o [NSE] Merged the ms-sql branch with several improvements and changes to the

ms-sql scripts and library:
  - Improved version detection
  - Improved server discovery
  - Add support for named pipes
  - Add support for integrated authentication
  - Add support for connecting to instances by name or port
  - Improved script and library stability
  - Improved script and library documentation
 [Patrik Karlsson, Chris Woodbury]

scripts/broadcast-ms-sql-discover.nse

@@ -1,55 +1,111 @@
+-- -*- mode: lua -*-
+-- vim: set filetype=lua :
+
 description = [[
 Discovers Microsoft SQL servers in the same broadcast domain.
+
+SQL Server credentials required: No (will not benefit from 
+<code>mssql.username</code> & <code>mssql.password</code>).
+
+The script attempts to discover SQL Server instances in the same broadcast
+domain. Any instances found are stored in the Nmap registry for use by any
+other ms-sql-* scripts that are run in the same scan.
+
+In contrast to the <code>ms-sql-discover</code> script, the broadcast version
+will use a broadcast method rather than targeting individual hosts. However, the
+broadcast version will only use the SQL Server Browser service discovery method.
 ]]
 
+---
+-- @usage 
+-- nmap --script broadcast-ms-sql-discover
+-- nmap --script broadcast-ms-sql-discover,ms-sql-info --script-args=newtargets
 --
--- Version 0.1
+-- @output
+-- | broadcast-ms-sql-discover:
+-- |   192.168.100.128 (WINXP)
+-- |     [192.168.100.128\MSSQLSERVER]
+-- |       Name: MSSQLSERVER
+-- |       Product: Microsoft SQL Server 2000
+-- |       TCP port: 1433
+-- |       Named pipe: \\192.168.100.128\pipe\sql\query
+-- |     [192.168.100.128\SQL2K5]
+-- |       Name: SQL2K5
+-- |       Product: Microsoft SQL Server 2005
+-- |       Named pipe: \\192.168.100.128\pipe\MSSQL$SQL2K5\sql\query
+-- |   192.168.100.150 (SQLSRV)
+-- |     [192.168.100.150\PROD]
+-- |       Name: PROD
+-- |       Product: Microsoft SQL Server 2008
+-- |_      Named pipe: \\192.168.100.128\pipe\sql\query
+--
+
 -- Created 07/12/2010 - v0.1 - created by Patrik Karlsson <patrik@cqure.net>
+-- Revised 02/01/2011 - v0.2 - Added compatibility with changes in mssql.lua (Chris Woodbury)
 
 author = "Patrik Karlsson"
 license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
-categories = {"broadcast"}
+categories = {"broadcast", "safe", "discovery"}
 
 require 'mssql'
 require 'target'
+require 'stdnse'
 
 prerule = function() return true end
 
-action = function()
 
-	local OUTPUT_TBL = {
-		["Server name"] = "info.servername",
-		["Version"] = "version.version",
-		["Clustered"] = "info.clustered",
-		["Named pipe"] = "info.pipe",
-		["Tcp port"] = "info.port"
-	}
+--- Adds a label and value to an output table. If the value is a boolean, it is
+--  converted to Yes/No; if the value is nil, nothing is added to the table. 
+local function add_to_output_table( outputTable, outputLabel, outputData )
+
+	if outputData ~= nil then
+		if outputData == true then
+			outputData = "Yes"
+		elseif outputData == false then
+			outputData = "No"
+		end
+		
+		table.insert(outputTable, string.format( "%s: %s", outputLabel, outputData ) )
+	end
+
+end
+
+--- Returns formatted output for the given instance
+local function create_instance_output_table( instance )
+
+	local instanceOutput = {}
+
+	instanceOutput["name"] = string.format( "[%s]", instance:GetName() )
+	add_to_output_table( instanceOutput, "Name", instance.instanceName )
+	if instance.version then add_to_output_table( instanceOutput, "Product", instance.version.productName ) end
+	if instance.port then add_to_output_table( instanceOutput, "TCP port", instance.port.number ) end
+	add_to_output_table( instanceOutput, "Named pipe", instance.pipeName )
+
+	return instanceOutput
+
+end
+
+action = function()
 	
-	local status, result = mssql.Helper.Discover("255.255.255.255", 1434, true)
+	local host = { ip = "255.255.255.255" }
+	local port = { number = 1434, protocol = "udp" }
+	
+	local status, result = mssql.Helper.DiscoverBySsrp(host, port, true)
 	if ( not(status) ) then return end
 
-	local results = {}
-	for ip, instances in pairs(result) do
-		local result_part = {}
-		if target.ALLOW_NEW_TARGETS then target.add(ip)	end
-		for name, info in pairs(instances) do
-			local instance = {}
-			local version
-			status, version = mssql.Util.DecodeBrowserInfoVersion(info)
-			
-			for topic, varname in pairs(OUTPUT_TBL) do
-				local func = loadstring( "return " .. varname )
-				setfenv(func, setmetatable({ info=info; version=version; }, {__index = _G}))
-				local result = func()
-				if ( result ) then
-					table.insert( instance, ("%s: %s"):format(topic, result) )
-				end
-			end
-			instance.name = version.product
-			table.insert( result_part, { name = "Instance: " .. info.name, instance } )
+	local scriptOutput = {}
+	for ip, instanceList in pairs(result) do
+		local serverOutput, serverName = {}, nil
+		target.add( ip )
+		for _, instance in ipairs( instanceList ) do
+			serverName = serverName or instance.serverName
+			local instanceOutput = create_instance_output_table( instance )
+			table.insert(serverOutput, instanceOutput)
 		end
-		result_part.name = ip
-		table.insert( results, result_part )
+		serverOutput.name = string.format( "%s (%s)", ip, serverName )
+		table.insert( scriptOutput, serverOutput )
 	end
-	return stdnse.format_output( true, results )
+	
+	return stdnse.format_output( true, scriptOutput )
+	
 end