| Server IP : 80.87.202.40 / Your IP : 216.73.216.169 Web Server : Apache System : Linux rospirotorg.ru 5.14.0-539.el9.x86_64 #1 SMP PREEMPT_DYNAMIC Thu Dec 5 22:26:13 UTC 2024 x86_64 User : bitrix ( 600) PHP Version : 8.2.27 Disable Function : NONE MySQL : OFF | cURL : ON | WGET : ON | Perl : ON | Python : OFF | Sudo : ON | Pkexec : ON Directory : /usr/share/nmap/scripts/ |
Upload File : |
local nmap = require "nmap"
local shortport = require "shortport"
local stdnse = require "stdnse"
local string = require "string"
local ipOps = require "ipOps"
local tableaux = require "tableaux"
description = [[
Extracts information from Ubiquiti networking devices.
This script leverages Ubiquiti's Discovery Service which is enabled by default
on many products. It will attempt to leverage version 1 of the protocol first
and, if that fails, attempt version 2.
]]
author = {"Tom Sellers"}
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"default", "discovery", "version", "safe"}
---
-- @usage
-- nmap -sU -p 10001 --script ubiquiti-discovery.nse <target>
--
---
-- @output
-- PORT STATE SERVICE VERSION
-- 10001/udp open ubiquiti-discovery Ubiquiti Discovery Service (v1 protocol, ER-X software ver. v1.10.7)
-- | ubiquiti-discovery:
-- | protocol: v1
-- | uptime_seconds: 113144
-- | uptime: 1 days 07:25:44
-- | hostname: ubnt-router
-- | product: ER-X
-- | firmware: EdgeRouter.ER-e50.v1.10.7.5127989.181001.1227
-- | version: v1.10.7
-- | interface_to_ip:
-- | 80:2a:a8:ae:f1:63:
-- | 192.168.0.1
-- | 172.25.16.1
-- | 80:2a:a8:ae:f1:5e:
-- | 55.55.55.10
-- | 55.55.55.11
-- | 55.55.55.12
-- | mac_addresses:
-- | 80:2a:a8:ae:f1:63
-- |_ 80:2a:a8:ae:f1:5e
--
-- PORT STATE SERVICE REASON VERSION
-- 10001/udp open ubiquiti-discovery udp-response Ubiquiti Discovery Service (v2 protocol, UCK-v2 software ver. 5.9.29)
-- | ubiquiti-discovery:
-- | protocol: v2
-- | firmware: UCK.mtk7623.v0.12.0.29a26c9.181001.1444
-- | version: 5.9.29
-- | model: UCK-v2
-- | config_status: managed/adopted
-- | interface_to_ip:
-- | 78:8a:20:21:ae:7b:
-- | 192.168.0.30
-- | mac_addresses:
-- |_ 78:8a:20:21:ae:7b
--
--@xmloutput
-- <elem key="protocol">v1</elem>
-- <elem key="uptime_seconds">113144</elem>
-- <elem key="uptime">1 days 07:25:44</elem>
-- <elem key="hostname">ubnt-router</elem>
-- <elem key="product">ER-X</elem>
-- <elem key="firmware">EdgeRouter.ER-e50.v1.10.7.5127989.181001.1227</elem>
-- <elem key="version">v1.10.7</elem>
-- <table key="interface_to_ip">
-- <table key="80:2a:a8:ae:f1:63">
-- <elem>192.168.0.1</elem>
-- <elem>172.25.16.1</elem>
-- </table>
-- <table key="80:2a:a8:ae:f1:5e">
-- <elem>55.55.55.10</elem>
-- <elem>55.55.55.11</elem>
-- <elem>55.55.55.12</elem>
-- </table>
-- </table>
-- <table key="mac_addresses">
-- <elem>80:2a:a8:ae:f1:63</elem>
-- <elem>80:2a:a8:ae:f1:5e</elem>
-- </table>
--
-- <elem key="protocol">v2</elem>
-- <elem key="version">5.9.29</elem>
-- <elem key="model">UCK-v2</elem>
-- <elem key="config_status">managed/adopted</elem>
-- <table key="interface_to_ip">
-- <table key="78:8a:20:21:ae:7b">
-- <elem>192.168.0.30</elem>
-- </table>
-- </table>
-- <table key="mac_addresses">
-- <elem>78:8a:20:21:ae:7b</elem>
-- </table>
--
portrule = shortport.port_or_service(10001, "ubiquiti-discovery", "udp", {"open", "open|filtered"})
local PROBE_V1 = string.pack("BB I2",
0x01, 0x00, -- version, command
0x00, 0x00 -- length
)
local PROBE_V2 = string.pack("BB I2",
0x02, 0x08, -- version, command
0x00, 0x00 -- length
)
---
-- Converts uptime seconds into a human readable string
--
-- E.g. "86518" -> "1 days 00:01:58"
--
-- @param uptime number of seconds of uptime
-- @return formatted uptime string (days, hours, minutes, seconds)
local function uptime_str(uptime)
if not uptime then
return nil
end
local d = uptime // 86400
local h = uptime // 3600 % 24
local m = uptime // 60 % 60
local s = uptime % 60
return string.format("%d days %02d:%02d:%02d", d, h, m, s)
end
---
-- Parses the full payload of a discovery response
--
-- There are different fields for v1 and v2 of the protocol but as far as I can
-- tell they don't conflict so we should be safe parsing them both with the same
-- code as long as we sanity check the version and cmd.
--
-- @param payload containing response
-- @return output_table containing results or nil
local function parse_discovery_response(response)
local info = stdnse.output_table()
local unique_macs = {}
local mac_ip_table = {}
if #response < 4 then
return nil
end
-- Verify header and cmd
if response:byte(1) == 0x01 then
if response:byte(2) ~= 0x00 then
return nil
end
info.protocol = "v1"
elseif response:byte(1) == 0x02 then
-- Known values for cmd are 6,9, and 11
if response:byte(2) ~= 0x06 and response:byte(2) ~= 0x09
and response:byte(2) ~= 0x0b then
return nil
end
info.protocol = "v2"
else
return nil
end
local config_len = string.unpack(">I2", response, 3)
-- Do the lengths check out?
if ( not ( #response == config_len + 4) ) then
return nil
end
-- Response looks legit, start extraction
local config_data = string.sub(response, 5, #response)
local tlv_type, tlv_len, tlv_value, pos
local mac, mac_raw, ip, ip_raw
pos = 1
while pos <= #config_data - 2 do
tlv_type = config_data:byte(pos)
tlv_len = string.unpack(">I2", config_data, pos +1)
pos = pos + 3
-- Sanity check that TLV len isn't larger than the data we have left.
-- Has been observed in the wild against protocols just similar enough to
-- make it here.
if tlv_len > (#config_data - pos + 1) then
return nil
end
tlv_value = config_data:sub(pos, pos + tlv_len - 1)
-- MAC address
if tlv_type == 0x01 then
mac_raw = tlv_value:sub(1, 6)
mac = stdnse.format_mac(mac_raw)
unique_macs[mac] = true
-- MAC and IP address
elseif tlv_type == 0x02 then
mac_raw = tlv_value:sub(1, 6)
mac = stdnse.format_mac(mac_raw)
unique_macs[mac] = true
ip_raw = tlv_value:sub(7, tlv_len)
ip = ipOps.str_to_ip(ip_raw)
if mac_ip_table[mac] == nil then
mac_ip_table[mac] = {}
end
mac_ip_table[mac][ip] = true
elseif tlv_type == 0x03 then
info.firmware = tlv_value
local human_version = tlv_value:match("%.(v%d+%.%d+%.%d+)")
if human_version then
info.version = human_version
end
elseif tlv_type == 0x0a then
if tlv_len == 4 then
local uptime_raw = string.unpack(">I4", tlv_value)
info.uptime_seconds = uptime_raw
info.uptime = uptime_str(uptime_raw)
end
elseif tlv_type == 0x0b then
info.hostname = tlv_value
elseif tlv_type == 0x0c then
info.product = tlv_value
elseif tlv_type == 0x0d then
info.essid = tlv_value
elseif tlv_type == 0x0f then
-- value also includes bit shifted flag for http vs https but we
-- are ignoring it here.
if tlv_len == 4 then
tlv_value = string.unpack(">I4", tlv_value)
info.mgmt_port = tlv_value & 0xffff
end
-- model v1 protocol
elseif tlv_type == 0x14 then
info.model = tlv_value
-- model v2 protocol
elseif tlv_type == 0x15 then
info.model = tlv_value
elseif tlv_type == 0x16 then
info.version = tlv_value
elseif tlv_type == 0x17 then
local is_default
if tlv_len == 4 then
is_default = string.unpack("I4", tlv_value)
elseif tlv_len == 1 then
is_default = string.unpack("I1", tlv_value)
end
if is_default == 1 then
info.config_status = "default/unmanaged"
elseif is_default == 0 then
info.config_status = "managed/adopted"
end
else
-- Other known or observed values
-- Some have been seen in code but not observed to test while others have
-- been observed but we don't know how to decode them.
-- 0x06 - username
-- 0x07 - salt
-- 0x08 - random challenge
-- 0x09 - challenge
-- 0x0e - WMODE - state of config? length 1 value 03 value 02
-- 0x10 - length 2 value e4b2 value e8a5 e815
-- 0x12 - SEQ - lenth 4
-- 0x13 - Source Mac, unused?
-- 0x18 - length 4 and 4 nulls, or length 1 and 0xff
-- 0xff - length 2 value e835
stdnse.debug1("Unknown tag: %s - length: %d value: %s",
stdnse.tohex(tlv_type), tlv_len,
stdnse.tohex(tlv_value))
end
pos = pos + tlv_len
end
if next(mac_ip_table) ~= nil then
info.interface_to_ip = {}
for k, _ in pairs(mac_ip_table) do
info.interface_to_ip[k] = tableaux.keys(mac_ip_table[k])
end
end
if next(unique_macs) ~= nil then
info.mac_addresses = tableaux.keys(unique_macs)
end
return info
end
---
-- Send probe and handle housekeeping
--
-- @param host A host table for the target host
-- @param port A port table for the target port
-- @return (status, result) If status is true, result the target's response to
-- a probe. If status is false, result is an error message.
local function send_probe(host, port, probe)
local socket = nmap.new_socket()
socket:set_timeout(5000)
local try = nmap.new_try(function() socket:close() end)
try( socket:connect(host, port) )
try( socket:send(probe) )
local stat, resp = socket:receive_bytes(4)
socket:close()
return stat, resp
end
function action(host, port)
local status, response = send_probe(host, port, PROBE_V1)
if not status then
status, response = send_probe(host, port, PROBE_V2)
if not status then
return nil
end
end
nmap.set_port_state(host, port, "open")
local result = parse_discovery_response(response)
if not result then
return nil
end
port.version.name = "ubiquiti-discovery"
port.version.product = "Ubiquiti Discovery Service"
local extrainfo = result.protocol .. " protocol"
if result.product then
extrainfo = extrainfo .. ", " .. result.product
elseif result.model then
extrainfo = extrainfo .. ", " .. result.model
end
if result.version then
port.version.extrainfo = extrainfo .. " software ver. " .. result.version
end
port.version.ostype = "Linux"
nmap.set_port_version(host, port, "hardmatched")
return result
end