diff options
Diffstat (limited to 'scripts/dicom-ping.nse')
| -rw-r--r-- | scripts/dicom-ping.nse | 70 |
1 files changed, 70 insertions, 0 deletions
diff --git a/scripts/dicom-ping.nse b/scripts/dicom-ping.nse new file mode 100644 index 0000000..abd5fe3 --- /dev/null +++ b/scripts/dicom-ping.nse @@ -0,0 +1,70 @@ +description = [[ +Attempts to discover DICOM servers (DICOM Service Provider) through a partial C-ECHO request. + It also detects if the server allows any called Application Entity Title or not. + +The script responds with the message "Called AET check enabled" when the association request + is rejected due configuration. This value can be bruteforced. + +C-ECHO requests are commonly known as DICOM ping as they are used to test connectivity. +Normally, a 'DICOM ping' is formed as follows: +* Client -> A-ASSOCIATE request -> Server +* Server -> A-ASSOCIATE ACCEPT/REJECT -> Client +* Client -> C-ECHO request -> Server +* Server -> C-ECHO response -> Client +* Client -> A-RELEASE request -> Server +* Server -> A-RELEASE response -> Client + +For this script we only send the A-ASSOCIATE request and look for the success code + in the response as it seems to be a reliable way of detecting DICOM servers. +]] + +--- +-- @usage nmap -p4242 --script dicom-ping <target> +-- @usage nmap -sV --script dicom-ping <target> +-- +-- @output +-- PORT STATE SERVICE REASON +-- 4242/tcp open dicom syn-ack +-- | dicom-ping: +-- | dicom: DICOM Service Provider discovered! +-- |_ config: Called AET check enabled +-- +-- @xmloutput +-- <script id="dicom-ping" output="
 dicom: DICOM Service Provider discovered!
 +-- config: Called AET check enabled"><elem key="dicom">DICOM Service Provider discovered!</elem> +-- <elem key="config">Called AET check enabled</elem> +-- </script> +--- + +author = "Paulino Calderon <calderon()calderonpale.com>" +license = "Same as Nmap--See https://nmap.org/book/man-legal.html" +categories = {"discovery", "default", "safe", "auth"} + +local shortport = require "shortport" +local dicom = require "dicom" +local stdnse = require "stdnse" +local nmap = require "nmap" + +portrule = shortport.port_or_service({104, 2345, 2761, 2762, 4242, 11112}, "dicom", "tcp", "open") + +action = function(host, port) + local output = stdnse.output_table() + local dcm_conn_status, err = dicom.associate(host, port) + if dcm_conn_status == false then + stdnse.debug1("Association failed:%s", err) + if err == "ASSOCIATE REJECT received" then + port.version.name = "dicom" + nmap.set_port_version(host, port) + + output.dicom = "DICOM Service Provider discovered!" + output.config = "Called AET check enabled" + end + return output + end + port.version.name = "dicom" + nmap.set_port_version(host, port) + + output.dicom = "DICOM Service Provider discovered!" + output.config = "Any AET is accepted (Insecure)" + return output +end |