1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
|
local nmap = require "nmap"
local stdnse = require "stdnse"
local string = require "string"
local stringaux = require "stringaux"
local target = require "target"
local os = require "os"
local table = require "table"
description = [[
Discovers HID devices on a LAN by sending a discoveryd network broadcast probe.
For more information about HID discoveryd, see:
* http://nosedookie.blogspot.com/2011/07/identifying-and-querying-hid-vertx.html
* https://github.com/coldfusion39/VertXploit
]]
---
-- @usage nmap --script broadcast-hid-discoveryd
-- @usage nmap --script broadcast-hid-discoveryd --script-args timeout=15s
--
-- @output
-- Pre-scan script results:
-- | broadcast-hid-discoveryd:
-- | MAC: 00:06:8E:00:00:00; Name: NoEntry; IP Address: 10.123.123.1; Model: EH400; Version: 2.3.1.603 (04/23/2012)
-- | MAC: 00:06:8E:FF:FF:FF; Name: NoExit; IP Address: 10.123.123.123; Model: EH400; Version: 2.3.1.603 (04/23/2012)
-- |_ Use --script-args=newtargets to add the results as targets
--
-- @args broadcast-hid-discoveryd.address
-- address to which the probe packet is sent. (default: 255.255.255.255)
-- @args broadcast-hid-discoveryd.timeout
-- socket timeout (default: 5s)
---
author = "Brendan Coles"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"discovery", "broadcast", "safe"}
prerule = function() return ( nmap.address_family() == "inet") end
local arg_address = stdnse.get_script_args(SCRIPT_NAME .. ".address")
local arg_timeout = stdnse.parse_timespec(stdnse.get_script_args(SCRIPT_NAME .. ".timeout"))
action = function()
local host = { ip = arg_address or "255.255.255.255" }
local port = { number = 4070, protocol = "udp" }
local socket = nmap.new_socket("udp")
socket:set_timeout(500)
-- send two packets, just in case
for i=1,2 do
local status = socket:sendto(host, port, "discover;013;")
if ( not(status) ) then
return stdnse.format_output(false, "Failed to send broadcast probe")
end
end
local timeout = tonumber(arg_timeout) or ( 20 / ( nmap.timing_level() + 1 ) )
local results = {}
local stime = os.time()
-- listen until timeout
repeat
local status, data = socket:receive()
if ( status ) then
local hid_pkt = data:match("^discovered;.*$")
if ( hid_pkt ) then
local status, _, _, rhost, _ = socket:get_info()
local hid_data = stringaux.strsplit(";", hid_pkt)
if #hid_data == 10 and hid_data[1] == 'discovered' and tonumber(hid_data[2]) == string.len(hid_pkt) then
stdnse.print_debug(2, "Received HID discoveryd response from %s (%s bytes)", rhost, string.len(hid_pkt))
local str = ("MAC: %s; Name: %s; IP Address: %s; Model: %s; Version: %s (%s)"):format(
hid_data[3], hid_data[4], hid_data[5], hid_data[7], hid_data[8], hid_data[9])
table.insert( results, str )
if target.ALLOW_NEW_TARGETS then
target.add(hid_data[5])
end
end
end
end
until( os.time() - stime > timeout )
socket:close()
local output = stdnse.output_table()
if #results > 0 then
-- remove duplicates
local hash = {}
for _,v in ipairs(results) do
if (not hash[v]) then
table.insert( output, v )
hash[v] = true
end
end
if not target.ALLOW_NEW_TARGETS then
output[#output + 1] = "Use --script-args=newtargets to add the results as targets"
end
return output
end
end
|
