From 5fdc8b5609a343828b928cc6c57928ca5f7213e9 Mon Sep 17 00:00:00 2001
From: dmiller
Date: Fri, 29 Jun 2012 19:18:14 +0000
Subject: [PATCH] Add mcafee-epo-agent.nse version script Script to get version and other information from a McAfee (formerly Network Associates) ePolicy Orchestrator Agent. http://seclists.org/nmap-dev/2012/q2/870
---
scripts/mcafee-epo-agent.nse | 77 ++++++++++++++++++++++++++++++++++++
1 file changed, 77 insertions(+)
create mode 100644 scripts/mcafee-epo-agent.nse
diff --git a/scripts/mcafee-epo-agent.nse b/scripts/mcafee-epo-agent.nse
new file mode 100644
index 000000000..583776e9f
--- /dev/null
+++ b/scripts/mcafee-epo-agent.nse
@@ -0,0 +1,77 @@
+-- mcafee-epo-agent.nse V0.0.2, checks if ePO agent is running
+-- Developed by Didier Stevens and Daniel Miller
+-- Use at your own risk
+--
+-- History:
+-- 2012/05/31: Start
+-- 2012/06/01: extracting data from XML; tested with ePO 4.5 and 4.6
+-- 2012/06/05: V0.0.2 convertion to version script by Daniel Miller
+-- 2012/06/20: new portrule by Daniel Miller
+
+description = [[
+Check if ePO agent is running on port 8081 or port identified as ePO Agent port
+]]
+
+---
+-- @output
+-- PORT STATE SERVICE VERSION
+-- 8081/tcp open http McAfee ePolicy Orchestrator Agent 4.5.0.1852 (ePOServerName: EPOSERVER, AgentGuid: D2E157F4-B917-4D31-BEF0-32074BADF081)
+-- Service Info: Host: TESTSERVER
+
+author = "Didier Stevens and Daniel Miller"
+
+license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
+
+categories = {"version", "safe"}
+
+local http = require "http"
+local nmap = require "nmap"
+
+portrule = function(host, port)
+ if port.version ~= nil and port.version.product ~= nil then
+ return (port.version.product:find("[eE][pP]olicy Orch")
+ or port.version.product:find("[eE]PO [aA]gent"))
+ else
+ return (port.number == 8081 and port.protocol == "tcp")
+ end
+end
+
+function string.StartsWith(stringToSearch, stringToFind)
+ return stringToFind == stringToSearch:sub(1, #stringToFind)
+end
+
+function ExtractXMLElement(xmlContent, elementName)
+ return xmlContent:match("<" .. elementName .. 
">([^<]*)")
+end
+
+action = function(host, port)
+ local options, data, epoServerName, agentGUID
+
+ -- Change User-Agent string to MSIE so that the ePO agent will reply with XML
+ options = {header={}}
+ options['header']['User-Agent'] = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; mcafee-epo-agent)"
+ data = http.get(host, port, '/', options)
+
+ if data.body then
+ stdnse.print_debug(2, "mcafee-epo-agent: data.body:sub = %s", data.body:sub(1, 80))
+
+ if data.body:StartsWith('') then
+ port.version.hostname = ExtractXMLElement(data.body, "ComputerName")
+ epoServerName = ExtractXMLElement(data.body, "ePOServerName") or ""
+ port.version.version = ExtractXMLElement(data.body, "version") or ""
+ agentGUID = ExtractXMLElement(data.body, "AgentGUID") or ""
+
+ port.version.name = 'http'
+ port.version.product = 'McAfee ePolicy Orchestrator Agent'
+ port.version.extrainfo = string.format('ePOServerName: %s, AgentGuid: %s', epoServerName, agentGUID)
+ nmap.set_port_version(host, port, 'hardmatched')
+ return nil
+ end
+ end
+
+ if nmap.verbosity() > 1 then
+ return "ePO Agent not found"
+ else
+ return nil
+ end
+end
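Review bot: `stdnse.print_debug` in `action` uses a name this file never brings into scope, since only `http` and `nmap` are required; unless the loader still exposes `stdnse` as a global, the script errors as soon as a response carries a body, so add `local stdnse = require "stdnse"` beside the other requires. Separately, every value written into `port.version` is taken from the remote response and then committed with `'hardmatched'`, and `ExtractXMLElement` accepts any run of non-`<` bytes, so whatever answers on 8081 controls that text (control characters and newlines included) in the scan output. Assuming the GUID always has the shape shown in the `@output` sample, a guard such as `if not agentGUID:match("^[%x%-]+$") then return nil end` before `nmap.set_port_version` would keep a non-agent service from being hardmatched. As rendered on this page the literal in `StartsWith('')` is empty, which would make the prefix test true for every body; if that is not an extraction artefact, it needs the real XML prologue.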