diff --git a/CHANGELOG b/CHANGELOG index 94c13b70d..b3359e0e2 100644 --- a/CHANGELOG +++ b/CHANGELOG @@ -1,5 +1,7 @@ # Nmap Changelog ($Id$); -*-text-*- +o [NSE] Added the address-info.nse script, which shows extra information about IP addresses. + o [NSE] Added scripts http-joomla-brute, http-wordpress-brute, http-wp-enum and http-awstatstotal-exec. [Paulino] diff --git a/scripts/address-info.nse b/scripts/address-info.nse new file mode 100644 index 000000000..bbdf3ee46 --- /dev/null +++ b/scripts/address-info.nse @@ -0,0 +1,258 @@ +description = [[ +Shows extra information about IP addresses. + +Some IP address formats encode extra information; for example some IPv4 +addresses encode an IPv4 address or MAC address. This script can decode +these address formats: +* IPv4-compatible IPv6 addresses, +* IPv4-mapped IPv6 addresses, +* Teredo IPv6 addresses, +* 6to4 IPv6 addresses, +* IPv6 addresses using an EUI-64 interface ID, +* IPv4-embedded IPv6 addresses, +* IPv4-translated IPv6 addresses and +* ISATAP Modified EUI-64 IPv6 addresses. + +See RFC 4291 for general IPv6 addressing architecture and the +definitions of some terms. +]] + +--- +-- @output +-- Nmap scan report for ::1.2.3.4 +-- Host script results: +-- |_address-info: IPv4-compatible; IPv4 address: 1.2.3.4 +-- +-- Nmap scan report for ::ffff:1.2.3.4 +-- Host script results: +-- |_address-info: IPv4-mapped; IPv4 address: 1.2.3.4 +-- +-- Nmap scan report for 2001:0:506:708:282a:3d75:fefd:fcfb +-- Host script results: +-- | address-info: Teredo; +-- | Server IPv4 address: 5.6.7.8 +-- | Client IPv4 address: 1.2.3.4 +-- |_ UDP port: 49802 +-- +-- Nmap scan report for 2002:102:304::1 +-- Host script results: +-- |_address-info: 6to4; IPv4 address: 1.2.3.4 +-- +-- Nmap scan report for fe80::a8bb:ccff:fedd:eeff +-- Host script results: +-- |_address-info: IPv6 EUI-64; MAC address: aa:bb:cc:dd:ee:ff +-- +-- Nmap scan report for 64:ff9b::c000:221 +-- Host script results: +-- |_address-info: IPv4-embedded IPv6 address; IPv4 address: 192.0.2.33 +-- +-- Nmap scan report for ::ffff:0:c0a8:101 +-- Host script results: +-- |_address-info: IPv4-translated IPv6 address; IPv4 address: 192.168.1.1 +-- + +-- * ISATAP. RFC 5214. +-- XXXX:XXXX:XXXX:XX00:0000:5EFE:a.b.c.d + +author = "David Fifield" + +license = "Same as Nmap--See http://nmap.org/book/man-legal.html" + +categories = {"default", "safe"} + +require("bit") +require("stdnse") + +hostrule = function(host) + return true +end + +-- Match an address (array of bytes) against a hex-encoded pattern. "XX" in the +-- pattern is a wildcard. +local function matches(addr, pattern) + local octet_patterns + + octet_patterns = {} + for op in pattern:gmatch("([%xX][%xX])") do + octet_patterns[#octet_patterns + 1] = op + end + + if #addr ~= #octet_patterns then + return false + end + + for i = 1, #addr do + local a, op + + a = addr[i] + op = octet_patterns[i] + if not (op == "XX" or a == tonumber(op, 16)) then + return false + end + end + + return true +end + +local function format_mac(mac) + local octets + + octets = {} + for _, v in ipairs(mac) do + octets[#octets + 1] = string.format("%02x", v) + end + + return stdnse.strjoin(":", octets) +end + +local function format_ipv4(ipv4) + local octets + + octets = {} + for _, v in ipairs(ipv4) do + octets[#octets + 1] = string.format("%d", v) + end + + return stdnse.strjoin(".", octets) +end + +local function do_ipv4(addr) +end + +-- EUI-64 from MAC, RFC 4291. +local function decode_eui_64(eui_64) + if eui_64[4] == 0xff and eui_64[5] == 0xfe then + return { bit.bxor(eui_64[1], 0x02), + eui_64[2], eui_64[3], eui_64[6], eui_64[7], eui_64[8] } + end +end + +local function format_output(label, lines) + local output + + output = "" + if #lines == 0 then + return label + elseif #lines == 1 then + if label then + output = output .. label .. "; " + end + return output .. lines[1] + else + if label then + output = output .. label .. ";" + end + return output .. "\n " .. stdnse.strjoin("\n ", lines) + end +end + +local function do_ipv6(addr) + local label + local output + + output = {} + + if matches(addr, "0000:0000:0000:0000:0000:0000:XXXX:XXXX") then + -- RFC 4291 2.5.5.1. + local ipv4 = { addr[13], addr[14], addr[15], addr[16] } + return format_output("IPv4-compatible", + { "IPv4 address: " .. format_ipv4(ipv4) }) + elseif matches(addr, "0000:0000:0000:0000:0000:ffff:XXXX:XXXX") then + -- RFC 4291 2.5.5.2. + local ipv4 = { addr[13], addr[14], addr[15], addr[16] } + return format_output("IPv4-mapped", + { "IPv4 address: " .. format_ipv4(ipv4) }) + elseif matches(addr, "2001:0000:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX") then + -- Teredo, RFC 4380. + local server_ipv4 = { addr[5], addr[6], addr[7], addr[8] } + -- RFC 5991 makes the flags mostly meaningless. + local flags = addr[9] * 256 + addr[10] + local obs_port = addr[11] * 256 + addr[12] + local obs_client_ipv4 = { addr[13], addr[14], addr[15], addr[16] } + local port, client_ipv4 + + -- Invert obs_port. + port = bit.bxor(obs_port, 0xffff) + + -- Invert obs_client_ipv4. + client_ipv4 = {} + for _, octet in ipairs(obs_client_ipv4) do + client_ipv4[#client_ipv4 + 1] = bit.bxor(octet, 0xff) + end + + output[#output + 1] = "Server IPv4 address: " .. format_ipv4(server_ipv4) + output[#output + 1] = "Client IPv4 address: " .. format_ipv4(client_ipv4) + output[#output + 1] = "UDP port: " .. tostring(port) + + return format_output("Teredo", output) + elseif matches(addr, "0064:ff9b:XXXX:XXXX:00XX:XXXX:XXXX:XXXX") then + --IPv4-embedded IPv6 addresses. RFC 6052, Section 2 + + --skip addr[9] + if matches(addr,"0064:ff9b:0000:0000:0000:0000:XXXX:XXXX") then + local ipv4 = {addr[13], addr[14], addr[15], addr[16]} + return format_output("IPv4-embedded IPv6 address",{"IPv4 address: "..format_ipv4(ipv4)}) + elseif addr[5] ~= 0x01 then + local ipv4 = {addr[5], addr[6], addr[7], addr[8]} + return format_output("IPv4-embedded IPv6 address",{"IPv4 address: "..format_ipv4(ipv4)}) + elseif addr[6] ~= 0x22 then + local ipv4 = {addr[6], addr[7], addr[8], addr[10]} + return format_output("IPv4-embedded IPv6 address",{"IPv4 address: "..format_ipv4(ipv4)}) + elseif addr[7] ~= 0x03 then + local ipv4 = {addr[7], addr[8], addr[10], addr[11]} + return format_output("IPv4-embedded IPv6 address",{"IPv4 address: "..format_ipv4(ipv4)}) + elseif addr[8] ~= 0x44 then + local ipv4 = {addr[8], addr[10], addr[11], addr[12]} + return format_output("IPv4-embedded IPv6 address",{"IPv4 address: "..format_ipv4(ipv4)}) + elseif addr[10] == 0x00 and addr[11] == 0x00 and addr[12] == 0x00 then + local ipv4 = {addr[13], addr[14], addr[15], addr[16]} + return format_output("IPv4-embedded IPv6 address",{"IPv4 address: "..format_ipv4(ipv4)}) + end + elseif matches(addr, "0000:0000:0000:0000:ffff:0000:XXXX:XXXX") then + -- IPv4-translated IPv6 addresses. RFC 2765, Section 2.1 + return format_output("IPv4-translated IPv6 address", + {"IPv4 address: "..format_ipv4( {addr[13], addr[14], addr[15], addr[16]})}) + elseif matches(addr, "XXXX:XXXX:XXXX:XX00:0000:5efe:XXXX:XXXX") then + -- ISATAP. RFC 5214, Appendix A + -- XXXX:XXXX:XXXX:XX00:0000:5EFE:a.b.c.d + return format_output("ISATAP Modified EUI-64 IPv6 Address", + {"IPv4 address: "..format_ipv4( {addr[13], addr[14], addr[15], addr[16]})}) + end + + -- These following use common handling for the Interface ID part + -- (last 64 bits). + + if matches(addr, "2002:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX") then + -- 6to4, RFC 3056. + local ipv4 = { addr[3], addr[4], addr[5], addr[6] } + local mac = decode_eui_64({ addr[9], addr[10], addr[11], addr[12], + addr[13], addr[14], addr[15], addr[16] }) + + label = "6to4" + output[#output + 1] = "IPv4 address: " .. format_ipv4(ipv4) + end + + local mac = decode_eui_64({ addr[9], addr[10], addr[11], addr[12], + addr[13], addr[14], addr[15], addr[16] }) + if mac then + output[#output + 1] = "MAC address: " .. format_mac(mac) + if not label then + label = "IPv6 EUI-64" + end + end + + return format_output(label, output) +end + +action = function(host) + local addr_s, addr_t + + addr_s = host.bin_ip + addr_t = { string.byte(addr_s, 1, #addr_s) } + + if #addr_t == 4 then + return do_ipv4(addr_t) + elseif #addr_t == 16 then + return do_ipv6(addr_t) + end +end diff --git a/scripts/script.db b/scripts/script.db index a4407b5ab..7a576f9de 100644 --- a/scripts/script.db +++ b/scripts/script.db @@ -1,3 +1,4 @@ +Entry { filename = "address-info.nse", categories = { "default", "safe", } } Entry { filename = "afp-brute.nse", categories = { "auth", "intrusive", } } Entry { filename = "afp-ls.nse", categories = { "discovery", "safe", } } Entry { filename = "afp-path-vuln.nse", categories = { "exploit", "intrusive", "vuln", } }