From 0d47952611198ef6b1163f366dc03922d20b1475 Mon Sep 17 00:00:00 2001
From: Daniel Baumann
Date: Wed, 17 Apr 2024 09:42:04 +0200
Subject: Adding upstream version 7.94+git20230807.3be01efb1+dfsg.
Signed-off-by: Daniel Baumann
---
scripts/dicom-ping.nse | 70 ++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 70 insertions(+)
create mode 100644 scripts/dicom-ping.nse
(limited to 'scripts/dicom-ping.nse')
diff --git a/scripts/dicom-ping.nse b/scripts/dicom-ping.nse
new file mode 100644
index 0000000..abd5fe3
--- /dev/null
+++ b/scripts/dicom-ping.nse
@@ -0,0 +1,70 @@
+description = [[
+Attempts to discover DICOM servers (DICOM Service Provider) through a partial C-ECHO request.
+ It also detects if the server allows any called Application Entity Title or not.
+
+The script responds with the message "Called AET check enabled" when the association request
+ is rejected due configuration. This value can be bruteforced.
+
+C-ECHO requests are commonly known as DICOM ping as they are used to test connectivity.
+Normally, a 'DICOM ping' is formed as follows:
+* Client -> A-ASSOCIATE request -> Server
+* Server -> A-ASSOCIATE ACCEPT/REJECT -> Client
+* Client -> C-ECHO request -> Server
+* Server -> C-ECHO response -> Client
+* Client -> A-RELEASE request -> Server
+* Server -> A-RELEASE response -> Client
+
+For this script we only send the A-ASSOCIATE request and look for the success code
+ in the response as it seems to be a reliable way of detecting DICOM servers.
+]]
+
+---
+-- @usage nmap -p4242 --script dicom-ping
+-- @usage nmap -sV --script dicom-ping
+--
+-- @output
+-- PORT STATE SERVICE REASON
+-- 4242/tcp open dicom syn-ack
+-- | dicom-ping:
+-- | dicom: DICOM Service Provider discovered!
+-- |_ config: Called AET check enabled
+--
+-- @xmloutput
+--
+---
+
+author = "Paulino Calderon "
+license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
+categories = {"discovery", "default", "safe", "auth"}
+
+local shortport = require "shortport"
+local dicom = require "dicom"
+local stdnse = require "stdnse"
+local nmap = require "nmap"
+
+portrule = shortport.port_or_service({104, 2345, 2761, 2762, 4242, 11112}, "dicom", "tcp", "open")
+
+action = function(host, port)
+ local output = stdnse.output_table()
+ local dcm_conn_status, err = dicom.associate(host, port)
+ if dcm_conn_status == false then
+ stdnse.debug1("Association failed:%s", err)
+ if err == "ASSOCIATE REJECT received" then
+ port.version.name = "dicom"
+ nmap.set_port_version(host, port)
+
+ output.dicom = "DICOM Service Provider discovered!"
+ output.config = "Called AET check enabled"
+ end
+ return output
+ end
+ port.version.name = "dicom"
+ nmap.set_port_version(host, port)
+
+ output.dicom = "DICOM Service Provider discovered!"
+ output.config = "Any AET is accepted (Insecure)"
+ return output
+end
--
cgit v1.2.3
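Review bot: The failure branch of `action` treats every rejection as proof of AET filtering: `err == "ASSOCIATE REJECT received"` matches the library's message text exactly and then reports `Called AET check enabled`, although the visible code never looks at why the association was rejected. A reject for any other cause would be reported the same way, so the finding should either be worded as an inference or be tied to the reject reason, if `dicom.associate` exposes one (its implementation is not visible here). The guard `dcm_conn_status == false` also lets a `nil` status fall through to the `Any AET is accepted (Insecure)` path; `if not dcm_conn_status then` would be the safer test. I would add a comment above the string comparison, `-- NOTE: any A-ASSOCIATE-RJ lands here; the reject reason is not examined`.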