Nmap Development mailing list archives

Re: [NSE] db2-das-info.nse: IBM DB2 Server Profile export + Version detection - Re-engineered


From: Patrik Karlsson <patrik () cqure net>
Date: Sat, 30 Jan 2010 10:15:42 +0100


On 30 jan 2010, at 10.12, Matt Selsky wrote:


On Jan 27, 2010, at 7:49 PM, Tom Sellers wrote:

I have just committed a new version of the IBM DB2 Server Profile export/version detection
NSE script, db2-das-info.nse, that I wrote in December [1].  The original seemed to work
well on many systems, but would choke on others.

Patrik "HeyNewSoftware!,HereIsAScriptForThat" Karlsson jumped in, figured out some key
details about the packet structure and then rebuilt the script in a much more functional,
modular and maintainable format.

In short, the script connects to the IBM DB2 Administration Server (DAS) on TCP or UDP port
523 and exports the server profile.  No authentication is required for this request.

The script will also set the port product and version if a version scan is requested.

The data it returns matches what would be returned if one were to use the Export Server
Profile command using the DB2 Control Center GUI:

PORT    STATE SERVICE VERSION
523/tcp open  ibm-db2 IBM DB2 Database Server 9.07.0
| db2-das-info: DB2 Administration Server Settings
| ;DB2 Server Database Access Profile
| ;Use BINARY file transfer
| ;Comment lines start with a ";"
| ;Other lines must be one of the following two types:
| ;Type A: [section_name]
| ;Type B: keyword=value
|
| [File_Description]
| Application=DB2/LINUX 9.7.0
| Platform=18
| File_Content=DB2 Server Definitions
| File_Type=CommonServer
| File_Format_Version=1.0
| DB2System=MYBIGDATABASESERVER
| ServerType=DB2LINUX
|
| [adminst>dasusr1]
| NodeType=1
| DB2Comm=TCPIP
| Authentication=SERVER
| HostName=MYBIGDATABASESERVER
| PortNumber=523
| IpAddress=127.0.1.1
|
| [inst>db2inst1]
| NodeType=1
| DB2Comm=TCPIP
| Authentication=SERVER
| HostName=MYBIGDATABASESERVER
| ServiceName=db2c_db2inst1
| PortNumber=50000
| IpAddress=127.0.1.1
| QuietMode=No
| TMDatabase=1ST_CONN
|
| [db>db2inst1:TOOLSDB]
| DBAlias=TOOLSDB
| DBName=TOOLSDB
| Drive=/home/db2inst1
| Dir_entry_type=INDIRECT
|_Authentication=NOTSPEC


There is quite a bit of recon value in the data returned:
DB2 version, server OS/platform, database names and port numbers, file system path names,
hostname and IP address.

Oddly enough, I have seen DB2 return the IPv6 address when queried over the IPv4 interface.

Any testing or feedback with the functionality and structure of the script would be
greatly appreciated!  (If it works blame Patrik, if it doesn't then I did it.)

Of particular interest are:
1.  The debug output is VERY verbose at the moment.  This is due to instrumenting the
  packet manipulation process.  Should we comment out some of this detail?

2.  Testing and feedback against unusual platforms would be great, we have already
  seen where dealing with atypical setups can cause problems.

I tried this on a Solaris 8 system running DB2 7.2.4

Debug output shows:

# ./nmap --datadir . -PN -d --script=db2-das-info -sSU -p 523 spinach
[snip]
NSE: Starting db2-das-info against 192.168.59.60:523.
NSE: Starting db2-das-info against 192.168.59.60:523.
NSE: db2-das-info: ERROR communicating with DB2 server
NSE: db2-das-info against 192.168.59.60:523 threw an error!
EOF
stack traceback:
       [C]: in function 'try'
       ./scripts/db2-das-info.nse:130: in function 'read_db2_packet'
       ./scripts/db2-das-info.nse:261: in function <./scripts/db2-das-info.nse:230>
       (tail call): ?

NSE: db2-das-info: ERROR communicating with DB2 server
NSE: db2-das-info against 192.168.59.60:523 threw an error!
EOF
stack traceback:
       [C]: in function 'try'
       ./scripts/db2-das-info.nse:130: in function 'read_db2_packet'
       ./scripts/db2-das-info.nse:261: in function <./scripts/db2-das-info.nse:230>
       (tail call): ?

I can send the full debug output off-list if you need it.


-- 
Matt
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/


Hi Matt,

Could you please send us the output of a -d3 scan and if possible a pcap dump off-list?

Thanks,
Patrik
--
Patrik Karlsson
http://www.cqure.net
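As an added example (not part of this thread or of db2-das-info.nse), a small Python parser for the server profile format Tom describes above (";" comment lines, Type A "[section]" lines, Type B "keyword=value" lines), plus a summary of what the unauthenticated export discloses to anyone who can reach port 523. The sample profile is a constructed, trimmed copy of the one shown in the thread.

```python
# Constructed sample, trimmed from the profile export shown earlier in the thread.
SAMPLE_PROFILE = """\
;DB2 Server Database Access Profile
[File_Description]
Application=DB2/LINUX 9.7.0
Platform=18

[adminst>dasusr1]
PortNumber=523
IpAddress=127.0.1.1
[inst>db2inst1]
PortNumber=50000
IpAddress=127.0.1.1
[db>db2inst1:TOOLSDB]
DBName=TOOLSDB
Drive=/home/db2inst1
"""

def parse_profile(text):
    """Return {section: {key: value}} from the profile's Type A '[section]' and
    Type B 'keyword=value' lines; ';' comment lines and blank lines are skipped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip()] = value.strip()
        else:  # anything else means the export was truncated or is not a profile
            raise ValueError("unexpected profile line: %r" % raw)
    return sections

def summarize_exposure(sections):
    """Collect what the unauthenticated DAS export discloses: version, platform,
    instance listeners (IP, port) and database names with their file system paths."""
    out = {"version": None, "platform": None, "listeners": [], "databases": []}
    for name, kv in sections.items():
        kind, _, ident = name.partition(">")  # e.g. 'inst>db2inst1', 'db>db2inst1:TOOLSDB'
        if name == "File_Description":
            out["version"], out["platform"] = kv.get("Application"), kv.get("Platform")
        elif kind in ("adminst", "inst"):  # admin server and DB2 instance listeners
            out["listeners"].append((ident, kv.get("IpAddress"), kv.get("PortNumber")))
        elif kind == "db":
            out["databases"].append((ident, kv.get("DBName"), kv.get("Drive")))
    return out
```

Feeding it the script's output for a host gives a quick inventory of what the DAS port leaks, which is useful when deciding whether port 523 should be reachable from the network at all.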





