diff --git a/CHANGELOG b/CHANGELOG
index 08ab082b9..29bddba68 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,5 +1,9 @@
# Nmap Changelog ($Id$); -*-text-*-
+o [NSE] Added script broadcast-listener that attempts to discover hosts by
+ passively listening to the network. It does so by decoding ethernet and IP
+ broadcast and multicast messages. [Patrik]
+
o Fixed a bug that would make Nmap segfault if it failed to open an interface
using pcap. The bug details and patch are posted here:
http://seclists.org/nmap-dev/2011/q3/365 [Patrik]
diff --git a/nselib/data/packetdecoders.lua b/nselib/data/packetdecoders.lua
new file mode 100644
index 000000000..98530769e
--- /dev/null
+++ b/nselib/data/packetdecoders.lua
@@ -0,0 +1,507 @@
+--- The following file contains a list of decoders used by the
+-- broadcast-listener script. A decoder can be either "ethernet" based or IP
+-- based. As we're only monitoring broadcast traffic (ie. traffic not
+-- explicitly addressed to us) we're mainly dealing with:
+-- o UDP broadcast or multicast traffic
+-- o ethernet broadcast traffic
+--
+-- Hence, the Decoder table defines two sub tables ether and udp.
+-- In order to match an incoming UDP packet the destination port number is
+-- used, therefore each function is indexed based on their destination port
+-- for the udp based decoders. For the ether table each decoder function is
+-- indexed according to a pattern that the decoding engine attempts to match.
+--
+-- Each decoder defines three functions:
+-- o new - creates a new instance of the decoder
+-- o process - process a packet passed through the
+-- data argument.
+-- o getResults - retrieve any discovered results
+--
+-- The discovery engine creates an instance of each decoder once it's needed.
+-- Then discovery engine stores this instance in a decoder table for reference
+-- once the next packet of the same type comes in. This allows the engine to
+-- discard duplicate packets and to request the collected results at the end
+-- of the session.
+--
+-- Currently, the packet decoder decodes the following protocols:
+-- o Ether
+-- x ARP requests (IPv4)
+-- x CDP - Cisco Discovery Protocol
+--
+-- o UDP
+-- x DHCP
+-- x Netbios
+-- x SSDP
+-- x HSRP
+-- x DropBox
+-- x Logitech SqueezeBox Discovery
+-- x Multicast DNS/Bonjour/ZeroConf
+-- x Spotify
+--
+--
+-- @author "Patrik Karlsson "
+-- @copyright Same as Nmap--See http://nmap.org/book/man-legal.html
+
+-- Version 0.1
+-- Created 07/25/2011 - v0.1 - created by Patrik Karlsson
+
+require 'target'
+
+Decoders = {
+
+ ether = {
+
+ -- ARP IPv4
+ ['^00..08000604'] = {
+
+ new = function(self)
+ local o = { dups = {} }
+ setmetatable(o, self)
+ self.__index = self
+ return o
+ end,
+
+ process = function(self, data)
+ local ipOps = require("ipOps")
+ local pos, hw, proto, hwsize, protosize, opcode = bin.unpack(">SSCCS", data)
+
+ -- this shouldn't ever happen, given our filter
+ if ( hwsize ~= 6 ) then return end
+ local sender, target = {}, {}
+
+ -- if this isn't an ARP request, abort
+ if ( opcode ~= 1 ) then return end
+
+ pos, sender.mac,
+ sender.ip,
+ target.mac,
+ target.ip = bin.unpack("CCS", data, 9)
+ if ( ver ~= 2 ) then return end
+ if ( not(self.results) ) then
+ self.results = tab.new(4)
+ tab.addrow( self.results, 'ip', 'id', 'platform', 'version' )
+ end
+
+ local result_part = {}
+ while ( pos < #data ) do
+ local typ, len, typdata
+ pos, typ, len = bin.unpack(">SS", data, pos)
+ pos, typdata = bin.unpack("A" .. len - 4, data, pos)
+
+ -- Device ID
+ if ( typ == 1 ) then
+ result_part.id = typdata
+ -- Version
+ elseif ( typ == 5 ) then
+ result_part.version = typdata:match(", Version (.-),")
+ -- Platform
+ elseif ( typ == 6 ) then
+ result_part.platform = typdata
+ -- Address
+ elseif ( typ == 2 ) then
+ -- TODO: add more decoding here ...
+ local pos, count = bin.unpack(">I", typdata)
+ -- for i=1, count do
+ --
+ -- end
+
+ result_part.ip = '?'
+ end
+ end
+
+ -- TODO: add code for dups check
+ if ( not(self.dups[result_part.ip]) ) then
+ self.dups[result_part.ip] = true
+ tab.addrow( self.results, result_part.ip, result_part.id, result_part.platform, result_part.version )
+ end
+ end,
+
+ getResults = function(self) return { name = "CDP", (self.results and tab.dump(self.results) or "") } end,
+ }
+
+ },
+
+ udp = {
+
+ -- DHCP
+ [68] = {
+ new = function(self)
+ local o = { dups = {} }
+ setmetatable(o, self)
+ self.__index = self
+ return o
+ end,
+
+ getOption = function(options, name)
+ for _, v in ipairs(options) do
+ if ( v.name == name ) then
+ if ( type(v.value) == "table" ) then
+ return stdnse.strjoin(", ", v.value)
+ else
+ return v.value
+ end
+ end
+ end
+ end,
+
+ process = function(self, layer3)
+ local dhcp = require("dhcp")
+ local p = packet.Packet:new( layer3, #layer3 )
+ local data = layer3:sub(p.udp_offset + 9)
+
+ -- the dhcp.parse function isn't optimal for doing
+ -- this, but it will do for now. First, we need to
+ -- extract the xid as the parse function checks that it
+ -- was the same as in the request, which we didn't do.
+ local pos, msgtype, _, _, _, xid = bin.unpack(" 0 ) then
+ name = dresp.questions[1].dname
+ elseif ( dresp.answers and #dresp.answers > 0 ) then
+ name = dresp.answers[1].dname
+ end
+
+ if ( not(name) ) then return end
+
+ if ( not(self.results) ) then
+ self.results = tab.new(2)
+ tab.addrow( self.results, 'ip', 'query' )
+ end
+
+ -- check for duplicates
+ if ( not(self.dups[("%s:%s"):format(p.ip_src, name)]) ) then
+ tab.addrow( self.results, p.ip_src, name )
+ self.dups[("%s:%s"):format(p.ip_src, name)] = true
+ if ( target.ALLOW_NEW_TARGETS ) then target.add(p.ip_src) end
+ end
+ end,
+
+ getResults = function(self) return { name = "MDNS", (self.results and tab.dump(self.results) or "") } end,
+ },
+
+ --- Spotify
+ [57621] = {
+
+ new = function(self)
+ local o = { dups = {} }
+ setmetatable(o, self)
+ self.__index = self
+ return o
+ end,
+
+ process = function(self, layer3)
+ local p = packet.Packet:new( layer3, #layer3 )
+ local data = layer3:sub(p.udp_offset + 9)
+
+ if ( data:match("^SpotUdp") ) then
+ if ( not(self.results) ) then
+ self.results = tab.new(1)
+ tab.addrow( self.results, 'ip' )
+ end
+
+ if ( not(self.dups[p.ip_src]) ) then
+ tab.addrow( self.results, p.ip_src )
+ self.dups[p.ip_src] = true
+ if ( target.ALLOW_NEW_TARGETS ) then target.add(p.ip_src) end
+ end
+ end
+
+ end,
+
+ getResults = function(self) return { name = "Spotify", (self.results and tab.dump(self.results) or "") } end,
+
+ }
+
+ }
+}
\ No newline at end of file
diff --git a/scripts/broadcast-listener.nse b/scripts/broadcast-listener.nse
new file mode 100644
index 000000000..21f41d9c1
--- /dev/null
+++ b/scripts/broadcast-listener.nse
@@ -0,0 +1,278 @@
+description = [[
+The script sniffs the network for incoming broadcast communication and
+attempts to decode the received packets. It supports protocols like CDP, HSRP,
+Spotify, DropBox, DHCP, ARP and a few more. See packetdecoders.lua for more
+information.
+
+The script attempts to sniff all ethernet based interfaces with an IPv4 address
+unless a specific interface was given using the -e argument to Nmap.
+]]
+
+---
+-- @usage
+-- nmap --script broadcast-listener
+-- nmap --script broadcast-listener -e eth0
+--
+-- @output
+-- | broadcast-listener:
+-- | udp
+-- | Netbios
+-- | ip query
+-- | 192.168.0.60 \x01\x02__MSBROWSE__\x02\x01
+-- | DHCP
+-- | srv ip cli ip mask gw dns
+-- | 192.168.0.1 192.168.0.5 255.255.255.0 192.168.0.1 192.168.0.18, 192.168.0.19
+-- | DropBox
+-- | displayname ip port version host_int namespaces
+-- | 39000860 192.168.0.107 17500 1.8 39000860 28814673, 29981099
+-- | HSRP
+-- | ip version op state prio group secret virtual ip
+-- | 192.168.0.254 0 Hello Active 110 1 cisco 192.168.0.253
+-- | ether
+-- | CDP
+-- | ip id platform version
+-- | ? Router cisco 7206VXR 12.3(23)
+-- | ARP Request
+-- | sender ip sender mac target ip
+-- | 192.168.0.101 00:04:30:26:DA:C8 192.168.0.60
+-- |_ 192.168.0.1 90:24:1D:C8:B9:AE 192.168.0.60
+--
+-- @args broadcast-listener.timeout specifies the amount of seconds to sniff
+-- the network interface. (default 30s)
+--
+-- The script attempts to discover all available ipv4 network interfaces,
+-- unless the Nmap -e argument has been supplied, and then starts sniffing
+-- packets on all of the discovered interfaces. It sets a BPF filter to exclude
+-- all packets that have the interface address as source or destination in
+-- order to capture broadcast traffic.
+--
+-- Incoming packets can either be either layer 3 (usually UDP) or layer 2.
+-- Depending on the layer the packet is matched against a packet decoder loaded
+-- from the external nselib/data/packetdecoder.lua file. A more detailed
+-- description on how the decoders work can be found in that file.
+-- In short, there are two different types of decoders: udp and ether.
+-- The udp decoders get triggered by the destination port number, while the
+-- ether decoders are triggered by a pattern match. The port or pattern is used
+-- as an index in a table containing functions to process packets and fetch
+-- the decoded results.
+--
+
+
+--
+-- Version 0.1
+-- Created 07/02/2011 - v0.1 - created by Patrik Karlsson
+-- Revised 07/25/2011 - v0.2 -
+-- * added more documentation
+-- * added getInterfaces code to detect available
+-- interfaces.
+-- * corrected bug that would fail to load
+-- decoders if not in a relative directory.
+
+
+
+author = "Patrik Karlsson"
+license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
+categories = {"safe"}
+
+prerule = function() return true end
+
+require('packet')
+require('tab')
+
+---
+-- loads the decoders from file
+--
+-- @param fname string containing the name of the file
+-- @return status true on success false on failure
+-- @return decoders table of decoder functions on success
+-- @return err string containing the error message on failure
+loadDecoders = function(fname)
+ -- resolve the full, absolute, path
+ local abs_fname = nmap.fetchfile(fname)
+
+ if ( not(abs_fname) ) then
+ return false, ("ERROR: Failed to load decoder definition (%s)"):format(fname)
+ end
+
+ local file = loadfile(abs_fname)
+ if(not(file)) then
+ stdnse.print_debug("%s: Couldn't load decoder file: %s", SCRIPT_NAME, fname)
+ return false, "ERROR: Couldn't load decoder file: " .. fname
+ end
+
+ setfenv(file, setmetatable({Decoders = {}; }, {__index = _G}))
+ file()
+
+ local d = getfenv(file)["Decoders"]
+
+ if ( d ) then return true, d end
+ return false, "ERROR: Failed to load decoders"
+end
+
+---
+-- Starts sniffing the selected interface for packets with a destination that
+-- is not explicitly ours (broadcast, multicast etc.)
+--
+-- @param iface table containing name and address
+-- @param Decoders the decoders class loaded externally
+-- @param decodertab the "result" table to which all discovered items are
+-- reported
+sniffInterface = function(iface, Decoders, decodertab)
+ local condvar = nmap.condvar(decodertab)
+ local sock = nmap.new_socket()
+ local timeout = tonumber(stdnse.get_script_args("broadcast-listener.timeout"))
+
+ -- default to 30 seconds, if nothing else was set
+ timeout = timeout and (timeout * 1000) or (30 * 1000)
+
+ -- We wan't all packets that aren't explicitly for us
+ sock:pcap_open(iface.name, 1500, false, ("!host %s"):format(iface.address))
+
+ -- Set a short timeout so that we can timeout in time if needed
+ sock:set_timeout(100)
+
+ local start_time = nmap.clock_ms()
+ while( nmap.clock_ms() - start_time < timeout ) do
+ local status, _, _, data = sock:pcap_receive()
+
+ if ( status ) then
+ local p = packet.Packet:new( data, #data )
+
+ -- if we have an UDP-based broadcast, we should have a proper packet
+ if ( p and p.udp_dport and ( decodertab.udp[p.udp_dport] or Decoders.udp[p.udp_dport] ) ) then
+ if ( not(decodertab.udp[p.udp_dport]) ) then
+ decodertab.udp[p.udp_dport] = Decoders.udp[p.udp_dport]:new()
+ end
+ decodertab.udp[p.udp_dport]:process(data)
+ -- The packet was decoded successfully but we don't have a valid decoder
+ -- Report this
+ elseif ( p and p.udp_dport ) then
+ stdnse.print_debug(2, "No decoder for dst port %d", p.udp_dport)
+ -- we don't have a packet, so this is most likely something layer2 based
+ -- in that case, check the ether Decoder table for pattern matches
+ else
+ -- attempt to find a match for a pattern
+ local pos, hex = bin.unpack("H" .. #data, data)
+ local decoded = false
+ for match, _ in pairs(Decoders.ether) do
+ -- attempts to match the "raw" packet against a filter
+ -- supplied in each ethernet packet decoder
+ if ( hex:match(match) ) then
+ if ( not(decodertab.ether[match]) ) then
+ decodertab.ether[match] = Decoders.ether[match]:new()
+ end
+ -- start a new decoding thread. This way, if something gets foobared
+ -- the whole script doesn't break, only the packet decoding for that
+ -- specific packet.
+ stdnse.new_thread( decodertab.ether[match].process, decodertab.ether[match], data )
+ decoded = true
+ end
+ end
+ -- no decoder was found for this layer2 packet
+ if ( not(decoded) and #data > 10 ) then
+ stdnse.print_debug(2, "No decoder for packet hex: %s", select(2, bin.unpack("H10", data) ) )
+ end
+ end
+ end
+ end
+ condvar "signal"
+end
+
+---
+-- Gets a list of available interfaces based on link and up filters
+-- Interfaces are only added if they've got an ipv4 address
+--
+-- @param link string containing the link type to filter
+-- @param up string containing the interface status to filter
+-- @return result table containing tables of interfaces
+-- each interface table has the following fields:
+-- name containing the device name
+-- address containing the device address
+getInterfaces = function(link, up)
+ if( not(nmap.list_interfaces) ) then return end
+ local interfaces, err = nmap.list_interfaces()
+ local result
+ if ( not(err) ) then
+ for _, iface in ipairs(interfaces) do
+ if ( iface.link == link and
+ iface.up == up and
+ iface.address ) then
+
+ -- exclude ipv6 addresses for now
+ if ( not(iface.address:match(":")) ) then
+ result = result or {}
+ table.insert(result, { name = iface.device,
+ address = iface.address } )
+ end
+ end
+ end
+ end
+ return result
+end
+
+action = function()
+
+ local DECODERFILE = "nselib/data/packetdecoders.lua"
+ local iface = nmap.get_interface()
+ local interfaces = {}
+
+ -- was an interface supplied using the -e argument?
+ if ( iface ) then
+ local iinfo, err = nmap.get_interface_info(iface)
+
+ if ( not(iinfo.address) ) then
+ return "\n ERROR: The IP address of the interface could not be determined ..."
+ end
+
+ interfaces = { { name = iface, address = iinfo.address } }
+ else
+ -- no interface was supplied, attempt autodiscovery
+ interfaces = getInterfaces("ethernet", "up")
+ end
+
+ -- make sure we have at least one interface to start sniffing
+ if ( #interfaces == 0 ) then
+ return "\n ERROR: Could not determine any valid interfaces"
+ end
+
+ -- load the decoders from file
+ local status, Decoders = loadDecoders(DECODERFILE)
+ if ( not(status) ) then return "\n " .. Decoders end
+
+ -- create a local table to handle instantiated decoders
+ local decodertab = { udp = {}, ether = {} }
+ local condvar = nmap.condvar(decodertab)
+ local threads = {}
+
+ -- start a thread for each interface to sniff
+ for _, iface in ipairs(interfaces) do
+ local co = stdnse.new_thread(sniffInterface, iface, Decoders, decodertab)
+ threads[co] = true
+ end
+
+ -- wait for all threads to finish sniffing
+ repeat
+ condvar "wait"
+ for thread in pairs(threads) do
+ if coroutine.status(thread) == "dead" then
+ threads[thread] = nil
+ end
+ end
+ until next(threads) == nil
+
+ local out_outer = {}
+
+ -- create the results table
+ for proto, _ in pairs(decodertab) do
+ local out_inner = {}
+ for key, decoder in pairs(decodertab[proto]) do
+ table.insert( out_inner, decodertab[proto][key]:getResults() )
+ end
+ if ( #out_inner > 0 ) then
+ table.insert( out_outer, { name = proto, out_inner } )
+ end
+ end
+
+ return stdnse.format_output(true, out_outer)
+
+end
diff --git a/scripts/script.db b/scripts/script.db
index c1c4cffbf..96ae97426 100644
--- a/scripts/script.db
+++ b/scripts/script.db
@@ -9,11 +9,13 @@ Entry { filename = "auth-spoof.nse", categories = { "malware", "safe", } }
Entry { filename = "backorifice-brute.nse", categories = { "auth", "intrusive", } }
Entry { filename = "backorifice-info.nse", categories = { "default", "discovery", "safe", } }
Entry { filename = "banner.nse", categories = { "discovery", "safe", } }
+Entry { filename = "bittorrent-discovery.nse", categories = { "discovery", "safe", } }
Entry { filename = "broadcast-avahi-dos.nse", categories = { "broadcast", "dos", "intrusive", "vuln", } }
Entry { filename = "broadcast-db2-discover.nse", categories = { "broadcast", "safe", } }
Entry { filename = "broadcast-dhcp-discover.nse", categories = { "broadcast", "safe", } }
Entry { filename = "broadcast-dns-service-discovery.nse", categories = { "broadcast", "safe", } }
Entry { filename = "broadcast-dropbox-listener.nse", categories = { "broadcast", "safe", } }
+Entry { filename = "broadcast-listener.nse", categories = { "safe", } }
Entry { filename = "broadcast-ms-sql-discover.nse", categories = { "broadcast", "safe", } }
Entry { filename = "broadcast-netbios-master-browser.nse", categories = { "broadcast", "safe", } }
Entry { filename = "broadcast-novell-locate.nse", categories = { "broadcast", "safe", } }