1 files changed, 69 insertions, 0 deletions

diff --git a/scripts/epmd-info.nse b/scripts/epmd-info.nse
new file mode 100644
index 0000000..b43cb3f
--- /dev/null
+++ b/scripts/epmd-info.nse
@@ -0,0 +1,69 @@
+local nmap = require "nmap"
+local shortport = require "shortport"
+local stdnse = require "stdnse"
+local string = require "string"
+
+description = [[
+Connects to Erlang Port Mapper Daemon (epmd) and retrieves a list of nodes with their respective port numbers.
+]]
+
+---
+-- @usage
+-- nmap -p 4369 --script epmd-info <target>
+--
+-- @output
+-- PORT     STATE SERVICE
+-- 4369/tcp open  epmd
+-- | epmd-info.nse:
+-- |   epmd_port: 4369
+-- |   nodes:
+-- |     rabbit: 36804
+-- |_    ejabberd: 46540
+-- @xmloutput
+-- <elem key="epmd_port">4369</elem>
+-- <table key="nodes">
+--   <elem key="rabbit">36804</elem>
+--   <elem key="ejabberd">46540</elem>
+-- </table>
+
+author = "Toni Ruottu"
+license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
+categories = {"default", "discovery", "safe"}
+
+portrule = shortport.port_or_service (4369, "epmd")
+
+action = function(host, port)
+  local socket = nmap.new_socket()
+  socket:set_timeout(stdnse.get_timeout(host))
+  local try = nmap.new_try(function () socket:close() end)
+  try(socket:connect(host, port))
+
+  try(socket:send("\x00\x01n")) -- NAMESREQ = 110
+
+  local getline = stdnse.make_buffer(socket, "\n")
+
+  local data, err = getline()
+  if data == nil then
+    stdnse.debug2("Error on receive: %s", err)
+    socket:close()
+    return nil
+  end
+
+  local realport, pos = string.unpack(">I4", data)
+  data = string.sub(data, pos)
+
+  local nodes = stdnse.output_table()
+  local name, port
+  while data and data ~= "" do
+    name, port = data:match("^name (.*) at port (%d+)")
+    if name then
+      nodes[name] = port
+    end
+    data = getline()
+  end
+
+  local response = stdnse.output_table()
+  response.epmd_port = realport
+  response.nodes = nodes
+  return response
+end