-- NSE script metadata: the text shown by `nmap --script-help` for this script.
description = [[
Attempts to extract information from HP iLO boards including versions and addresses.

HP iLO boards have an unauthenticated info disclosure at <ip>/xmldata?item=all.
It lists board informations such as server model, firmware version,
MAC addresses, IP addresses, etc. This script uses the slaxml library
to parse the iLO xml file and display the info.
]]

---
--@usage nmap --script http-hp-ilo-info -p 80 <target>
--
--@usage nmap --script http-hp-ilo-info -sV <target>
--
--@output
--PORT   STATE SERVICE
--80/tcp open  http
--| http-hp-ilo-info:
--|   ServerType: ProLiant MicroServer Gen8
--|   ProductID: XXXXXX-XXX
--|   UUID: XXXXXXXXXXXXXXXX
--|   cUUID: XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXX
--|   ILOType: Integrated Lights-Out 4 (iLO 4)
--|   ILOFirmware: X.XX
--|   SerialNo: ILOXXXXXXXXXX
--|   NICs:
--|     NIC 1:
--|       Description: iLO 4
--|       MacAddress: 12:34:56:78:9a:bc
--|       IPAddress: 10.10.10.10
--|       Status: OK
--|     NIC 2:
--|       Description: iLo 4
--|       MacAddress: 11:22:33:44:55:66
--|       IPAddress: Unknown
--|_      Status: Disabled
--

-- Script metadata read by the NSE engine.
author = "Rajeev R Menon"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
-- "safe": the script issues a single unauthenticated GET and changes no state
-- on the target; "discovery": it reports board inventory.
categories = {"safe","discovery"}

local http = require "http"
local slaxml = require "slaxml"
local stdnse = require "stdnse"
local shortport = require "shortport"

-- Run against every port that shortport classifies as HTTP.
portrule = shortport.http

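--- Depth-first search for the first element named `tag` below `node`.
-- A child is compared before its own subtree is searched, and only element
-- children are descended into (text nodes are skipped). Names are compared
-- exactly (case-sensitive).
-- @param node a slaxml DOM node carrying a `kids` array (document or element)
-- @param tag  element name to look for
-- @return the first matching element node, or nil when there is none
function getTag(node, tag)
  -- Nodes without a children array (text nodes, or a nil lookup result
  -- passed through by a caller) have nothing to search; do not index them.
  if type(node) ~= "table" or type(node.kids) ~= "table" then
    return nil
  end
  for _, kid in ipairs(node.kids) do
    if kid.type == "element" then
      if kid.name == tag then
        return kid
      end
      local found = getTag(kid, tag)
      if found ~= nil then
        return found
      end
    end
  end
  return nil
end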

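--- Return the text of the first child of `node` when that child is a text
-- node, otherwise nil.
-- Elements such as <SPN/> have no text child; indexing `kids[1].value`
-- blindly would raise an error on such input from the target, so the
-- lookup is guarded.
-- @param node a slaxml DOM element, or nil
-- @return string or nil
local function text_of(node)
  if node == nil or type(node.kids) ~= "table" then
    return nil
  end
  local first = node.kids[1]
  if first ~= nil and first.type == "text" then
    return first.value
  end
  return nil
end

--- Build the NSE output table from a parsed /xmldata?item=all document.
-- Board-level fields come from the first element of each name found anywhere
-- in the document; NICs are the element children of the first <NICS> element,
-- numbered in document order. Fields that are absent or have no text content
-- are left out rather than reported as empty.
-- @param dom slaxml DOM (document node) of the iLO XML
-- @return stdnse.output_table with the board fields and a NICs sub-table
function parseXML(dom)
  local response = stdnse.output_table()

  -- Output key -> iLO element name, in the order the fields are reported.
  local board_fields = {
    { "ServerType",  "SPN" },
    { "ProductID",   "PRODUCTID" },
    { "UUID",        "UUID" },
    { "cUUID",       "cUUID" },
    { "ILOType",     "PN" },
    { "ILOFirmware", "FWRI" },
    { "SerialNo",    "SN" },
  }
  for _, field in ipairs(board_fields) do
    local key, tag = field[1], field[2]
    local value = text_of(getTag(dom, tag))
    if value ~= nil then
      response[key] = value
    end
  end

  -- Per-NIC element name -> output key.
  local nic_fields = {
    DESCRIPTION = "Description",
    MACADDR     = "MacAddress",
    IPADDR      = "IPAddress",
    STATUS      = "Status",
  }
  response.NICs = stdnse.output_table()
  local nicdom = getTag(dom, "NICS")
  if nicdom ~= nil and type(nicdom.kids) == "table" then
    local count = 0
    for _, nic_node in ipairs(nicdom.kids) do
      -- Only elements carry the per-NIC fields; a stray text node has no
      -- `kids` array and must not be iterated.
      if nic_node.type == "element" and type(nic_node.kids) == "table" then
        local nic = stdnse.output_table()
        for _, child in ipairs(nic_node.kids) do
          local key = nic_fields[child.name]
          local value = text_of(child)
          if key ~= nil and value ~= nil then
            nic[key] = value
          end
        end
        count = count + 1
        response.NICs["NIC " .. tostring(count)] = nic
      end
    end
  end
  return response
end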

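--- Fetch /xmldata?item=all and report the board information it contains.
-- HP iLO boards serve this endpoint without authentication; the body is only
-- parsed when it carries both the <RIMP> root marker and the string "iLO",
-- so the script stays silent on ordinary web servers.
-- @param host Nmap host table
-- @param port Nmap port table
-- @return the output table built by parseXML, or nil when the target is not
--   an iLO board or the document cannot be parsed
action = function(host, port)
  local response = http.get(host, port, "/xmldata?item=all")
  -- A failed request or a non-200 answer leaves nothing to parse.
  if not response or response.status ~= 200 then
    return
  end
  local body = response.body
  -- Both markers must be present before any XML parsing is attempted.
  if not body or not body:match('<RIMP>') or not body:match('iLO') then
    return
  end
  -- The document is supplied by the target: a malformed body must not turn
  -- into a script error, so parser failures are logged and treated as "no
  -- result".
  local ok, domtable = pcall(slaxml.parseDOM, body, { stripWhitespace = true })
  if not ok then
    stdnse.debug1("Could not parse iLO XML from %s:%d: %s",
      host.ip, port.number, tostring(domtable))
    return
  end
  return parseXML(domtable)
end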