path: root/scripts/broadcast-listener.nse
local _G = require "_G"
local coroutine = require "coroutine"
local nmap = require "nmap"
local packet = require "packet"
local stdnse = require "stdnse"
local table = require "table"

-- Script metadata. The protocol list below reflects the decoders shipped in
-- the decoder file that action() loads (DECODERFILE); adding a decoder there
-- is what extends the list of protocols this script can report.
description = [[
Sniffs the network for incoming broadcast communication and
attempts to decode the received packets. It supports protocols like CDP, HSRP,
Spotify, DropBox, DHCP, ARP and a few more. See packetdecoders.lua for more
information.

The script attempts to sniff all ethernet based interfaces with an IPv4 address
unless a specific interface was given using the -e argument to Nmap.
]]

---
-- @usage
-- nmap --script broadcast-listener
-- nmap --script broadcast-listener -e eth0
--
-- @output
-- | broadcast-listener:
-- |   udp
-- |       Netbios
-- |         ip           query
-- |         192.168.0.60 \x01\x02__MSBROWSE__\x02\x01
-- |       DHCP
-- |         srv ip       cli ip       mask             gw           dns
-- |         192.168.0.1  192.168.0.5  255.255.255.0    192.168.0.1  192.168.0.18, 192.168.0.19
-- |       DropBox
-- |         displayname  ip            port   version  host_int  namespaces
-- |         39000860     192.168.0.107 17500  1.8      39000860  28814673, 29981099
-- |       HSRP
-- |         ip             version  op     state   prio  group  secret  virtual ip
-- |         192.168.0.254  0        Hello  Active  110   1      cisco   192.168.0.253
-- |   ether
-- |       CDP
-- |         ip  id      platform       version
-- |         ?   Router  cisco 7206VXR  12.3(23)
-- |       ARP Request
-- |         sender ip     sender mac         target ip
-- |         192.168.0.101 00:04:30:26:DA:C8  192.168.0.60
-- |_        192.168.0.1   90:24:1D:C8:B9:AE  192.168.0.60
--
-- @args broadcast-listener.timeout specifies the number of seconds to sniff
--       the network interface. (default 30s)
--
-- The script attempts to discover all available ipv4 network interfaces,
-- unless the Nmap -e argument has been supplied, and then starts sniffing
-- packets on all of the discovered interfaces. It sets a BPF filter to exclude
-- all packets that have the interface address as source or destination in
-- order to capture broadcast traffic.
--
-- Incoming packets can be either layer 3 (usually UDP) or layer 2.
-- Depending on the layer the packet is matched against a packet decoder loaded
-- from the external nselib/data/packetdecoders.lua file. A more detailed
-- description on how the decoders work can be found in that file.
-- In short, there are two different types of decoders: udp and ether.
-- The udp decoders get triggered by the destination port number, while the
-- ether decoders are triggered by a pattern match. The port or pattern is used
-- as an index in a table containing functions to process packets and fetch
-- the decoded results.
--


--
-- Version 0.1
-- Created 07/02/2011 - v0.1 - created by Patrik Karlsson <patrik@cqure.net>
-- Revised 07/25/2011 - v0.2 -
--                * added more documentation
--                * added getInterfaces code to detect available
--                  interfaces.
--                * corrected bug that would fail to load
--                  decoders if not in a relative directory.



author = "Patrik Karlsson"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
-- "safe": the script itself only captures traffic (pcap_receive in
-- sniffInterface); it does not transmit any packets.
categories = {"broadcast", "safe"}




---
-- Run condition: sniffing with pcap needs raw-capture privileges, so the
-- script only runs when Nmap reports it is privileged.
--
-- @return boolean true to run the script, false otherwise
prerule = function()
  local privileged = nmap.is_privileged()
  if privileged then
    return true
  end
  stdnse.verbose1("not running for lack of privileges.")
  return false
end

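---
-- loads the decoders from file
--
-- The file is located with <code>nmap.fetchfile</code> (Nmap's data
-- directories) and executed as a Lua chunk. It runs in an environment whose
-- reads fall through to <code>_G</code> but whose writes stay local, so the
-- chunk's <code>Decoders</code> table is picked up without touching the
-- script's globals. Note that this does not restrict what the chunk may call:
-- the decoder file is trusted code, not a sandboxed plugin.
--
-- @param fname string containing the name of the file
-- @return status true on success false on failure
-- @return decoders table of decoder functions on success
-- @return err string containing the error message on failure
loadDecoders = function(fname)
  -- resolve the full, absolute, path
  local abs_fname = nmap.fetchfile(fname)

  if ( not(abs_fname) ) then
    return false, ("Failed to load decoder definition (%s)"):format(fname)
  end

  -- reads fall through to _G; assignments (e.g. Decoders = {...}) land in env
  local env = setmetatable({Decoders = {}}, {__index = _G})
  -- mode "t" accepts text source only, so precompiled bytecode is rejected
  local file, lerr = loadfile(abs_fname, "t", env)
  if ( not(file) ) then
    -- keep the loader's reason (syntax error, unreadable file) in the message
    stdnse.debug1("Couldn't load decoder file: %s (%s)", fname, tostring(lerr))
    return false, ("Couldn't load decoder file: %s (%s)"):format(fname, tostring(lerr))
  end

  -- run the chunk under pcall so a runtime error inside the decoder file is
  -- reported through the status/err convention instead of aborting the script
  local ok, rerr = pcall(file)
  if ( not(ok) ) then
    stdnse.debug1("Error running decoder file %s: %s", fname, tostring(rerr))
    return false, ("Error running decoder file %s: %s"):format(fname, tostring(rerr))
  end

  local d = env.Decoders

  if ( d ) then return true, d end
  return false, "Failed to load decoders"
end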

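---
-- Starts sniffing the selected interface for packets with a destination that
-- is not explicitly ours (broadcast, multicast etc.)
--
-- Runs as its own thread (see action). A packet with a UDP destination port is
-- handed to the udp decoder registered for that port; anything else is
-- converted to hex and matched against the Lua patterns that key the ether
-- decoder table. Every decoding runs in a fresh thread, so a failing decoder
-- only loses the packet it was given. When the timeout elapses the capture
-- handle is closed and the condvar on decodertab is signalled.
--
-- @param iface table containing <code>name</code> and <code>address</code>
-- @param Decoders the decoders class loaded externally
-- @param decodertab the "result" table to which all discovered items are
--      reported
sniffInterface = function(iface, Decoders, decodertab)
  local condvar = nmap.condvar(decodertab)
  local sock = nmap.new_socket()
  local timeout = stdnse.parse_timespec(stdnse.get_script_args("broadcast-listener.timeout"))

  -- default to 30 seconds, if nothing else was set (clock_ms works in ms)
  timeout = (timeout or 30) * 1000

  -- We want all packets that aren't explicitly for us. iface.address is the
  -- interface's own address as reported by Nmap (see action/getInterfaces),
  -- not free-form user input.
  sock:pcap_open(iface.name, 1500, true, ("!host %s"):format(iface.address))

  -- Set a short timeout so that we can timeout in time if needed
  sock:set_timeout(100)

  local start_time = nmap.clock_ms()
  while( nmap.clock_ms() - start_time < timeout ) do
    local status, _, _, data = sock:pcap_receive()

    if ( status ) then
      local p = packet.Packet:new( data, #data )

      -- if we have an UDP-based broadcast, we should have a proper packet
      if ( p and p.udp_dport and ( decodertab.udp[p.udp_dport] or Decoders.udp[p.udp_dport] ) ) then
        local uport = p.udp_dport
        -- instantiate the decoder for this port on first use and keep it in
        -- decodertab so later packets (and the final report) share it
        if ( not(decodertab.udp[uport]) ) then
          decodertab.udp[uport] = Decoders.udp[uport]:new()
        end
        stdnse.new_thread(decodertab.udp[uport].process, decodertab.udp[uport], data)
        -- The packet was decoded successfully but we don't have a valid decoder
        -- Report this
      elseif ( p and p.udp_dport ) then
        stdnse.debug2("No decoder for dst port %d", p.udp_dport)
        -- we don't have a packet, so this is most likely something layer2 based
        -- in that case, check the ether Decoder table for pattern matches
      else
        -- attempt to find a match for a pattern
        local hex = stdnse.tohex(data)
        local decoded = false
        for match, _ in pairs(Decoders.ether) do
          -- attempts to match the "raw" packet against a filter
          -- supplied in each ethernet packet decoder
          if ( hex:match(match) ) then
            stdnse.debug1("Packet matched '%s'", match)
            if ( not(decodertab.ether[match]) ) then
              decodertab.ether[match] = Decoders.ether[match]:new()
            end
            -- start a new decoding thread. This way, if something gets foobared
            -- the whole script doesn't break, only the packet decoding for that
            -- specific packet.
            stdnse.new_thread( decodertab.ether[match].process, decodertab.ether[match], data )
            decoded = true
          end
        end
        -- no decoder was found for this layer2 packet; log the first 10 bytes
        if ( not(decoded) and #data > 10 ) then
          stdnse.debug1("No decoder for packet hex: %s", stdnse.tohex(data:sub(1,10)))
        end
      end
    end
  end

  -- release the capture handle explicitly rather than leaving it open until
  -- the socket is garbage collected
  sock:pcap_close()
  condvar "signal"
end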

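---
-- Gets a list of available interfaces based on link and up filters
-- Interfaces are only added if they've got an ipv4 address
--
-- Always returns a table (possibly empty), so callers can take
-- <code>#result</code> without a nil check.
--
-- @param link string containing the link type to filter
-- @param up string containing the interface status to filter
-- @return result table containing tables of interfaces
--      each interface table has the following fields:
--      <code>name</code> containing the device name
--      <code>address</code> containing the device address
getInterfaces = function(link, up)
  local result = {}

  -- older Nmap builds may lack list_interfaces; report "no interfaces" rather
  -- than returning nil and letting the caller fail on #result
  if ( not(nmap.list_interfaces) ) then return result end

  local interfaces, err = nmap.list_interfaces()
  if ( err or not(interfaces) ) then return result end

  for _, iface in ipairs(interfaces) do
    -- an address containing ':' is IPv6; exclude those for now
    if ( iface.link == link and
        iface.up == up and
        iface.address and
        not(iface.address:match(":")) ) then
      result[#result + 1] = { name = iface.device, address = iface.address }
    end
  end
  return result
end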

-- Wraps an error message in the standard NSE failure output.
local function fail (err)
  return stdnse.format_output(false, err)
end

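---
-- Script entry point: picks the interfaces to listen on, loads the decoders,
-- runs one sniffing thread per interface and reports what the decoders
-- collected, grouped by protocol layer (udp / ether).
--
-- @return formatted output table, or a failure message via fail()
action = function()

  local DECODERFILE = "nselib/data/packetdecoders.lua"
  local iface = nmap.get_interface()
  local interfaces = {}

  -- was an interface supplied using the -e argument?
  if ( iface ) then
    local iinfo, err = nmap.get_interface_info(iface)

    -- an unknown interface name yields no info table; report it instead of
    -- failing on iinfo.address below
    if ( not(iinfo) ) then
      return fail(("Could not get information for interface %s: %s"):format(iface, err or "unknown error"))
    end

    if ( not(iinfo.address) ) then
      return fail("The IP address of the interface could not be determined")
    end

    interfaces = { { name = iface, address = iinfo.address } }
  else
    -- no interface was supplied, attempt autodiscovery
    interfaces = getInterfaces("ethernet", "up") or {}
  end

  -- make sure we have at least one interface to start sniffing
  if ( #interfaces == 0 ) then
    return fail("Could not determine any valid interfaces")
  end

  -- load the decoders from file
  local status, Decoders = loadDecoders(DECODERFILE)
  if ( not(status) ) then return fail(Decoders) end

  -- create a local table to handle instantiated decoders; the sniffing threads
  -- fill it in and signal the condvar attached to it when they are done
  local decodertab = { udp = {}, ether = {} }
  local condvar = nmap.condvar(decodertab)
  local threads = {}

  -- start a thread for each interface to sniff
  for _, iface in ipairs(interfaces) do
    local co = stdnse.new_thread(sniffInterface, iface, Decoders, decodertab)
    threads[co] = true
  end

  -- wait for all threads to finish sniffing
  repeat
    for thread in pairs(threads) do
      if coroutine.status(thread) == "dead" then
        threads[thread] = nil
      end
    end
    if ( next(threads) ) then
      condvar "wait"
    end
  until next(threads) == nil

  local out_outer = {}

  -- create the results table: one entry per protocol layer that produced
  -- at least one decoded result
  for proto, decoders in pairs(decodertab) do
    local out_inner = {}
    for _, decoder in pairs(decoders) do
      table.insert( out_inner, decoder:getResults() )
    end
    if ( #out_inner > 0 ) then
      table.insert( out_outer, { name = proto, out_inner } )
    end
  end

  -- pairs() order is unspecified; sort so the report is stable
  table.sort(out_outer, function(a, b) return a.name < b.name end)
  return stdnse.format_output(true, out_outer)

end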