Nmap Development mailing list archives

[Fwd: [SCRIPT] DB2 Information gathering script]


From: Tom Sellers <nmap () fadedcode net>
Date: Thu, 12 Nov 2009 06:23:36 -0600

The updated version of this script has been committed to SVN.  Thanks very much
to the folks that tested and sent me feedback, I appreciate it!

In the next week or so I will be releasing a script that talks to the DB2
Administrative service and pulls the config without needing credentials.

The data looks like this:
;DB2 Server Database Access Profile
;Use BINARY file transfer
;Comment lines start with a ";"
;Other lines must be one of the following two types:
;Type A: [section_name]
;Type B: keyword=value

[File_Description]
Application=DB2/LINUX 9.7.0
Platform=18
File_Content=DB2 Server Definitions
File_Type=CommonServer
File_Format_Version=1.0
DB2System=GATEWAY
ServerType=DB2LINUX

[adminst>dasusr1]
NodeType=1
DB2Comm=TCPIP
Authentication=SERVER
HostName=gateway
PortNumber=523
IpAddress=127.0.1.1

[inst>db2inst1]
NodeType=1
DB2Comm=TCPIP
Authentication=SERVER
HostName=gateway
ServiceName=db2c_db2inst1
PortNumber=50000
IpAddress=127.0.1.1
QuietMode=No
TMDatabase=1ST_CONN

[db>db2inst1:TOOLSDB]
DBAlias=TOOLSDB
DBName=TOOLSDB
Drive=/home/db2inst1
Dir_entry_type=INDIRECT
Authentication=NOTSPEC


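The profile above is plain text with three line types (`;` comments, `[section]` headers and `keyword=value` pairs), which makes it easy to post-process once a scan has retrieved it. The following parser is an added example in Python, not part of the message above and not the NSE script it describes; it reads the sample profile from the message (embedded below as test input) and lists the TCP endpoints and catalogued databases it advertises. The interpretation of the section-name conventions `adminst>user`, `inst>instance` and `db>instance:dbname` is taken from the sample alone and is an assumption.

```python
"""Parse a DB2 'Server Database Access Profile' (;-commented [section] /
keyword=value text) and pull the listening endpoints and databases out of it."""
import re
from collections import OrderedDict

# Sample profile copied from the mailing-list message (constructed test input;
# host name, ports and instance names are the ones shown there).
SAMPLE_PROFILE = """\
;DB2 Server Database Access Profile
;Use BINARY file transfer
;Comment lines start with a ";"
;Other lines must be one of the following two types:
;Type A: [section_name]
;Type B: keyword=value

[File_Description]
Application=DB2/LINUX 9.7.0
Platform=18
File_Content=DB2 Server Definitions
File_Type=CommonServer
File_Format_Version=1.0
DB2System=GATEWAY
ServerType=DB2LINUX

[adminst>dasusr1]
NodeType=1
DB2Comm=TCPIP
Authentication=SERVER
HostName=gateway
PortNumber=523
IpAddress=127.0.1.1

[inst>db2inst1]
NodeType=1
DB2Comm=TCPIP
Authentication=SERVER
HostName=gateway
ServiceName=db2c_db2inst1
PortNumber=50000
IpAddress=127.0.1.1
QuietMode=No
TMDatabase=1ST_CONN

[db>db2inst1:TOOLSDB]
DBAlias=TOOLSDB
DBName=TOOLSDB
Drive=/home/db2inst1
Dir_entry_type=INDIRECT
Authentication=NOTSPEC
"""

SECTION_RE = re.compile(r"^\[(?P<name>[^\]]+)\]$")


def parse_profile(text):
    """Return {section_name: {keyword: value}} preserving section order.

    Type A lines are [section_name], Type B lines are keyword=value and
    ';' starts a comment.  Anything else raises instead of being skipped,
    so a truncated or non-profile response is noticed rather than parsed
    into an empty result.
    """
    sections = OrderedDict()
    current = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group("name")
            sections.setdefault(current, OrderedDict())
            continue
        if current is None:
            raise ValueError("line %d: keyword before any [section]" % lineno)
        if "=" not in line:
            raise ValueError("line %d: expected keyword=value, got %r" % (lineno, line))
        key, _, value = line.partition("=")
        sections[current][key.strip()] = value.strip()
    return sections


def endpoints(sections):
    """(kind, name, host, port, authentication) for every node advertising a
    TCP port; 'adminst' is the DAS, 'inst' a database instance (assumed
    meaning of the section-name prefix)."""
    out = []
    for name, kv in sections.items():
        if ">" not in name or "PortNumber" not in kv:
            continue
        kind, _, inst = name.partition(">")
        out.append((kind, inst, kv.get("HostName"), int(kv["PortNumber"]),
                    kv.get("Authentication")))
    return out


def databases(sections):
    """Map instance name -> list of catalogued database aliases ([db>inst:DB])."""
    out = {}
    for name, kv in sections.items():
        if name.startswith("db>"):
            inst = name[3:].partition(":")[0]
            out.setdefault(inst, []).append(kv.get("DBAlias"))
    return out


if __name__ == "__main__":
    s = parse_profile(SAMPLE_PROFILE)
    print("Server:", s["File_Description"]["Application"])
    for kind, inst, host, port, auth in endpoints(s):
        print("%-8s %-10s %s:%d auth=%s" % (kind, inst, host, port, auth))
    for inst, dbs in databases(s).items():
        print("databases on %s: %s" % (inst, ", ".join(dbs)))
```

Running it against the sample prints the DAS on 523 and the db2inst1 instance on 50000, both with Authentication=SERVER, plus the TOOLSDB alias; the same functions can be pointed at a profile saved from a scan.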

-------- Original Message - Sun Nov 08 21:29:51 2009 --------
I have written a NSE script that enhances version detection for DB2.  It also
gathers platform (OS) and database instance information.  It functions in a similar
way to the MS SQL script.

The script sends a DB2 EXCSAT (exchange server attributes) command packet and
parses the response.  This is a legitimate DB2 command and, based on my reviews
of logs, causes no problems on the server.  DB2 does log the connection and the
source IP address though.


PORT      STATE SERVICE VERSION
523/tcp   open  ibm-db2 IBM DB2 Database Server 9.07.0
50000/tcp open  ibm-db2 IBM DB2 Database Server 9.07.0 (QDB2/LINUX)
|  db2-info: DB2 Version: 9.07.0
|  Server Platform: QDB2/LINUX
|  Instance Name:   db2inst1
|_ External Name:   db2inst1db2agent000051B3%FED%Y00

In the sample output above the version of the DB2 DAS service on port 523 was
detected using nmap-service-probes.  Historically, unlike the DAS port on 523,
we have been unable to detect the exact version number on the DB2 database
instances themselves.  There may be multiple DB2 database instances and they
typically cluster around ports 50000 and 60000.

Port 50000 would normally be detected as service "ibm-db2" with a version string
"IBM DB2 Database Server".  The attached NSE script can now detect the exact
version number and platform as well as the instance name for each of the
databases.

Any testing or feedback with the functionality and structure of the script would
be greatly appreciated!


Here are my current concerns with the script:
1.  Is the default output too verbose?  Should I limit the output to the info
     on the port line by default and add the other lines with -v?

2.  The data from the server is encoded in EBCDIC.  I am decoding this with what
     amounts to a lookup table.  Is there a more appropriate/efficient way to
     handle this?

3.  I have built the EBCDIC table containing the ASCII chars that we should
     encounter in this context.  Should I go ahead and build out the full ASCII
     table? (And wow, I am glad we don't use EBCDIC for much.)

Thanks much,

Tom
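The exchange described in the message, sending a DRDA EXCSAT request and decoding the EXCSATRD reply, as an added example in Python. This is not the NSE script from the message and not Nmap's code; it shows the DSS/DDM framing, the EBCDIC string parameters decoded with the standard-library cp037 codec (a stdlib alternative to a hand-built table, which does not transfer directly to NSE's Lua), and the SRVRLSLV-to-version conversion. The DDM codepoints are from the DRDA specification; the assumptions are that the DSS type sits in the low nibble of the format byte, that the strings are CCSID 37, and that the reply's SRVCLSNM, SRVNAM, SRVRLSLV and EXTNAM parameters are what the script prints as platform, instance name, version and external name. The sample reply is constructed to mirror the values in the script output above.

```python
"""Send a DRDA EXCSAT (exchange server attributes) request to a DB2 port and
decode the EXCSATRD reply.  String parameters are EBCDIC; they are decoded
here with Python's stdlib cp037 codec instead of a hand-built lookup table."""
import socket
import struct

# DDM codepoints from the DRDA specification.
EXCSAT, EXCSATRD = 0x1041, 0x1443
EXTNAM, MGRLVLLS = 0x115E, 0x1404
SRVCLSNM, SRVNAM, SRVRLSLV = 0x1147, 0x116D, 0x115A
DSS_MAGIC = 0xD0
RQSDSS, RPYDSS = 0x01, 0x02   # assumption: DSS type in the low nibble of the format byte
EBCDIC = "cp037"              # assumption: CCSID 37 (cp500 is the other common EBCDIC CCSID)
# Assumed mapping from reply parameters to the fields the script prints.
FIELD = {EXTNAM: "external_name", SRVCLSNM: "platform",
         SRVNAM: "instance", SRVRLSLV: "release"}


def ddm(codepoint, payload):
    """One DDM object/parameter: 2-byte length (header included), 2-byte codepoint, data."""
    return struct.pack(">HH", len(payload) + 4, codepoint) + payload


def dss(obj, dss_type, correlator=1):
    """Prefix a DDM object with the 6-byte DSS header: length, magic, format, correlator."""
    return struct.pack(">HBBH", len(obj) + 6, DSS_MAGIC, dss_type, correlator) + obj


def build_excsat(extnam="nmap"):
    """EXCSAT request with a minimal manager-level list (AGENT, SQLAM, RDB, SECMGR, CMNTCPIP)."""
    mgrlvlls = b"".join(struct.pack(">HH", cp, lvl) for cp, lvl in
                        ((0x1403, 7), (0x2407, 7), (0x240F, 7), (0x1440, 7), (0x1474, 5)))
    params = (ddm(EXTNAM, extnam.encode(EBCDIC)) + ddm(MGRLVLLS, mgrlvlls)
              + ddm(SRVNAM, extnam.encode(EBCDIC)))
    return dss(ddm(EXCSAT, params), RQSDSS)


def parse_excsatrd(data):
    """Parse one reply DSS carrying EXCSATRD into a dict; ValueError on anything else."""
    if len(data) < 10:
        raise ValueError("short DSS")
    total, magic, fmt, _corr = struct.unpack(">HBBH", data[:6])
    if magic != DSS_MAGIC or total > len(data) or fmt & 0x0F != RPYDSS:
        raise ValueError("not a DRDA reply DSS")
    obj_len, codepoint = struct.unpack(">HH", data[6:10])
    if codepoint != EXCSATRD or obj_len + 6 > total:
        raise ValueError("expected EXCSATRD, got codepoint 0x%04X" % codepoint)
    body, pos, attrs = data[10:6 + obj_len], 0, {}
    while pos + 4 <= len(body):
        plen, pcp = struct.unpack(">HH", body[pos:pos + 4])
        if plen < 4 or pos + plen > len(body):          # length must stay inside the object
            raise ValueError("bad parameter length at offset %d" % pos)
        val = body[pos + 4:pos + plen]
        if pcp == MGRLVLLS:
            if len(val) % 4:
                raise ValueError("MGRLVLLS is not a list of (codepoint, level) pairs")
            attrs["managers"] = dict(struct.iter_unpack(">HH", val))
        elif pcp in FIELD:
            attrs[FIELD[pcp]] = val.decode(EBCDIC).strip()
        pos += plen                                      # unknown parameters are skipped
    return attrs


def db2_version(srvrlslv):
    """'SQL09070' -> '9.07.0' (version, release, modification); None if not in that form."""
    if len(srvrlslv) < 8 or not srvrlslv.startswith("SQL") or not srvrlslv[3:8].isdigit():
        return None
    return "%d.%s.%s" % (int(srvrlslv[3:5]), srvrlslv[5:7], srvrlslv[7])


def build_excsatrd_sample():
    """Constructed EXCSATRD reply mirroring the values in the script output above."""
    params = (ddm(EXTNAM, "db2inst1db2agent000051B3%FED%Y00".encode(EBCDIC))
              + ddm(MGRLVLLS, struct.pack(">HHHHHH", 0x1403, 7, 0x2407, 7, 0x1474, 5))
              + ddm(SRVCLSNM, "QDB2/LINUX".encode(EBCDIC))
              + ddm(SRVNAM, "db2inst1".encode(EBCDIC))
              + ddm(SRVRLSLV, "SQL09070".encode(EBCDIC)))
    return dss(ddm(EXCSATRD, params), RPYDSS)


def query_excsat(host, port, timeout=5.0):
    """Send EXCSAT to a live DB2 port, read exactly one DSS and parse it (network, not run offline)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_excsat())
        data = s.recv(6)
        if len(data) < 6:
            raise ValueError("no DSS header in reply")
        total = struct.unpack(">H", data[:2])[0]
        while len(data) < total:
            chunk = s.recv(total - len(data))
            if not chunk:
                break
            data += chunk
    return parse_excsatrd(data)


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:
        attrs = query_excsat(sys.argv[1], int(sys.argv[2]))
    else:
        attrs = parse_excsatrd(build_excsatrd_sample())   # offline demo
    print("DB2 Version:    ", db2_version(attrs.get("release", "")))
    print("Server Platform:", attrs.get("platform"))
    print("Instance Name:  ", attrs.get("instance"))
    print("External Name:  ", attrs.get("external_name"))
```

Run with no arguments it decodes the constructed sample; with `host port` it performs the single EXCSAT round trip against a live instance, which, as the message notes, DB2 logs together with the source address. The parser bounds-checks every DDM length before slicing, so a truncated or malformed reply raises instead of yielding partial attributes.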

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/