Re: [SCRIPT] DB2 Information gathering script

[Ron <ron () skullsecurity net>]

Hi Tom,

I couldn't find any DB2 servers in our environment that listen on 50000 
or 60000. Perhaps it has to do with our lockdown profile, or something?

I found one that I could connect to on 6789, though I didn't try that 
port on all of them.

Ron

Tom Sellers wrote:
> I have written a NSE script that enhances version detection for DB2.  It 
> also
> gathers platform (OS) and database instance information.  It functions 
> in a similar
> way to the MS SQL script.
>
> The script sends a DB2 EXCSAT (exchange server attributes) command 
> packet and
> parses the response.  This is a legitimate DB2 command and, based on my 
> reviews
> of logs, causes no problems on the server.  DB2 does log the connection 
> and the
> source IP address though.
>
>
> PORT      STATE SERVICE VERSION
> 523/tcp   open  ibm-db2 IBM DB2 Database Server 9.07.0
> 50000/tcp open  ibm-db2 IBM DB2 Database Server 9.07.0 (QDB2/LINUX)
> |  db2-info: DB2 Version: 9.07.0
> |  Server Platform: QDB2/LINUX
> |  Instance Name:   db2inst1
> |_ External Name:   db2inst1db2agent000051B3%FED%Y00
>
> In the sample output above the version of the DB2 DAS service on port 
> 523 was
> detected using nmap-service-probes.  Historically, unlike the DAS port 
> on 523,
> we have been unable to detect the exact version number on the DB2 database
> instances themselves.  There may be multiple DB2 database instances and 
> they
> typically cluster around port 50000 and 60000.
>
> Port 50000 would normally be detected as service "ibm-db2" with a 
> version string
> "IBM DB2 Database Server".  The attached NSE script can now detect the 
> exact
> version number and platform as well as the instance name for each of the
> databases.
>
> Any testing or feedback with the functionality and structure of the 
> script would
> be greatly appreciated!
>
>
> Here are my current concerns with the script:
> 1.  Is the default output too verbose?  Should I limit the output to the 
> info
>     on the port line by default and add the other lines with -v?
>
> 2.  The data from the server is encoded in EBCDIC.  I am decoding this 
> will what
>     amounts to a lookup table.  Is there a more appropriate/efficient 
> way to
>     handle this?
>
> 3.  I have built the EBCDIC table containing the ASCII chars that we should
>     encounter in this context.  Should I go ahead and build out the full 
> ASCII
>     table? (And wow, I am glad we don't use EBCDIC for much.)
>
> Thanks much,
>
> Tom
>
>
>
>
>
>
>
>
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> Sent through the nmap-dev mailing list
> http://cgi.insecure.org/mailman/listinfo/nmap-dev
> Archived at http://seclists.org/nmap-dev/
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/