Nmap Development mailing list archives
[NSE] db2-das-info.nse: IBM DB2 Server Profile export + Version detection - Re-engineered
From: Tom Sellers <nmap () fadedcode net>
Date: Wed, 27 Jan 2010 18:49:54 -0600
I have just committed a new version of the IBM DB2 Server Profile export/version detection
NSE script, db2-das-info.nse, that I wrote in December [1]. The original seemed to work
well on many systems, but would choke on others.
Patrik "HeyNewSoftware!,HereIsAScriptForThat" Karlsson jumped in, figured out some key
details about the packet structure and then rebuilt the script in a much more functional,
modular and maintainable format.
In short, the script connects to the IBM DB2 Administration Server (DAS) on TCP or UDP port
523 and exports the server profile. No authentication is required for this request.
The script will also set the port product and version if a version scan is requested.
The data it returns matches what would be returned if one were to use the Export Server
Profile command using the DB2 Control Center GUI:
PORT STATE SERVICE VERSION
523/tcp open ibm-db2 IBM DB2 Database Server 9.07.0
| db2-das-info: DB2 Administration Server Settings
| ;DB2 Server Database Access Profile
| ;Use BINARY file transfer
| ;Comment lines start with a ";"
| ;Other lines must be one of the following two types:
| ;Type A: [section_name]
| ;Type B: keyword=value
|
| [File_Description]
| Application=DB2/LINUX 9.7.0
| Platform=18
| File_Content=DB2 Server Definitions
| File_Type=CommonServer
| File_Format_Version=1.0
| DB2System=MYBIGDATABASESERVER
| ServerType=DB2LINUX
|
| [adminst>dasusr1]
| NodeType=1
| DB2Comm=TCPIP
| Authentication=SERVER
| HostName=MYBIGDATABASESERVER
| PortNumber=523
| IpAddress=127.0.1.1
|
| [inst>db2inst1]
| NodeType=1
| DB2Comm=TCPIP
| Authentication=SERVER
| HostName=MYBIGDATABASESERVER
| ServiceName=db2c_db2inst1
| PortNumber=50000
| IpAddress=127.0.1.1
| QuietMode=No
| TMDatabase=1ST_CONN
|
| [db>db2inst1:TOOLSDB]
| DBAlias=TOOLSDB
| DBName=TOOLSDB
| Drive=/home/db2inst1
| Dir_entry_type=INDIRECT
|_Authentication=NOTSPEC
There is quite a bit of recon value in the data returned:
DB2 version, server OS/platform, database names and port numbers, file system path names,
hostname and IP address.
Oddly enough I have seen DB2 return the IPv6 address when queried over the IPv4 interface.
Any testing or feedback with the functionality and structure of the script would be
greatly appreciated! (If it works blame Patrik, if it doesn't then I did it.)
Of particular interest are:
1. The debug output is VERY verbose at the moment. This is due to instrumenting the
packet manipulation process. Should we comment out some of this detail?
2. Testing and feedback against unusual platforms would be great, we have already
seen where dealing with atypical setups can cause problems.
Thanks,
Tom
1. http://seclists.org/nmap-dev/2009/q4/659
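As an added example (not code from the post, from nmap, or from db2-das-info.nse), the following Python parses the Server Database Access Profile format shown above according to the rules stated in its own header (";" lines are comments, "[name]" opens a section, "keyword=value" belongs to the current section), strips nmap's "| " output prefix if the text was pasted from a scan, and pulls out the fields the post lists as having recon value. The SAMPLE_PROFILE is constructed from the output quoted above; all function and field names are this example's own assumptions.

```python
"""Parse an IBM DB2 "Server Database Access Profile" (the text that
db2-das-info prints) and summarise the recon-relevant fields.

Added example, not part of the nmap-dev post or of db2-das-info.nse.
SAMPLE_PROFILE is constructed from the output quoted in the post."""

import ipaddress
import re

SAMPLE_PROFILE = """\
;DB2 Server Database Access Profile
;Comment lines start with a ";"

[File_Description]
Application=DB2/LINUX 9.7.0
Platform=18
DB2System=MYBIGDATABASESERVER
ServerType=DB2LINUX

[adminst>dasusr1]
Authentication=SERVER
HostName=MYBIGDATABASESERVER
PortNumber=523
IpAddress=127.0.1.1

[inst>db2inst1]
Authentication=SERVER
HostName=MYBIGDATABASESERVER
ServiceName=db2c_db2inst1
PortNumber=50000
IpAddress=127.0.1.1

[db>db2inst1:TOOLSDB]
DBAlias=TOOLSDB
DBName=TOOLSDB
Drive=/home/db2inst1
Dir_entry_type=INDIRECT
Authentication=NOTSPEC
"""


def parse_profile(text):
    """Return {section_name: {key: value}} in file order.

    Type A lines ([section_name]) open a section, Type B lines
    (keyword=value) fill it, ';' lines are comments.  Lines may carry the
    '| ' or '|_' prefix nmap puts in front of script output."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = re.sub(r"^\|_?\s?", "", raw.strip())  # drop nmap's prefix
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections[current] = {}
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip()] = value.strip()
        # anything else is neither Type A nor Type B and is ignored
    return sections


def ip_version(addr):
    """4, 6 or None.  The post notes that DB2 can hand back an IPv6 address
    even when queried over IPv4, so the literal is never assumed to be v4."""
    try:
        return ipaddress.ip_address(addr).version
    except (ValueError, TypeError):
        return None


def summarize(sections):
    """Collect the recon fields: DB2 version, platform, instances with their
    listening ports and addresses, database names and file-system paths."""
    fd = sections.get("File_Description", {})
    m = re.search(r"(\d+(?:\.\d+)+)\s*$", fd.get("Application", ""))
    summary = {
        "db2_version": m.group(1) if m else None,
        "platform": fd.get("Platform"),
        "server_type": fd.get("ServerType"),
        "db2system": fd.get("DB2System"),
        "instances": [],
        "databases": [],
        "paths": set(),
    }
    for name, kv in sections.items():
        kind, _, rest = name.partition(">")
        if kind in ("adminst", "inst"):  # DAS or a DB2 instance entry
            port = kv.get("PortNumber", "")
            summary["instances"].append({
                "kind": kind,
                "name": rest,
                "host": kv.get("HostName"),
                "port": int(port) if port.isdigit() else None,
                "ip": kv.get("IpAddress"),
                "ip_version": ip_version(kv.get("IpAddress")),
            })
        elif kind == "db":  # "db>instance:DBNAME"
            inst, _, dbname = rest.partition(":")
            summary["databases"].append({
                "instance": inst,
                "name": kv.get("DBName", dbname),
                "alias": kv.get("DBAlias"),
            })
            if kv.get("Drive"):
                summary["paths"].add(kv["Drive"])
    summary["paths"] = sorted(summary["paths"])
    return summary


if __name__ == "__main__":
    print(summarize(parse_profile(SAMPLE_PROFILE)))
```

The parser is deliberately permissive about the nmap prefix so that a profile pasted straight from a scan report parses the same as the raw export; the IPv4/IPv6 classification is there because of the mixed-address behaviour the post reports.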
Attachment: db2-das-info.nse