Adds NSE script to extract info from HP iLO servers. Closes #1082 and #1016

CHANGELOG

@@ -1,5 +1,8 @@
 #Nmap Changelog ($Id$); -*-text-*-
 
+o [NSE][GH#1016][GH#1082] New script http-hp-ilo-info to extract information
+  from HP Integrated Lights-Out (iLO) servers. [rajeevrmenon97]
+
 o [NSE][GH#1534] Removed OSVDB references from scripts and replaced them with
   BID references where possible. [nnposter]
 

scripts/http-hp-ilo-info.nse

@@ -0,0 +1,119 @@
+description = [[
+Attempts to extract information from HP iLO boards including versions and addresses.
+
+HP iLO boards have an unauthenticated info disclosure at <ip>/xmldata?item=all.
+It lists board informations such as server model, firmware version,
+MAC addresses, IP addresses, etc. This script uses the slaxml library
+to parse the iLO xml file and display the info.
+]]
+
+---
+--@usage nmap --script hp-ilo-info -p 80 <target>
+--
+--@usage nmap --script hp-ilo-info -sV <target>
+--
+--@output
+--PORT   STATE SERVICE
+--80/tcp open  http
+--| ilo-info:
+--|   ServerType: ProLiant MicroServer Gen8
+--|   ProductID: XXXXXX-XXX
+--|   UUID: XXXXXXXXXXXXXXXX
+--|   cUUID: XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXX
+--|   ILOType: Integrated Lights-Out 4 (iLO 4)
+--|   ILOFirmware: X.XX
+--|   SerialNo: ILOXXXXXXXXXX
+--|   NICs:
+--|     NIC 1:
+--|       Description: iLO 4
+--|       MacAddress: 12:34:56:78:9a:bc
+--|       IPAddress: 10.10.10.10
+--|       Status: OK
+--|     NIC 2:
+--|       Description: iLo 4
+--|       MacAddress: 11:22:33:44:55:66
+--|       IPAddress: Unknown
+--|_      Status: Disabled
+--
+
+author = "Rajeev R Menon"
+license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
+categories = {"safe","discovery"}
+
+local http = require "http"
+local slaxml = require "slaxml"
+local stdnse = require "stdnse"
+local shortport = require "shortport"
+
+portrule = shortport.http
+
+function getTag(table,tag)
+  for _,n in ipairs(table.kids) do
+    if n.type == "element" and n.name == tag then
+      return n
+    elseif n.type == "element" then
+      local ret =  getTag(n,tag)
+      if ret ~= nil then return ret end
+    end
+  end
+  return nil
+end
+
+function parseXML(dom)
+  local response = stdnse.output_table()
+  local info = stdnse.output_table()
+  info['ServerType'] = getTag(dom,"SPN")
+  info['ProductID'] = getTag(dom,"PRODUCTID")
+  info['UUID'] = getTag(dom,"UUID")
+  info['cUUID'] = getTag(dom,"cUUID")
+  info['ILOType'] = getTag(dom,"PN")
+  info['ILOFirmware'] = getTag(dom,"FWRI")
+  info['SerialNo'] = getTag(dom,"SN")
+
+  for key,_ in pairs(info) do
+    if info[key] ~= nil then
+      response[tostring(key)] = info[key].kids[1].value
+    end
+  end
+
+  response.NICs = stdnse.output_table()
+  local nicdom = getTag(dom,"NICS")
+  if nicdom ~= nil then
+  local count = 1
+  for _,n in ipairs(nicdom.kids) do
+    local nic = stdnse.output_table()
+    info = stdnse.output_table()
+    for k,m in ipairs(n.kids) do
+      if #m.kids >= 1 and m.kids[1].type == "text" then
+        if m.name == "DESCRIPTION" then
+          info["Description"] = m.kids[1].value
+        elseif m.name == "MACADDR" then
+          info["MacAddress"] = m.kids[1].value
+        elseif m.name == "IPADDR" then
+          info["IPAddress"] = m.kids[1].value
+        elseif m.name == "STATUS" then
+          info["Status"] = m.kids[1].value
+        end
+      end
+    end
+    for key,_ in pairs(info) do
+      nic[tostring(key)] = info[key]
+    end
+    response.NICs["NIC "..tostring(count)] = nic
+    count = count + 1
+    end
+  end
+  return response
+end
+
+action = function(host,port)
+	local response = http.get(host,port,"/xmldata?item=all")
+	if response["status"] ~= 200
+		or string.match(response["body"], '<RIMP>') == nil
+		or string.match(response["body"], 'iLO') == nil
+	then
+		return
+	end
+	local domtable = slaxml.parseDOM(response["body"],{stripWhitespace=true})
+	return parseXML(domtable)
+end

scripts/script.db

@@ -198,6 +198,7 @@ Entry { filename = "http-gitweb-projects-enum.nse", categories = { "discovery",
 Entry { filename = "http-google-malware.nse", categories = { "discovery", "external", "malware", "safe", } }
 Entry { filename = "http-grep.nse", categories = { "discovery", "safe", } }
 Entry { filename = "http-headers.nse", categories = { "discovery", "safe", } }
+Entry { filename = "http-hp-ilo-info.nse", categories = { "discovery", "safe", } }
 Entry { filename = "http-huawei-hg5xx-vuln.nse", categories = { "exploit", "vuln", } }
 Entry { filename = "http-icloud-findmyiphone.nse", categories = { "discovery", "external", "safe", } }
 Entry { filename = "http-icloud-sendmsg.nse", categories = { "discovery", "external", "safe", } }