Nmap Development mailing list archives

Re: [SCRIPT] IBM DB2 Server Profile export + Version detection


From: Patrik Karlsson <patrik () labb1 com>
Date: Sun, 20 Dec 2009 00:29:42 +0100

Hi Tom,

I ran the script against both Windows and Linux and at first it looked great. Looking a bit closer I noticed that the 
server profile ended in the middle of a node description. Running the script against the same server several times 
sometimes ended up with a complete server profile and other times with just half of it.

My guess is that as your script searches for the beginning of the profile and breaks the loop once it detects it, you 
sometimes end up with incomplete data in the receive buffer, needing to call it again to retrieve the remaining data. I 
made some small changes so that it reads until it finds "\r\n\0" at the end of the receive buffer instead and then 
breaks. This change allowed me to get consistent results. If you're interested in the diff let me know.

An even better (or overambitious?) solution might be to read a fixed length data header of the socket, retrieve the 
length of the data from this header, and then read the remaining data from the socket. That would require protocol 
documentation/knowledge or some packet analysis though. I did some initial packet analysis and found some stuff that 
was the same in each packet and some bytes that probably contain length info. 

Regarding the platform, I'm seeing 5 for windows, but 30 for Linux. 
I'm running it on a 64-bit Linux platform, don't know if this makes a difference.

| [File_Description]
| Application=DB2/LINUXX8664 9.7.0
| Platform=30
| File_Content=DB2 Server Definitions
| File_Type=CommonServer
| File_Format_Version=1.0
| DB2System=HARDY-SRV01
| ServerType=DB2LINUXX8664

| [File_Description]
| Application=DB2/NT 9.7.0
| Platform=5
| File_Content=DB2 Server Definitions
| File_Type=CommonServer
| File_Format_Version=1.0
| DB2System=EDUSRV011
| ServerType=DB2NT


//Patrik

On 19 dec 2009, at 14.41, Tom Sellers wrote:

I have finally (only a month late) finished the script to query the IBM DB2
Administration Server (DAS) service.  The script connects to the DB2 DAS service
on either TCP or UDP port 523.  No authentication is required for the connection.


The data it returns matches what would be returned if one were to use the Export
Server Profile command using the DB2 Control Center GUI:

PORT    STATE SERVICE VERSION
523/tcp open  ibm-db2 IBM DB2 Database Server 9.07.0
| db2-das-info: DB2 Administration Server Settings
| ;DB2 Server Database Access Profile
| ;Use BINARY file transfer
| ;Comment lines start with a ";"
| ;Other lines must be one of the following two types:
| ;Type A: [section_name]
| ;Type B: keyword=value
|
| [File_Description]
| Application=DB2/LINUX 9.7.0
| Platform=18
| File_Content=DB2 Server Definitions
| File_Type=CommonServer
| File_Format_Version=1.0
| DB2System=MYBIGDATABASESERVER
| ServerType=DB2LINUX
|
| [adminst>dasusr1]
| NodeType=1
| DB2Comm=TCPIP
| Authentication=SERVER
| HostName=MYBIGDATABASESERVER
| PortNumber=523
| IpAddress=127.0.1.1
|
| [inst>db2inst1]
| NodeType=1
| DB2Comm=TCPIP
| Authentication=SERVER
| HostName=MYBIGDATABASESERVER
| ServiceName=db2c_db2inst1
| PortNumber=50000
| IpAddress=127.0.1.1
| QuietMode=No
| TMDatabase=1ST_CONN
|
| [db>db2inst1:TOOLSDB]
| DBAlias=TOOLSDB
| DBName=TOOLSDB
| Drive=/home/db2inst1
| Dir_entry_type=INDIRECT
|_Authentication=NOTSPEC

The script will also set the service product and version data if possible.

There is quite a bit of recon value in the data returned:
DB2 version, server OS/platform, database names and port numbers, file system
path names, hostname and IP address.

Oddly enough I have seen DB2 return the IPv6 address when queried over the IPv4 interface.

Any testing or feedback with the functionality and structure of the script would
be greatly appreciated!

Of particular interest are:
1.  Is the feedback too verbose?  This is the format that the server returns
   the data in, barring some noise prior to the data.  Should this be
   parsed out and reformatted?

2.  If you test it on a server I would love to see feedback on the Platform
   numbers that are returned and on what OSes.  So far I have seen
   Platform=18 on Linux and Platform=5 on Windows.

Thanks,

Tom






<db2-das-info.nse>

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/

--
Patrik Karlsson
http://www.cqure.net
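The two stop conditions discussed in the thread (breaking as soon as the profile header is seen versus reading until the buffer ends with "\r\n\0"), together with a parser for the profile format that Tom's output describes, as an added Python illustration rather than code from db2-das-info.nse; the sample profile, the fake socket reader and all function names are constructed for this example.

```python
TERMINATOR = b"\r\n\0"  # a complete DAS reply ends with these three bytes
# Constructed sample modelled on Tom's quoted export (trimmed to a few lines).
SAMPLE_PROFILE = (
    b";DB2 Server Database Access Profile\r\n"
    b";Comment lines start with a \";\"\r\n"
    b"\r\n[File_Description]\r\n"
    b"Application=DB2/LINUX 9.7.0\r\n"
    b"Platform=18\r\n"
    b"\r\n[inst>db2inst1]\r\n"
    b"PortNumber=50000\r\n"
) + TERMINATOR

def stops_at_header(buf):  # original break condition: fragile, as Patrik found
    return b"[File_Description]" in buf
def stops_at_end(buf):  # the fix: stop only once the whole buffer ends with "\r\n\0"
    return buf.endswith(TERMINATOR)

def recv_until(recv, done, max_bytes=65536):
    """Accumulate chunks from recv (any sock.recv-like callable; b"" means the peer
    closed) until done(buf) holds; testing the whole buffer copes with a split terminator."""
    buf = b""
    while not done(buf):
        chunk = recv(4096)
        if not chunk:
            raise ConnectionError("connection closed before the reply was complete")
        buf += chunk
        if len(buf) > max_bytes:
            raise ValueError("reply larger than expected")
    return buf

def parse_profile(raw):
    """Parse into {section: {keyword: value}} using the rules the server prints in
    its own header: ';' comment, '[name]' section, 'keyword=value' otherwise."""
    sections, current = {}, None
    for line in raw.rstrip(b"\0").decode("latin-1").splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections[current] = {}
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip()] = value.strip()
    return sections

def chunked_reader(data, size):
    """Fake recv(): hands out data in size-byte fragments, then b"" (a stand-in for a socket)."""
    parts = iter([data[i:i + size] for i in range(0, len(data), size)])
    return lambda _n: next(parts, b"")
```

With 48-byte fragments the header-based stop returns before the Platform line has arrived, reproducing the half-profile Patrik saw, while the terminator-based stop assembles the full reply and refuses a stream that closes early.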



