new_socket("udp")
+	socket:set_timeout(500)
+
+	for i=1,2 do
+		local status = socket:sendto(probe.host, probe.port, probe.data)
+		if ( not(status) ) then
+			return "\n  ERROR: Failed to send broadcast request"
+		end
+	end
+		
+	local timeout = TIMEOUT or ( 20 / ( nmap.timing_level() + 1 ) )
+	local stime = os.time()
+	local hosts = {}
+	
+	repeat
+		local status, data = socket:receive()
+		if ( status ) then
+			local srvname = data:match(probe.match)
+			if ( srvname ) then
+				local status, _, _, rhost, _ = socket:get_info()
+				if ( not(status) ) then
+					socket:close()
+					return false, "Failed to get socket information"
+				end
+				-- avoid duplicates
+				hosts[rhost] = srvname
+			end
+		end
+	until( os.time() - stime > timeout )
+	socket:close()
+	
+	local result = {}
+	for ip, name in pairs(hosts) do
+		table.insert(result, ("%s - %s"):format(ip,name))
+	end
+	
+	if ( #result > 0 ) then
+		result.name = probe.topic
+		table.insert(responses, result)
+	end
+	
+	condvar "signal"
+end
+
+action = function()
+	
+	-- PC-Duo UDP probes
+	local probes = {
+		-- PC-Duo Host probe
+		{ 
+			host = { ip = "255.255.255.255" },
+			port = { number = 1505, protocol = "udp" },
+			data =  bin.pack("H", "00808008ff00"),
+			match= "^.........(%w*)\0",
+			topic= "PC-Duo Hosts"
+		},
+		-- PC-Duo Gateway Server probe
+		{ 
+			host = { ip = "255.255.255.255" },
+			port = { number = 2303, protocol = "udp" },
+			data =  bin.pack("H", "20908008ff00"),
+			match= "^.........(%w*)\0",
+			topic= "PC-Duo Gateway Server"
+		},		
+	}
+	
+	local threads, responses = {}, {}
+	local condvar = nmap.condvar(responses)
+	
+	-- start a thread for each probe
+	for _, p in ipairs(probes) do
+		local th = stdnse.new_thread( udpProbe, p, responses )
+		threads[th] = true
+	end
+
+	-- wait until the probes are all done
+	repeat
+		condvar "wait"
+		for thread in pairs(threads) do
+			if coroutine.status(thread) == "dead" then
+				threads[thread] = nil
+			end
+		end
+	until next(threads) == nil
+    
+	table.sort(responses, function(a,b) return a.name < b.name end)
+	-- did we get any responses
+	if ( #responses > 0 ) then
+		return stdnse.format_output(true, responses)
+	end
+end

scripts/script.db

@@ -24,6 +24,8 @@ Entry { filename = "broadcast-listener.nse", categories = { "broadcast", "safe",
 Entry { filename = "broadcast-ms-sql-discover.nse", categories = { "broadcast", "safe", } }
 Entry { filename = "broadcast-netbios-master-browser.nse", categories = { "broadcast", "safe", } }
 Entry { filename = "broadcast-novell-locate.nse", categories = { "broadcast", "safe", } }
+Entry { filename = "broadcast-pc-anywhere.nse", categories = { "broadcast", "safe", } }
+Entry { filename = "broadcast-pc-duo.nse", categories = { "broadcast", "safe", } }
 Entry { filename = "broadcast-ping.nse", categories = { "broadcast", "discovery", "safe", } }
 Entry { filename = "broadcast-rip-discover.nse", categories = { "broadcast", "safe", } }
 Entry { filename = "broadcast-sybase-asa-discover.nse", categories = { "broadcast", "safe", } }