From b7b14216e25bcb6fc3fe38bb9f395c340dbceefc Mon Sep 17 00:00:00 2001
From: david
Date: Thu, 18 Mar 2010 00:08:30 +0000
Subject: [PATCH] Add jdwp-version.nse from Michael Schierl.
---
 CHANGELOG | 3 +++
 scripts/jdwp-version.nse | 48 ++++++++++++++++++++++++++++++++++++++++
 scripts/script.db | 1 +
 3 files changed, 52 insertions(+)
 create mode 100644 scripts/jdwp-version.nse
diff --git a/CHANGELOG b/CHANGELOG
index 132dc400c..6cd10aa03 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -2,6 +2,9 @@
 [NOT YET RELEASED]
+o [NSE] Added jdwp-version.nse, a script from Michael Schierl that
+ finds the version of a Java Debug Wire Protocol server.
+
 o Fixed the packaging of x64 versions of WinPcap drivers in the winpcap-nmap installer. 64-bit applications that used WinPcap (like Wireshark) would fail. [Rob Nicholls]
diff --git a/scripts/jdwp-version.nse b/scripts/jdwp-version.nse
new file mode 100644
index 000000000..7f248cd80
--- /dev/null
+++ b/scripts/jdwp-version.nse
@@ -0,0 +1,48 @@
+description = [[
+Detects the Java Debug Wire Protocol. This protocol is used by Java programs
+to be debugged via the network. It should not be open to the public internet,
+as it does not provide any security against malicious attackers who can inject
+their own bytecode into the debugged process.
+
+Documentation for JDWP is available at
+http://java.sun.com/javase/6/docs/technotes/guides/jpda/jdwp-spec.html
+]]
+author = "Michael Schierl "
+license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
+categories = {"version"}
+
+require "comm"
+
+portrule = function(host, port)
+ -- JDWP will close the port if there is no valid handshake within 2
+ -- seconds, Service detection's NULL probe detects it as tcpwrapped.
+ return port.service == "tcpwrapped"
+ and port.protocol == "tcp" and port.state == "open"
+end
+
+action = function(host, port)
+ -- make sure we get at least one more packet after the JDWP-Handshake
+ -- response even if there is some delay; the handshake resonse has 14
+ -- bytes, so wait for 18 bytes here.
+ local status, result = comm.exchange(host, port, "JDWP-Handshake\0\0\0\11\0\0\0\1\0\1\1", {proto="tcp", bytes=18})
+ if (not status) then
+ return
+ end
+ -- match jdwp m|JDWP-Handshake| p/$1/ v/$3/ i/$2\n$4/
+ local match = {string.match(result, "^JDWP%-Handshake%z%z..%z%z%z\1\128%z%z%z%z..([^%z\n]*)\n([^%z]*)%z%z..%z%z..%z%z..([0-9._]+)%z%z..([^%z]*)")}
+ if match == nil then
+ -- if we have one \128 (reply marker), it is at least not echo because the request did not contain \128
+ if (string.match(result,"^JDWP%-Handshake%z.*\128") ~= nil) then
+ port.version.name="jdwp"
+ port.version.product="unknown"
+ nmap.set_port_version(host, port, "hardmatched")
+ end
+ return
+ end
+ port.version.name="jdwp"
+ port.version.product = match[1]
+ port.version.version = match[3]
+ -- port.version.extrainfo = match[2] .. "\n" .. match[4]
+ nmap.set_port_version(host, port, "hardmatched")
+ return
+end
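Review bot: The fallback branch `if match == nil then` in `action` is unreachable: `match` is built as `{string.match(...)}`, which is an empty table rather than nil when the reply does not fit the pattern, so the `\128` reply-flag check and the `product="unknown"` path never run. Any tcpwrapped service that answers the probe with anything at all therefore falls through to `port.version.name="jdwp"` with nil product/version and is reported `hardmatched`, a false positive on exactly the ports this portrule selects. Test the capture instead, e.g. `if match[1] == nil then`, or drop the table and capture into named locals (`local product, desc, ver, vmname = string.match(result, ...)`) and branch on `product`. The 11-byte packet appended to the handshake reads as a JDWP VirtualMachine/Version command (length 11, id 1, flags 0, command set 1, command 1), which is a read-only query; a comment saying so would make clear that the script only asks for version data and never injects anything, despite the warning in the description. `resonse` in the comment above the exchange is a typo.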
diff --git a/scripts/script.db b/scripts/script.db
index dde7fa8e6..b0fa53fd2 100644
--- a/scripts/script.db
+++ b/scripts/script.db
@@ -42,6 +42,7 @@ Entry { filename = "iax2-version.nse", categories = { "version", } }
 Entry { filename = "imap-capabilities.nse", categories = { "default", "safe", } }
 Entry { filename = "ipidseq.nse", categories = { "discovery", "safe", } }
 Entry { filename = "irc-info.nse", categories = { "default", "discovery", "safe", } }
+Entry { filename = "jdwp-version.nse", categories = { "version", } }
 Entry { filename = "ldap-brute.nse", categories = { "auth", "intrusive", } }
 Entry { filename = "ldap-rootdse.nse", categories = { "discovery", "safe", } }
 Entry { filename = "ldap-search.nse", categories = { "discovery", "safe", } }