Nmap Development mailing list archives

Re: Sending HEX to a socket in a NSE script


From: Tom Sellers <nmap () fadedcode net>
Date: Tue, 10 Jun 2008 18:46:19 -0500

Eddie Bell wrote:
Lua doesn't natively support hex strings but you could send it in decimal form

FF FF FF would be '\255\255\255'

- eddie

2008/6/6 Tom Sellers <nmap () fadedcode net>:
I am working on writing two NSE scripts to detect the versions
of DB2 and Oracle.  As I cannot seem to find decent documentation
for either I have been working with packet captures.  While I am
familiar with sending hex within a normal nmap probe, I am not so
sure when it comes to Lua.

Does anyone have any pointers on this?  I am not looking for anything
detailed, just one or two lines sending something as simple as FF FF FF.


Thanks much,

Tom


Thanks much for the responses Kris and Eddie.
As it turns out I was sending the data correctly, I just needed to
handle the response in a different way.  The response string was
being truncated when printed via stdnse.print_debug and it seems
that tossing certain values into variables after processing them
with string.char does not work.  0x04 (End of Transmission) is one
of these and just happens to lead off the data portion of some DB2
responses.

Fortunately I woke up and checked the host responses using Wireshark
(which I had been using the whole time to watch traffic from different
utilities) and found that the data was actually making it back to
my scanning box.

A couple of things...

***

I was able to take the hex as it was found in the packets and
send it by using the following syntax:

-- bytes written as hex literals; string.char builds the raw binary string
local strPayload = string.char(0x00, 0x53, 0x55)
-- socket is an already-connected nmap socket object
socket:send(strPayload)

I had seen this in netbios-smb-os-discovery.nse but figured I was
doing something wrong.

***

In Wireshark, if you right-click on a packet, choose follow a stream
and select the C Arrays view, the resulting data is perfectly formatted
for shoving into a variable via string.char.

***

I expect to have a working nmap-service-probes entry for DB2 within
a day or so.  Right now it works against DB2 7 and 8; I am working on
getting it to work against 5 and 9.

I am at pretty much the same place with an NSE script that determines
the version and dumps a list of information including database names
and local file paths.  I intend to try to use nmap.verbosity to
limit the output.

Tom




_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
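An added example, not part of the thread and not Nmap's own code: a stand-alone Lua snippet that turns a Wireshark "C Arrays" dump into the raw bytes handed to socket:send, and renders a binary response as a hex dump so that bytes such as 0x04 and embedded NULs survive debug printing instead of truncating it. The helper names bytes_from_c_array and hexdump are our own, and the sample response is constructed here rather than taken from a real DB2 packet; the snippet runs under plain Lua without nmap or stdnse.

```lua
-- Added example (not from the thread or Nmap): build a binary payload from
-- hex byte values and hex-dump a binary response for safe debug output.
-- Plain Lua 5.1+, no nmap/NSE dependency; the sample response is constructed.

-- Turn text in Wireshark's "follow stream -> C Arrays" format, e.g.
-- "0x00, 0x53, 0x55, /* .SU */", into a raw byte string.  Name is ours.
local function bytes_from_c_array(text)
  -- drop C comments first so the ASCII preview column is never parsed as data
  text = text:gsub("/%*.-%*/", "")
  local bytes = {}
  for hex in text:gmatch("0[xX](%x%x)") do
    bytes[#bytes + 1] = string.char(tonumber(hex, 16))
  end
  return table.concat(bytes)
end

-- Render a byte string 16 bytes per line as "offset  hex bytes  ascii".
-- Non-printable bytes (0x00, 0x04 EOT, 0xff ...) appear as hex and as '.',
-- so the dump itself contains no control characters or embedded NULs.
local function hexdump(data)
  local lines = {}
  for offset = 1, #data, 16 do
    local chunk = data:sub(offset, offset + 15)
    local hex = chunk:gsub(".", function(c)
      return string.format("%02x ", c:byte())
    end)
    local ascii = chunk:gsub("[^%w%p ]", ".")
    lines[#lines + 1] = string.format("%08x  %-48s %s", offset - 1, hex, ascii)
  end
  return table.concat(lines, "\n")
end

-- The three bytes from the thread, as the C Arrays view would show them.
local payload = bytes_from_c_array("0x00, 0x53, 0x55, /* .SU */")
assert(payload == string.char(0x00, 0x53, 0x55))
assert(#payload == 3)

-- Constructed response: leading 0x04 (EOT), an embedded NUL and a 0xff,
-- i.e. the bytes that get lost when a raw string is printed directly.
local response = string.char(0x04, 0x00, 0x01) .. "DB2 SAMPLE" .. string.char(0x00, 0xff)

print(hexdump(response))
-- Inside an NSE script the same two helpers would be used as
--   socket:send(payload)
--   stdnse.print_debug(1, "response:\n%s", hexdump(response))
-- because the dump, unlike the raw response, is plain printable text.
```

The point of dumping rather than printing is that the debug output no longer depends on how the logging path treats NUL and other control bytes: every byte of the response is visible as two hex digits, which is exactly what is needed when comparing against the capture in Wireshark.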