Add epmd-info script from Toni Ruottu.

2025-12-08 21:51:28 +00:00 · 2011-04-04 18:28:33 +00:00
parent 8663bf9b17
commit d0ea18119c
3 changed files with 56 additions and 0 deletions
--- a/3
+++ b/3
@@ -1,5 +1,8 @@
 # Nmap Changelog ($Id$); -*-text-*-

+o [NSE] Added epmd-info.nse, which gets a list of Erlang node port
+  numbers. [Toni Ruottu]
+
 o [NSE] Added http-affiliate-id.nse, which scrapes a web page for
  affiliate IDs (like Google AdSense and Amazon associates) that can
  be used to link sites to the same owner. [Hani Benhabiles, Daniel
--- a/scripts/epmd-info.nse
+++ b/scripts/epmd-info.nse
@@ -0,0 +1,52 @@
+description = [[
+Connects to Erlang Port Mapper Daemon (epmd) and retrieves a list of nodes with their respective port numbers.
+]]
+
+---
+-- @usage
+-- nmap -p 4369 --script epmd-info <target>
+--
+-- @output
+-- PORT     STATE SERVICE
+-- 4369/tcp open  epmd
+-- | epmd-info.nse: 
+-- |   epmd running on port 4369
+-- |   name rabbit at port 36804
+-- |_  name ejabberd at port 46540
+
+author = "Toni Ruottu"
+license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
+categories = {"default", "discovery", "safe"}
+require "shortport"
+require "bin"
+
+portrule = shortport.port_or_service (4369, "epmd")
+
+local NAMESREQ = 110
+
+action = function(host, port)
+	local socket = nmap.new_socket()
+	local status, err = socket:connect(host.ip, port.number)
+	if not status then
+		return {}
+	end
+	local payload = bin.pack("C", NAMESREQ)
+	local probe = bin.pack(">SA", #payload, payload)
+	socket:send(probe)
+	local status = true
+	local data = ""
+	local tmp = ""
+	while status do
+		data = data .. tmp
+		status, tmp = socket:receive()
+	end
+	pos, realport = bin.unpack(">I", data)
+	nodestring = string.sub(data, pos, -2)
+	nodes = stdnse.strsplit("\n", nodestring)
+	local response = {}
+	table.insert(response, 'epmd running on port ' .. realport)
+	for _, node in ipairs(nodes) do
+		table.insert(response, node)
+	end
+	return stdnse.format_output(true, response)
+end
--- a/scripts/script.db
+++ b/scripts/script.db
@@ -39,6 +39,7 @@ Entry { filename = "domino-enum-users.nse", categories = { "auth", "intrusive",
 Entry { filename = "dpap-brute.nse", categories = { "auth", "intrusive", } }
 Entry { filename = "drda-brute.nse", categories = { "auth", "intrusive", } }
 Entry { filename = "drda-info.nse", categories = { "discovery", "safe", "version", } }
+Entry { filename = "epmd-info.nse", categories = { "default", "discovery", "safe", } }
 Entry { filename = "finger.nse", categories = { "default", "discovery", "safe", } }
 Entry { filename = "firewalk.nse", categories = { "discovery", "safe", } }
 Entry { filename = "ftp-anon.nse", categories = { "auth", "default", "safe", } }