Nmap Development mailing list archives
Re: [NSE] db2-das-info.nse: IBM DB2 Server Profile export + Version detection - Re-engineered
From: Patrik Karlsson <patrik () cqure net>
Date: Sat, 30 Jan 2010 10:15:42 +0100
On 30 jan 2010, at 10.12, Matt Selsky wrote:
On Jan 27, 2010, at 7:49 PM, Tom Sellers wrote:

I have just committed a new version of the IBM DB2 Server Profile export/version detection NSE script, db2-das-info.nse, that I wrote in December [1]. The original seemed to work well on many systems, but would choke on others. Patrik "HeyNewSoftware!,HereIsAScriptForThat" Karlsson jumped in, figured out some key details about the packet structure and then rebuilt the script in a much more functional, modular and maintainable format.

In short, the script connects to the IBM DB2 Administration Server (DAS) on TCP or UDP port 523 and exports the server profile. No authentication is required for this request. The script will also set the port product and version if a version scan is requested. The data it returns matches what would be returned if one were to use the Export Server Profile command using the DB2 Control Center GUI:

PORT    STATE SERVICE VERSION
523/tcp open  ibm-db2 IBM DB2 Database Server 9.07.0
| db2-das-info: DB2 Administration Server Settings
| ;DB2 Server Database Access Profile
| ;Use BINARY file transfer
| ;Comment lines start with a ";"
| ;Other lines must be one of the following two types:
| ;Type A: [section_name]
| ;Type B: keyword=value
|
| [File_Description]
| Application=DB2/LINUX 9.7.0
| Platform=18
| File_Content=DB2 Server Definitions
| File_Type=CommonServer
| File_Format_Version=1.0
| DB2System=MYBIGDATABASESERVER
| ServerType=DB2LINUX
|
| [adminst>dasusr1]
| NodeType=1
| DB2Comm=TCPIP
| Authentication=SERVER
| HostName=MYBIGDATABASESERVER
| PortNumber=523
| IpAddress=127.0.1.1
|
| [inst>db2inst1]
| NodeType=1
| DB2Comm=TCPIP
| Authentication=SERVER
| HostName=MYBIGDATABASESERVER
| ServiceName=db2c_db2inst1
| PortNumber=50000
| IpAddress=127.0.1.1
| QuietMode=No
| TMDatabase=1ST_CONN
|
| [db>db2inst1:TOOLSDB]
| DBAlias=TOOLSDB
| DBName=TOOLSDB
| Drive=/home/db2inst1
| Dir_entry_type=INDIRECT
|_Authentication=NOTSPEC

There is quite a bit of recon value in the data returned: DB2 version, server OS/platform, database names and port numbers, file system path names, hostname and IP address. Oddly enough I have seen DB2 return the IPv6 address when queried over the IPv4 interface.

Any testing or feedback with the functionality and structure of the script would be greatly appreciated! (If it works blame Patrik, if it doesn't then I did it.) Of particular interest are:

1. The debug output is VERY verbose at the moment. This is due to instrumenting the packet manipulation process. Should we comment out some of this detail?

2. Testing and feedback against unusual platforms would be great, we have already seen where dealing with atypical setups can cause problems.

I tried this on a Solaris 8 system running DB2 7.2.4. Debug output shows:

# ./nmap --datadir . -PN -d --script=db2-das-info -sSU -p 523 spinach
[snip]
NSE: Starting db2-das-info against 192.168.59.60:523.
NSE: Starting db2-das-info against 192.168.59.60:523.
NSE: db2-das-info: ERROR communicating with DB2 server
NSE: db2-das-info against 192.168.59.60:523 threw an error!
EOF
stack traceback:
        [C]: in function 'try'
        ./scripts/db2-das-info.nse:130: in function 'read_db2_packet'
        ./scripts/db2-das-info.nse:261: in function <./scripts/db2-das-info.nse:230>
        (tail call): ?
NSE: db2-das-info: ERROR communicating with DB2 server
NSE: db2-das-info against 192.168.59.60:523 threw an error!
EOF
stack traceback:
        [C]: in function 'try'
        ./scripts/db2-das-info.nse:130: in function 'read_db2_packet'
        ./scripts/db2-das-info.nse:261: in function <./scripts/db2-das-info.nse:230>
        (tail call): ?

I can send the full debug output off-list if you need it.

--
Matt

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
Hi Matt,

Could you please send us the output of a -d3 scan and if possible a pcap dump off-list?

Thanks,
Patrik

--
Patrik Karlsson
http://www.cqure.net
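The profile quoted in Tom's post is a small self-describing text format (";" comment lines, "[section_name]" headers, "keyword=value" entries), and the recon value he lists is spread across its sections. The following parser is an added example written for this archive page; it is not code from db2-das-info.nse or from anyone in the thread. It reads either a raw export or the script's "| "-prefixed nmap output, splits it into sections and reduces it to version, instances with their ports, and catalogued databases. The embedded sample is constructed to mirror the export above, with the hostname, address and path being made-up values.

```python
"""Parse the DB2 DAS "Server Database Access Profile" text (the INI-like
export that db2-das-info.nse prints) and summarize the recon-relevant
fields. Added example; not part of the NSE script or this thread."""

# Constructed sample modelled on the export quoted above. Hostname, IP
# address and path are made up for this example.
SAMPLE_PROFILE = """\
;DB2 Server Database Access Profile
;Comment lines start with a ";"
;Type A: [section_name]
;Type B: keyword=value

[File_Description]
Application=DB2/LINUX 9.7.0
Platform=18
DB2System=MYBIGDATABASESERVER
ServerType=DB2LINUX

[adminst>dasusr1]
DB2Comm=TCPIP
Authentication=SERVER
HostName=MYBIGDATABASESERVER
PortNumber=523
IpAddress=127.0.1.1

[inst>db2inst1]
DB2Comm=TCPIP
Authentication=SERVER
HostName=MYBIGDATABASESERVER
ServiceName=db2c_db2inst1
PortNumber=50000
IpAddress=127.0.1.1

[db>db2inst1:TOOLSDB]
DBAlias=TOOLSDB
DBName=TOOLSDB
Drive=/home/db2inst1
Authentication=NOTSPEC
"""


def parse_profile(text):
    """Return {section_name: {keyword: value}} in file order.

    The rules come straight from the profile header: ';' starts a comment,
    '[name]' opens a section and 'keyword=value' belongs to the current
    section. Nmap's '| ' / '|_' output decoration is stripped first, so
    the function accepts the script output as well as a raw export file.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("|_"):
            line = line[2:].strip()
        elif line.startswith("|"):
            line = line[1:].strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip()] = value.strip()
        # Anything else (nmap's PORT/STATE header, the script title line,
        # truncated output) is skipped rather than raised on.
    return sections


def summarize(sections):
    """Reduce the parsed profile to what a pentester wants to know."""
    desc = sections.get("File_Description", {})
    summary = {"application": desc.get("Application"),
               "system": desc.get("DB2System"),
               "instances": [], "databases": []}
    for name, kv in sections.items():
        # Section names encode the object type: adminst>user, inst>name,
        # db>instance:alias
        kind, _, rest = name.partition(">")
        if kind in ("adminst", "inst"):
            port = kv.get("PortNumber", "")
            summary["instances"].append({
                "kind": kind, "name": rest,
                "host": kv.get("HostName"), "ip": kv.get("IpAddress"),
                "port": int(port) if port.isdigit() else None,
                "auth": kv.get("Authentication")})
        elif kind == "db":
            inst, _, alias = rest.partition(":")
            summary["databases"].append({
                "instance": inst, "alias": alias,
                "name": kv.get("DBName"), "path": kv.get("Drive")})
    return summary


if __name__ == "__main__":
    import json
    print(json.dumps(summarize(parse_profile(SAMPLE_PROFILE)), indent=2))
```

Feeding it the script's output block (everything from the "| db2-das-info:" line down to the "|_" line) yields the same structure as feeding it an export file, which makes it convenient for turning a large scan's results into a target list of instance ports to follow up on.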
Current thread:
- [NSE] db2-das-info.nse: IBM DB2 Server Profile export + Version detection - Re-engineered Tom Sellers (Jan 27)
- Re: [NSE] db2-das-info.nse: IBM DB2 Server Profile export + Version detection - Re-engineered Fyodor (Jan 28)
- Re: [NSE] db2-das-info.nse: IBM DB2 Server Profile export + Version detection - Re-engineered Matt Selsky (Jan 30)
- Re: [NSE] db2-das-info.nse: IBM DB2 Server Profile export + Version detection - Re-engineered Patrik Karlsson (Jan 30)