diff --git a/CHANGELOG b/CHANGELOG
index c0e108854..45e12710c 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,5 +1,13 @@
 # Nmap Changelog ($Id$); -*-text-*-
+o [NSE] Added the script broadcast-pc-anywhere that discovers host running the
+ PC-Anywhere remote control software on the LAN. [Patrik]
+
+o [NSE] Added the script broadcast-pc-duo that discovers hosts running the
+ PC-Duo remote control software on the LAN. [Patrik]
+
+o Added probes for discovering PC-Duo and PC-Anywhere hosts. [Patrik]
+
 o [NSE] Added support for forcing scripts to run agains certain ports by adding a plus in front of the script name. [Martin Swende]
diff --git a/nmap-service-probes b/nmap-service-probes
index f489c91b2..087b25943 100644
--- a/nmap-service-probes
+++ b/nmap-service-probes
@@ -9361,6 +9361,8 @@ match tibia m|^V\0\x02\0Your terminal version is too old\.\nPlease get a new ver
 match xplorer m|Access violation at address \w+ in module 'Xplorer\.exe'\. Read of address| p/SoftOne Business Xplorer/ o/Windows/ cpe:/o:microsoft:windows/a
+match pc-anywhere m|\x1bY2\0\x01\x03B\0\0\x01\0\x14....................\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0| p/Symantec PC-Anywhere/
+
 ##############################NEXT PROBE##############################
 Probe TCP DistCCD q|DIST00000001ARGC00000005ARGV00000002ccARGV00000002-cARGV00000006nmap.cARGV00000002-oARGV00000006nmap.oDOTI00000000|
 rarity 8
@@ -10124,4 +10126,25 @@ match sybaseanywhere m|^\x1b\0\0.\0\0\0\0\x12CONNECTIONLESS_TDS\0\0\0\x01\x01\0\
 Probe UDP vuze-dht q|\xff\xf0\x97\x0d\x2e\x60\xd1\x6f\0\0\x04\0\0\x55\xab\xec\x32\0\0\0\0\0\x32\x04\x0a\0\xc8\x75\xf8\x16\0\x5c\xb9\x65\0\0\0\0\x4e\xd1\xf5\x28|
 rarity 8
 ports 17555,49152-49156
-match vuze-dht m|^\0\0\x04\x01\0U\xab\xec\xff\xf0\x97\r\.`\xd1o..........|s p/Vuze/
\ No newline at end of file
+match vuze-dht m|^\0\0\x04\x01\0U\xab\xec\xff\xf0\x97\r\.`\xd1o..........|s p/Vuze/
+
+##############################NEXT PROBE##############################
+# PC-Anywhere probe
+Probe UDP pc-anywhere q|NQ|
+rarity 8
+ports 5632
+match pc-anywhere m|^NR([^_]*)_*AHM_3___\0$|s i/Servername: $1/ p/Symantec PC-Anywhere/
+
+##############################NEXT PROBE##############################
+# PC-DUO host probe
+Probe UDP pc-duo q|\0\x80\x80\x08\xff\0|
+rarity 8
+ports 1505
+match pc-duo m|^.........(.*)\0|s i/Servername: $1/ p/Vector PC-Duo/
+
+##############################NEXT PROBE##############################
+# PC-DUO Gateway probe
+Probe UDP pc-duo-gw q|\x20\x90\x80\x08\xff\0|
+rarity 8
+ports 2303
+match pc-duo-gw m|^.........(.*)\0|s i/Servername: $1/ p/Vector PC-Duo Gateway Server/
diff --git a/scripts/broadcast-pc-anywhere.nse b/scripts/broadcast-pc-anywhere.nse
new file mode 100644
index 000000000..673e80644
--- /dev/null
+++ b/scripts/broadcast-pc-anywhere.nse
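Review bot: The new `match pc-duo` and `match pc-duo-gw` lines are loose enough to fire on almost any datagram that comes back to the probe: `^.........(.*)\0` with the `s` flag accepts any reply of ten or more bytes that contains a NUL somewhere, and the greedy `(.*)` copies every byte up to the last NUL — printable or not — into the `i/Servername: $1/` field that ends up in -sV output. The sibling script broadcast-pc-duo.nse restricts the same capture to `%w*`, so the probe file and the script currently disagree on what a valid name looks like. I'd bound the capture to printable bytes on both lines, e.g. `match pc-duo m|^.........([\x20-\x7e]+)\0|s i/Servername: $1/ p/Vector PC-Duo/`, and if the nine leading bytes of a genuine reply have fixed values (the probe bytes hint at a fixed header, but I cannot confirm that from here) pinning them would cut false positives further. `match pc-anywhere` has the same exposure through `[^_]*`, which also admits control characters.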
@@ -0,0 +1,65 @@
+description = [[
+Discovers PC-Anywhere hosts running on the LAN
+]]
+
+---
+-- @usage
+-- nmap --script broadcast-pc-anywhere
+--
+-- @output
+-- Pre-scan script results:
+-- | broadcast-pc-anywhere:
+-- |_ 10.0.200.113 - WIN2K3SRV-1
+--
+
+author = "Patrik Karlsson"
+license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
+categories = { "broadcast", "safe" }
+
+local TIMEOUT = tonumber(stdnse.get_script_args("broadcast-pc-anywhere.timeout"))
+
+prerule = function() return ( nmap.address_family() == "inet") end
+
+action = function()
+
+
+ local host = { ip = "255.255.255.255" }
+ local port = { number = 5632, protocol = "udp" }
+
+ local socket = nmap.new_socket("udp")
+ socket:set_timeout(500)
+
+ for i=1,2 do
+ local status = socket:sendto(host, port, "NQ")
+ if ( not(status) ) then
+ return "\n ERROR: Failed to send broadcast request"
+ end
+ end
+
+ local timeout = TIMEOUT or ( 20 / ( nmap.timing_level() + 1 ) )
+ local responses = {}
+ local stime = os.time()
+
+ repeat
+ local status, data = socket:receive()
+ if ( status ) then
+ local srvname = data:match("^NR([^_]*)_*AHM_3___\0$")
+ if ( srvname ) then
+ local status, _, _, rhost, _ = socket:get_info()
+ if ( not(status) ) then
+ socket:close()
+ return false, "Failed to get socket information"
+ end
+ -- avoid duplicates
+ responses[rhost] = srvname
+ end
+ end
+ until( os.time() - stime > timeout )
+ socket:close()
+
+ local result = {}
+ for ip, name in pairs(responses) do
+ table.insert(result, ("%s - %s"):format(ip,name))
+ end
+ return stdnse.format_output(true, result)
+end
\ No newline at end of file
diff --git a/scripts/broadcast-pc-duo.nse b/scripts/broadcast-pc-duo.nse
new file mode 100644
index 000000000..60b12e225
--- /dev/null
+++ b/scripts/broadcast-pc-duo.nse
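Review bot: In `action`, the name captured by `data:match("^NR([^_]*)_*AHM_3___\0$")` comes from an unauthenticated broadcast reply, and `[^_]*` admits any byte except underscore, so control characters or newlines in a spoofed reply are copied verbatim into the script output by `("%s - %s"):format(ip,name)`; conversely, if the name field is underscore-padded as the trailing `_*` suggests, a hostname that itself contains an underscore can never match and that host is silently skipped. A lazy, printable-only capture addresses both: `local srvname = data:match("^NR([%w%p ]-)_*AHM_3___\0$")`. Separately, the `get_info` failure path returns `false, "Failed to get socket information"`, which NSE treats as no output, while the `sendto` failure a few lines earlier returns an error string — the two paths should report the same way. Note also that `os.time()` has one-second resolution, so the `until` check can overshoot the configured timeout by up to a second.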
@@ -0,0 +1,122 @@
+description = [[
+Discovers PC-DUO remote control hosts and gateways running on the LAN
+]]
+
+---
+-- @usage
+-- nmap --script broadcast-pc-duo
+--
+-- @output
+-- Pre-scan script results:
+-- | broadcast-pc-duo:
+-- | PC-Duo Gateway Server
+-- | 10.0.200.113 - WIN2K3SRV-1
+-- | PC-Duo Hosts
+-- |_ 10.0.200.113 - WIN2K3SRV-1
+--
+
+author = "Patrik Karlsson"
+license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
+categories = { "broadcast", "safe" }
+
+local TIMEOUT = tonumber(stdnse.get_script_args("broadcast-pc-duo.timeout"))
+
+prerule = function() return ( nmap.address_family() == "inet") end
+
+-- Sends a UDP probe to the server and processes the response
+-- @param probe table contaning a pc-duo probe
+-- @param responses table containing the responses
+local function udpProbe(probe, responses)
+
+ local condvar = nmap.condvar(responses)
+ local socket = nmap.new_socket("udp")
+ socket:set_timeout(500)
+
+ for i=1,2 do
+ local status = socket:sendto(probe.host, probe.port, probe.data)
+ if ( not(status) ) then
+ return "\n ERROR: Failed to send broadcast request"
+ end
+ end
+
+ local timeout = TIMEOUT or ( 20 / ( nmap.timing_level() + 1 ) )
+ local stime = os.time()
+ local hosts = {}
+
+ repeat
+ local status, data = socket:receive()
+ if ( status ) then
+ local srvname = data:match(probe.match)
+ if ( srvname ) then
+ local status, _, _, rhost, _ = socket:get_info()
+ if ( not(status) ) then
+ socket:close()
+ return false, "Failed to get socket information"
+ end
+ -- avoid duplicates
+ hosts[rhost] = srvname
+ end
+ end
+ until( os.time() - stime > timeout )
+ socket:close()
+
+ local result = {}
+ for ip, name in pairs(hosts) do
+ table.insert(result, ("%s - %s"):format(ip,name))
+ end
+
+ if ( #result > 0 ) then
+ result.name = probe.topic
+ table.insert(responses, result)
+ end
+
+ condvar "signal"
+end
+
+action = function()
+
+ -- PC-Duo UDP probes
+ local probes = {
+ -- PC-Duo Host probe
+ {
+ host = { ip = "255.255.255.255" },
+ port = { number = 1505, protocol = "udp" },
+ data = bin.pack("H", "00808008ff00"),
+ match= "^.........(%w*)\0",
+ topic= "PC-Duo Hosts"
+ },
+ -- PC-Duo Gateway Server probe
+ {
+ host = { ip = "255.255.255.255" },
+ port = { number = 2303, protocol = "udp" },
+ data = bin.pack("H", "20908008ff00"),
+ match= "^.........(%w*)\0",
+ topic= "PC-Duo Gateway Server"
+ },
+ }
+
+ local threads, responses = {}, {}
+ local condvar = nmap.condvar(responses)
+
+ -- start a thread for each probe
+ for _, p in ipairs(probes) do
+ local th = stdnse.new_thread( udpProbe, p, responses )
+ threads[th] = true
+ end
+
+ -- wait until the probes are all done
+ repeat
+ condvar "wait"
+ for thread in pairs(threads) do
+ if coroutine.status(thread) == "dead" then
+ threads[thread] = nil
+ end
+ end
+ until next(threads) == nil
+
+ table.sort(responses, function(a,b) return a.name < b.name end)
+ -- did we get any responses
+ if ( #responses > 0 ) then
+ return stdnse.format_output(true, responses)
+ end
+end
\ No newline at end of file
diff --git a/scripts/script.db b/scripts/script.db
index 3e9d67c1d..13b3b6446 100644
--- a/scripts/script.db
+++ b/scripts/script.db
@@ -24,6 +24,8 @@ Entry { filename = "broadcast-listener.nse", categories = { "broadcast", "safe",
 Entry { filename = "broadcast-ms-sql-discover.nse", categories = { "broadcast", "safe", } }
 Entry { filename = "broadcast-netbios-master-browser.nse", categories = { "broadcast", "safe", } }
 Entry { filename = "broadcast-novell-locate.nse", categories = { "broadcast", "safe", } }
+Entry { filename = "broadcast-pc-anywhere.nse", categories = { "broadcast", "safe", } }
+Entry { filename = "broadcast-pc-duo.nse", categories = { "broadcast", "safe", } }
 Entry { filename = "broadcast-ping.nse", categories = { "broadcast", "discovery", "safe", } }
 Entry { filename = "broadcast-rip-discover.nse", categories = { "broadcast", "safe", } }
 Entry { filename = "broadcast-sybase-asa-discover.nse", categories = { "broadcast", "safe", } }