Nmap Development mailing list archives

Re: [NSE] New NSE library for DICOM and scripts dicom-ping and dicom-brute


From: "Arturo 'Buanzo' Busleiman" <buanzo () buanzo com ar>
Date: Tue, 6 Aug 2019 11:05:10 -0300

Wonderful work Paulino, as usual.


On Mon, Aug 5, 2019 at 11:48 AM Paulino Calderon <paulino () calderonpale com> wrote:

Hey,

I’ve committed in r37704 an NSE library for the DICOM protocol [1], commonly
found in medical environments. With this new library I’ve committed the scripts
dicom-ping [2] and dicom-brute [3], which can be used to identify and brute
force DICOM servers. I’m posting these scripts now as they are ready, but I
also (should) have working copies of two more scripts using this library:
dicom-assoc-flood and dicom-fuzzer.

Next, for this library I would like to finish the implementation of the
C-FIND operation to get Nmap to list patient’s information. :)

Cheers.

dicom.lua
++++++++++++++++++++
--
-- DICOM library
--
-- This library implements (partially) the DICOM protocol. This protocol is used to
-- capture, store and distribute medical images.
--
-- From Wikipedia:
-- The core application of the DICOM standard is to capture, store and distribute
-- medical images. The standard also provides services related to imaging such as
-- managing imaging procedure worklists, printing images on film or digital media
-- like DVDs, reporting procedure status like completion of an imaging acquisition,
-- confirming successful archiving of images, encrypting datasets, removing patient
-- identifying information from datasets, organizing layouts of images for review,
-- saving image manipulations and annotations, calibrating image displays, encoding
-- ECGs, encoding CAD results, encoding structured measurement data, and storing
-- acquisition protocols.
--
-- OPTIONS:
-- *<code>called_aet</code> - If set it changes the called Application Entity Title
--                            used in the requests. Default: ANY-SCP
-- *<code>calling_aet</code> - If set it changes the calling Application Entity Title
--                            used in the requests. Default: ECHOSCU
--
-- @args dicom.called_aet Called Application Entity Title. Default: ANY-SCP
-- @args dicom.calling_aet Calling Application Entity Title. Default: ECHOSCU
--
-- @author Paulino Calderon <paulino () calderonpale com>
-- @copyright Same as Nmap--See https://nmap.org/book/man-legal.html
--

dicom-ping.nse
++++++++++++++++++++
description = [[
Attempts to discover DICOM servers (DICOM Service Provider) through a partial
C-ECHO request. It also detects if the server allows any called Application
Entity Title or not.

The script responds with the message "Called AET check enabled" when the
association request is rejected due to configuration. This value can be
bruteforced.

C-ECHO requests are commonly known as DICOM ping as they are used to test
connectivity. Normally, a 'DICOM ping' is formed as follows:
* Client -> A-ASSOCIATE request -> Server
* Server -> A-ASSOCIATE ACCEPT/REJECT -> Client
* Client -> C-ECHO request -> Server
* Server -> C-ECHO response -> Client
* Client -> A-RELEASE request -> Server
* Server -> A-RELEASE response -> Client

For this script we only send the A-ASSOCIATE request and look for the success
code in the response as it seems to be a reliable way of detecting DICOM
servers.
]]

dicom-brute.nse
++++++++++++++++++++
description = [[
Attempts to brute force the Application Entity Title of a DICOM server
(DICOM Service Provider).

Application Entity Titles (AET) are used to restrict responses only to
clients knowing the title. Hence, the called AET is used as a form of password.
]]

---
-- @usage nmap -p4242 --script dicom-brute <target>
-- @usage nmap -sV --script dicom-brute <target>
-- @usage nmap --script dicom-brute --script-args passdb=aets.txt <target>
--
-- @output
-- PORT     STATE SERVICE        REASON
-- 4242/tcp open  vrml-multi-use syn-ack
-- | dicom-brute:
-- |   Accounts:
-- |     Called Application Entity Title:ORTHANC - Valid credentials
-- |_  Statistics: Performed 5 guesses in 1 seconds, average tps: 5.0
---


[1] https://svn.nmap.org/nmap/nselib/dicom.lua
[2] https://svn.nmap.org/nmap/scripts/dicom-ping.nse
[3] https://svn.nmap.org/nmap/scripts/dicom-brute.nse

_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
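The A-ASSOCIATE step that dicom-ping relies on, as an added example that is not part of the original mail or of the Nmap library: a small Python client that builds an A-ASSOCIATE-RQ PDU proposing the Verification SOP Class, decodes the A-ASSOCIATE-AC or A-ASSOCIATE-RJ the server answers with, and maps the reject reason "called-AE-title-not-recognized" onto the "called AET check enabled" result the script reports. The PDU field layout and reject codes follow PS3.8 of the DICOM standard; the implementation class UID is a constructed placeholder, the default port 4242 is taken from the script's @usage line, and the two sample replies are constructed rather than captured from a real server. For a defender this is a quick way to inventory which archives on your own network accept associations for any called AET.

```python
import socket
import struct

# UIDs defined by the DICOM standard (PS3.7 / PS3.8)
APPLICATION_CONTEXT_UID = b"1.2.840.10008.3.1.1.1"  # DICOM Application Context Name
VERIFICATION_SOP_CLASS = b"1.2.840.10008.1.1"       # Verification SOP Class, used by C-ECHO
IMPLICIT_VR_LE = b"1.2.840.10008.1.2"               # Implicit VR Little Endian transfer syntax
IMPL_CLASS_UID = b"1.2.3.4.5.6.7.8.9"                # constructed placeholder, not a registered UID


def _item(item_type, payload):
    """PDU item / sub-item: 1-byte type, 1 reserved byte, 2-byte big-endian length, payload."""
    return struct.pack(">BBH", item_type, 0, len(payload)) + payload


def _aet(title):
    """Application Entity Titles are 1..16 ASCII bytes, space padded to 16."""
    raw = title.encode("ascii")
    if not 0 < len(raw) <= 16:
        raise ValueError("AE title must be 1..16 ASCII characters")
    return raw.ljust(16, b" ")


def build_associate_rq(called_aet="ANY-SCP", calling_aet="ECHOSCU", max_pdu=16384):
    """Build an A-ASSOCIATE-RQ PDU (type 0x01) proposing one presentation context
    for the Verification SOP Class, i.e. the first message of a DICOM ping."""
    app_ctx = _item(0x10, APPLICATION_CONTEXT_UID)
    pres_ctx = _item(0x20, bytes([1, 0, 0, 0])            # context id 1 + 3 reserved bytes
                     + _item(0x30, VERIFICATION_SOP_CLASS)
                     + _item(0x40, IMPLICIT_VR_LE))
    user_info = _item(0x50, _item(0x51, struct.pack(">I", max_pdu))  # maximum PDU length
                      + _item(0x52, IMPL_CLASS_UID))                  # implementation class UID
    body = (struct.pack(">HH", 1, 0)                      # protocol version 1, reserved
            + _aet(called_aet) + _aet(calling_aet) + bytes(32)
            + app_ctx + pres_ctx + user_info)
    return struct.pack(">BBI", 0x01, 0, len(body)) + body


# A-ASSOCIATE-RJ code tables (PS3.8, section 9.3.4)
RJ_RESULT = {1: "rejected-permanent", 2: "rejected-transient"}
RJ_SOURCE = {1: "UL service-user", 2: "UL service-provider (ACSE)",
             3: "UL service-provider (presentation)"}
RJ_REASON = {
    1: {1: "no-reason-given", 2: "application-context-name-not-supported",
        3: "calling-AE-title-not-recognized", 7: "called-AE-title-not-recognized"},
    2: {1: "no-reason-given", 2: "protocol-version-not-supported"},
    3: {1: "temporary-congestion", 2: "local-limit-exceeded"},
}


def parse_associate_response(data):
    """Decode the PDU a DICOM SCP returns for an A-ASSOCIATE-RQ: an A-ASSOCIATE-AC
    (0x02) or an A-ASSOCIATE-RJ (0x03). Anything else is reported as unexpected."""
    if len(data) < 6:
        return {"status": "unexpected", "detail": "PDU shorter than its 6-byte header"}
    pdu_type, _, length = struct.unpack(">BBI", data[:6])
    if pdu_type == 0x02:
        if len(data) < 74:  # 6-byte header + version/reserved + two AETs + 32 reserved
            return {"status": "unexpected", "detail": "truncated A-ASSOCIATE-AC"}
        return {"status": "accepted",
                "protocol_version": struct.unpack(">H", data[6:8])[0],
                "called_aet": data[10:26].rstrip(b" ").decode("ascii", "replace"),
                "calling_aet": data[26:42].rstrip(b" ").decode("ascii", "replace")}
    if pdu_type == 0x03:
        if length != 4 or len(data) < 10:
            return {"status": "unexpected", "detail": "malformed A-ASSOCIATE-RJ"}
        result, source, reason = data[7], data[8], data[9]
        return {"status": "rejected",
                "result": RJ_RESULT.get(result, "reserved(%d)" % result),
                "source": RJ_SOURCE.get(source, "reserved(%d)" % source),
                "reason": RJ_REASON.get(source, {}).get(reason, "reserved(%d)" % reason)}
    return {"status": "unexpected", "detail": "PDU type 0x%02x" % pdu_type}


def classify(resp):
    """Summarise a decoded response the way a discovery script would report it."""
    if resp["status"] == "accepted":
        return "DICOM server: association accepted"
    if resp["status"] == "rejected":
        if resp["reason"] == "called-AE-title-not-recognized":
            return "DICOM server: called AET check enabled"
        return "DICOM server: association rejected (%s, %s)" % (resp["source"], resp["reason"])
    return "not identified as DICOM (%s)" % resp["detail"]


def dicom_ping(host, port=4242, called_aet="ANY-SCP", calling_aet="ECHOSCU", timeout=5.0):
    """Send one A-ASSOCIATE-RQ, read the reply, and release the association if accepted."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_associate_rq(called_aet, calling_aet))
        resp = parse_associate_response(s.recv(65535))
        if resp["status"] == "accepted":
            s.sendall(struct.pack(">BBI", 0x05, 0, 4) + bytes(4))  # A-RELEASE-RQ
    return classify(resp)


# Constructed sample replies (not captured from a real server)
SAMPLE_AC = (struct.pack(">BBI", 0x02, 0, 68) + struct.pack(">HH", 1, 0)
             + _aet("ANY-SCP") + _aet("ECHOSCU") + bytes(32))
SAMPLE_RJ = bytes([0x03, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x01, 0x01, 0x07])

if __name__ == "__main__":
    for sample in (SAMPLE_AC, SAMPLE_RJ):
        print(classify(parse_associate_response(sample)))
```

Running the module prints the classification of the two constructed replies; `dicom_ping(host)` performs the real exchange against an archive you administer. Sending A-RELEASE-RQ after an accepted association keeps the probe from leaving half-open associations in the server's logs, which is the behaviour an operator reviewing those logs would rather see.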
