mailing list archives
Re: Sending HEX to a socket in a NSE script
From: Tom Sellers <nmap () fadedcode net>
Date: Tue, 10 Jun 2008 18:46:19 -0500
Eddie Bell wrote:
Lua doesn't natively support hex strings but you could send it in decimal form
FF FF FF would be '\255\255\255'
2008/6/6 Tom Sellers <nmap () fadedcode net>:
I am working on writing two NSE scripts to detect the versions
of DB2 and Oracle. As I cannot seem to find decent documentation
for either I have been working with packet captures. While I am
familiar with send hex within normal nmap probe, I am not so sure
when it comes to lua.
Does anyone have any pointers on this? I am not looking for anything
detailed, just one or two lines sending something as simple as FF FF FF.
Thanks much for the responses Kris and Eddie.
As it turns out I was sending the data correctly, I just needed to
handle the response in a different way. The response string was
being truncated when printed via stdnse.print_debug and it seems
that tossing certain values into variables after processing them
with string.char does not work. 0x04 (End of Transmission) is one
of these and just happens to lead off the data portion of some DB2
Fortunately I woke up and checked the host responses using WireShark
(which I had be using the whole time to watch traffic from different
utilities) and found that the data was actually making it back to
my scanning box.
Couple of things..
I was able to take the hex as it was found in the packets and
send it by using the following syntax:
local strPayload = string.char(0x00, 0x53, 0x55)
I had seen this in netbios-smb-os-discovery.nse but figured I was
doing something wrong.
In Wireshark if you right click on a packet, choose follow a stream
and select the C Arrays view the resulting data is perfectly formatted
for shoving into a variable via string.char.
I expect to have a working nmap-services-probes entry for DB2 within
a day or so. Right now it works against DB2 7 and 8, I am working on
getting it to work against 5 and 9.
I am at pretty much the same place with a NSE script that determines
the version and dumps a list of information including database names
and local file paths. I intend to try to use the nmap.verbosity to
limit the output.
Sent through the nmap-dev mailing list
Archived at http://SecLists.Org