Server sockets using the Nmap Scripting Engine (NSE)

Question

I am writing a script using the Nmap Scripting Engine (NSE) to extract the product name and the article number through a Lookup Request using the DCE/RPC Endpoint Mapper. However, while testing the script, I encountered something unusual. Here is a snippet from my experiments:

[![Wireshark][1]][1]

First, the machine scanning the network (IP: 192.168.10.56) sends a request with a random source port 51336 to the **UDP** destination port 34964. The first scanned Siemens device (IP: 192.168.10.12) responds as expected, using port 34964 as the source port for the reply. However, the second scanned device (IP: 192.168.10.21) behaves differently. It also replies to the request but uses a random source port for the reply, in this case 49344. NMAP receives the response from IP 192.168.10.12 but not from IP 192.168.10.21 due to this unexpected new source port. Is there a way to open a socket using NSE to accept all incoming messages on a specific port? Something like a "server port" accepting all incoming requests? Right now I am using the function *socket:connect(ip, 34964, "udp")*, specifying the port on the scanned hosts, which causes this problem. Here is a snippet from the script I am using:

  [1]: https://i.stack.imgur.com/eKvwh.png

```lua
local nmap = require "nmap"

send_udp_payload = function(ip, timeout, payload)
    local socket, try, catch

    -- create a new udp socket
    socket = nmap.new_socket("udp")

    -- set timeout
    socket:set_timeout(tonumber(timeout))

    -- close the socket if any try() below fails
    catch = function()
        socket:close()
    end

    -- create new try
    try = nmap.new_try(catch)

    -- connect to port on host
    try(socket:connect(ip, 34964, "udp"))

    -- send lookup packet with PNIO Interface UUID
    try(socket:send(payload))

    -- receive response
    local rcvstatus, response = socket:receive()

    -- close socket
    socket:close()

    if rcvstatus then
        return response
    else
        return nil
    end
end
```



# Answer 1
**Score**: 0

Using pcap:receive() could solve my problem:

```lua
local nmap = require "nmap"

lookup_request = function(host, port, src_port_number, payload, timeout)
  local socket, try, catch
  socket = nmap.new_socket("udp")
  local pcap = nmap.new_socket()
  socket:set_timeout(tonumber(timeout))
  -- release both handles if a try() below fails
  catch = function()
    pcap:close()
    socket:close()
  end
  try = nmap.new_try(catch)
  -- bind our own source port so the capture filter can match on it
  socket:bind(nil, src_port_number)
  try(socket:connect(host.ip, port["number"], "udp"))
  -- capture any UDP datagram from the host aimed at our source port, whatever source port it uses
  pcap:pcap_open(host.interface, 1500, false, "udp dst port " .. src_port_number .. " and src host " .. host.ip)
  pcap:set_timeout(host.times.timeout * 1000)
  try(socket:send(payload))
  local status, len, _, layer3 = pcap:pcap_receive()
  pcap:close()
  socket:close()

  -- parse response
  -- ...
end
```

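As an added example (not code from the question or the answer above), the following NSE-style helper applies the same pcap approach but also decodes the captured IPv4/UDP datagram so the script can see which source port the device actually replied from; `decode_udp_reply`, `lookup_any_source_port` and `PNIO_LOOKUP_PORT` are names chosen here, and the `host` table is assumed to be the one NSE passes to an action.

```lua
-- Added example: capture a UDP reply on our source port regardless of the
-- source port the device answers from, then decode the reply headers.
local nmap   = require "nmap"
local ipOps  = require "ipOps"
local stdnse = require "stdnse"

local PNIO_LOOKUP_PORT = 34964   -- endpoint mapper port from the question

-- Decode an IPv4+UDP datagram (layer-3 data from pcap_receive) into a table.
-- Returns nil if the packet is not IPv4/UDP or is truncated.
local function decode_udp_reply(layer3)
  if #layer3 < 28 then return nil end
  local vhl, proto = string.unpack(">B", layer3, 1), string.unpack(">B", layer3, 10)
  if vhl >> 4 ~= 4 or proto ~= 17 then return nil end
  local ihl = (vhl & 0x0f) * 4
  if #layer3 < ihl + 8 then return nil end
  local src = ipOps.str_to_ip(layer3:sub(13, 16))
  local sport, dport, ulen = string.unpack(">I2I2I2", layer3, ihl + 1)
  return {
    src = src, sport = sport, dport = dport,
    payload = layer3:sub(ihl + 9, ihl + ulen),
  }
end

-- Send payload to host:PNIO_LOOKUP_PORT and return the decoded reply, if any.
local function lookup_any_source_port(host, payload, timeout_ms)
  local sock = nmap.new_socket("udp")
  local cap  = nmap.new_socket()
  -- Filter only on our own port and the target address; the reply port is left open,
  -- so a datagram the connected socket would discard is still seen by the capture.
  local src_port = math.random(32768, 60999)
  sock:bind(nil, src_port)
  cap:pcap_open(host.interface, 1500, false,
    ("udp dst port %d and src host %s"):format(src_port, host.ip))
  cap:set_timeout(timeout_ms)
  local ok = sock:connect(host.ip, PNIO_LOOKUP_PORT, "udp")
  if ok then ok = sock:send(payload) end
  local reply
  if ok then
    local status, _, _, layer3 = cap:pcap_receive()
    if status then reply = decode_udp_reply(layer3) end
  end
  cap:close()
  sock:close()
  if reply and reply.sport ~= PNIO_LOOKUP_PORT then
    stdnse.debug1("%s answered from port %d, not %d", reply.src, reply.sport, PNIO_LOOKUP_PORT)
  end
  return reply
end
```

The capture must be opened before the payload is sent, otherwise a fast reply can arrive before the filter is in place.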

huangapple
  • Posted on 2023-06-21 22:46:38
  • Please keep this link when reposting: https://go.coder-hub.com/76524568.html