summaryrefslogtreecommitdiffstats
path: root/scripts/auth-owners.nse
blob: ab4bd1c9691575228b53651a2510a4df77a08021 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
local nmap = require "nmap"
local string = require "string"

description = [[
Attempts to find the owner of an open TCP port by querying an auth
daemon which must also be open on the target system. The auth service,
also known as identd, normally runs on port 113.
]]
---
--@output
-- 21/tcp   open     ftp       ProFTPD 1.3.1
-- |_ auth-owners: nobody
-- 22/tcp   open     ssh       OpenSSH 4.3p2 Debian 9etch2 (protocol 2.0)
-- |_ auth-owners: root
-- 25/tcp   open     smtp      Postfix smtpd
-- |_ auth-owners: postfix
-- 80/tcp   open     http      Apache httpd 2.0.61 ((Unix) PHP/4.4.7 ...)
-- |_ auth-owners: dhapache
-- 113/tcp  open     auth?
-- |_ auth-owners: nobody
-- 587/tcp  open     submission Postfix smtpd
-- |_ auth-owners: postfix
-- 5666/tcp open     unknown
-- |_ auth-owners: root

-- The protocol is documented in RFC 1413.

author = "Diman Todorov"

license = "Same as Nmap--See https://nmap.org/book/man-legal.html"

categories = {"default", "safe"}

portrule = function(host, port)
  local auth_port = { number=113, protocol="tcp" }
  local identd = nmap.get_port_state(host, auth_port)

  return identd ~= nil
    and identd.state == "open"
    and port.protocol == "tcp"
    and port.state == "open"
end

action = function(host, port)
  local owner = ""

  local client_ident = nmap.new_socket()
  local client_service = nmap.new_socket()

  local catch = function()
    client_ident:close()
    client_service:close()
  end

  local try = nmap.new_try(catch)

  try(client_ident:connect(host, 113))
  try(client_service:connect(host, port))

  local localip, localport, remoteip, remoteport =
    try(client_service:get_info())

  local request = port.number .. ", " .. localport .. "\r\n"

  try(client_ident:send(request))

  owner = try(client_ident:receive_lines(1))

  if string.match(owner, "ERROR") then
    owner = nil
  else
    owner = string.match(owner,
      "%d+%s*,%s*%d+%s*:%s*USERID%s*:%s*[^:]+%s*:[ \t]*([^\r\n]+)\r?\n")
  end

  try(client_ident:close())
  try(client_service:close())

  return owner
end