description = [[
Attempts to extract information from HP iLO boards, including versions and addresses.
HP iLO boards have an unauthenticated information disclosure at <ip>/xmldata?item=all.
It lists board information such as server model, firmware version,
MAC addresses, IP addresses, etc. This script uses the slaxml library
to parse the iLO XML document and display the info.
]]
---
--@usage nmap --script hp-ilo-info -p 80 <target>
--
--@usage nmap --script hp-ilo-info -sV <target>
--
--@output
--PORT   STATE SERVICE
--80/tcp open  http
--| ilo-info:
--|   ServerType: ProLiant MicroServer Gen8
--|   ProductID: XXXXXX-XXX
--|   UUID: XXXXXXXXXXXXXXXX
--|   cUUID: XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXX
--|   ILOType: Integrated Lights-Out 4 (iLO 4)
--|   ILOFirmware: X.XX
--|   SerialNo: ILOXXXXXXXXXX
--|   NICs:
--|     NIC 1:
--|       Description: iLO 4
--|       MacAddress: 12:34:56:78:9a:bc
--|       IPAddress: 10.10.10.10
--|       Status: OK
--|     NIC 2:
--|       Description: iLo 4
--|       MacAddress: 11:22:33:44:55:66
--|       IPAddress: Unknown
--|_      Status: Disabled
--
author = "Rajeev R Menon"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"safe","discovery"}
local http = require "http"
local slaxml = require "slaxml"
local stdnse = require "stdnse"
local shortport = require "shortport"
portrule = shortport.http
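-- Depth-first search of a slaxml DOM node for the first element named `tag`.
-- Returns the element node, or nil if none is found.
local function getTag(node,tag)
  for _,n in ipairs(node.kids) do
    if n.type == "element" and n.name == tag then
      return n
    elseif n.type == "element" then
      local ret = getTag(n,tag)
      if ret ~= nil then return ret end
    end
  end
  return nil
end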
-- Builds the script output table from the parsed /xmldata DOM.
local function parseXML(dom)
  local response = stdnse.output_table()
  local info = stdnse.output_table()
  info['ServerType'] = getTag(dom,"SPN")
  info['ProductID'] = getTag(dom,"PRODUCTID")
  info['UUID'] = getTag(dom,"UUID")
  info['cUUID'] = getTag(dom,"cUUID")
  info['ILOType'] = getTag(dom,"PN")
  info['ILOFirmware'] = getTag(dom,"FWRI")
  info['SerialNo'] = getTag(dom,"SN")
  for key,_ in pairs(info) do
    local node = info[key]
    -- Skip missing or empty elements: an empty tag has no text child to read.
    local text = node ~= nil and node.kids[1] or nil
    if text ~= nil and text.type == "text" then
      response[tostring(key)] = text.value
    end
  end
  response.NICs = stdnse.output_table()
  local nicdom = getTag(dom,"NICS")
  if nicdom ~= nil then
    local count = 1
    for _,n in ipairs(nicdom.kids) do
      -- Only element nodes have a kids table; ignore stray text or comment nodes.
      if n.type == "element" then
        local nic = stdnse.output_table()
        for _,m in ipairs(n.kids) do
          if m.type == "element" and #m.kids >= 1 and m.kids[1].type == "text" then
            if m.name == "DESCRIPTION" then
              nic["Description"] = m.kids[1].value
            elseif m.name == "MACADDR" then
              nic["MacAddress"] = m.kids[1].value
            elseif m.name == "IPADDR" then
              nic["IPAddress"] = m.kids[1].value
            elseif m.name == "STATUS" then
              nic["Status"] = m.kids[1].value
            end
          end
        end
        response.NICs["NIC "..tostring(count)] = nic
        count = count + 1
      end
    end
  end
  return response
end
action = function(host,port)
  -- The endpoint answers without authentication; request the full item list.
  local response = http.get(host,port,"/xmldata?item=all")
  -- Only continue if the reply looks like an iLO XML document.
  if response["status"] ~= 200
    or not response.body
    or not response.body:match('<RIMP>')
    or not response.body:match('iLO')
  then
    return
  end
  local domtable = slaxml.parseDOM(response["body"],{stripWhitespace=true})
  return parseXML(domtable)
end