diff options
Diffstat (limited to 'scripts/auth-owners.nse')
-rw-r--r-- | scripts/auth-owners.nse | 80 |
1 files changed, 80 insertions, 0 deletions
diff --git a/scripts/auth-owners.nse b/scripts/auth-owners.nse new file mode 100644 index 0000000..ab4bd1c --- /dev/null +++ b/scripts/auth-owners.nse @@ -0,0 +1,80 @@ +local nmap = require "nmap" +local string = require "string" + +description = [[ +Attempts to find the owner of an open TCP port by querying an auth +daemon which must also be open on the target system. The auth service, +also known as identd, normally runs on port 113. +]] +--- +--@output +-- 21/tcp open ftp ProFTPD 1.3.1 +-- |_ auth-owners: nobody +-- 22/tcp open ssh OpenSSH 4.3p2 Debian 9etch2 (protocol 2.0) +-- |_ auth-owners: root +-- 25/tcp open smtp Postfix smtpd +-- |_ auth-owners: postfix +-- 80/tcp open http Apache httpd 2.0.61 ((Unix) PHP/4.4.7 ...) +-- |_ auth-owners: dhapache +-- 113/tcp open auth? +-- |_ auth-owners: nobody +-- 587/tcp open submission Postfix smtpd +-- |_ auth-owners: postfix +-- 5666/tcp open unknown +-- |_ auth-owners: root + +-- The protocol is documented in RFC 1413. + +author = "Diman Todorov" + +license = "Same as Nmap--See https://nmap.org/book/man-legal.html" + +categories = {"default", "safe"} + +portrule = function(host, port) + local auth_port = { number=113, protocol="tcp" } + local identd = nmap.get_port_state(host, auth_port) + + return identd ~= nil + and identd.state == "open" + and port.protocol == "tcp" + and port.state == "open" +end + +action = function(host, port) + local owner = "" + + local client_ident = nmap.new_socket() + local client_service = nmap.new_socket() + + local catch = function() + client_ident:close() + client_service:close() + end + + local try = nmap.new_try(catch) + + try(client_ident:connect(host, 113)) + try(client_service:connect(host, port)) + + local localip, localport, remoteip, remoteport = + try(client_service:get_info()) + + local request = port.number .. ", " .. localport .. "\r\n" + + try(client_ident:send(request)) + + owner = try(client_ident:receive_lines(1)) + + if string.match(owner, "ERROR") then + owner = nil + else + owner = string.match(owner, + "%d+%s*,%s*%d+%s*:%s*USERID%s*:%s*[^:]+%s*:[ \t]*([^\r\n]+)\r?\n") + end + + try(client_ident:close()) + try(client_service:close()) + + return owner +end |