Lucene search
Emiliano TicciNMAP:BROADCAST-OSPF2-DISCOVER.NSEHistoryMar 14, 2017 - 12:15 a.m.
broadcast-ospf2-discover NSE Script
2017-03-1400:15:22
Emiliano Ticci
nmap.org
241
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
10 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
0.973 High
EPSS
Percentile
99.8%
Discover IPv4 networks using Open Shortest Path First version 2(OSPFv2) protocol.
The script works by listening for OSPF Hello packets from the 224.0.0.5 multicast address. The script then replies and attempts to create a neighbor relationship, in order to discover network database.
If no interface was provided as a script argument or through the -e option, the script will fail unless a single interface is present on the system.
Script Arguments
broadcast-ospf2-discover.md5_key
MD5 digest key to use if message digest authentication is disclosed.
broadcast-ospf2-discover.router_id
Router ID to use. Defaults to 0.0.0.1
broadcast-ospf2-discover.timeout
Time in seconds that the script waits for hello from other routers. Defaults to 10 seconds, matching OSPFv2 default value for hello interval.
broadcast-ospf2-discover.interface
Interface to send on (overrides -e). Mandatory if not using -e and multiple interfaces are present.
max-newtargets, newtargets
See the documentation for the target library.
Example Usage
nmap --script=broadcast-ospf2-discover
nmap --script=broadcast-ospf2-discover -e wlan0
Script Output
Pre-scan script results:
| broadcast-ospf2-discover:
| Area ID: 0.0.0.0
| External Routes
| 192.168.24.0/24
|_ Use the newtargets script-arg to add the results as targets
Requires
local ipOps = require "ipOps"
local nmap = require "nmap"
local ospf = require "ospf"
local packet = require "packet"
local stdnse = require "stdnse"
local target = require "target"
local os = require "os"
local string = require "string"
local table = require "table"
local have_ssl, openssl = pcall(require,'openssl')
description = [[
Discover IPv4 networks using Open Shortest Path First version 2(OSPFv2) protocol.
The script works by listening for OSPF Hello packets from the 224.0.0.5
multicast address. The script then replies and attempts to create a neighbor
relationship, in order to discover network database.
If no interface was provided as a script argument or through the -e option,
the script will fail unless a single interface is present on the system.
]]
---
-- @usage
-- nmap --script=broadcast-ospf2-discover
-- nmap --script=broadcast-ospf2-discover -e wlan0
--
-- @args broadcast-ospf2-discover.md5_key MD5 digest key to use if message digest
-- authentication is disclosed.
--
-- @args broadcast-ospf2-discover.router_id Router ID to use. Defaults to 0.0.0.1
--
-- @args broadcast-ospf2-discover.timeout Time in seconds that the script waits for
-- hello from other routers. Defaults to 10 seconds, matching OSPFv2 default
-- value for hello interval.
--
-- @args broadcast-ospf2-discover.interface Interface to send on (overrides -e). Mandatory
-- if not using -e and multiple interfaces are present.
--
-- @output
-- Pre-scan script results:
-- | broadcast-ospf2-discover:
-- | Area ID: 0.0.0.0
-- | External Routes
-- | 192.168.24.0/24
-- |_ Use the newtargets script-arg to add the results as targets
--
author = "Emiliano Ticci"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"broadcast", "discovery", "safe"}
prerule = function()
if nmap.address_family() ~= "inet" then
stdnse.print_verbose("is IPv4 only.")
return false
end
if not nmap.is_privileged() then
stdnse.print_verbose("not running for lack of privileges.")
return false
end
return true
end
-- Script constants
OSPF_ALL_ROUTERS = "224.0.0.5"
OSPF_MSG_HELLO = 0x01
OSPF_MSG_DBDESC = 0x02
OSPF_MSG_LSREQ = 0x03
OSPF_MSG_LSUPD = 0x04
local md5_key, router_id
-- Convenience functions
local function fail(err) return stdnse.format_output(false, err) end
-- Print OSPFv2 LSA Header packet details to debug output.
-- @param hello OSPFv2 LSA Header packet
local ospfDumpLSAHeader = function(lsa_h)
if 2 > nmap.debugging() then
return
end
stdnse.print_debug(2, "| LS Age: %s", lsa_h.age)
stdnse.print_debug(2, "| Options: %s", lsa_h.options)
stdnse.print_debug(2, "| LS Type: %s", lsa_h.type)
stdnse.print_debug(2, "| Link State ID: %s", lsa_h.id)
stdnse.print_debug(2, "| Advertising Router: %s", lsa_h.adv_router)
stdnse.print_debug(2, "| Sequence: 0x%s", lsa_h.sequence)
stdnse.print_debug(2, "| Checksum: 0x%s", lsa_h.checksum)
stdnse.print_debug(2, "| Length: %s", lsa_h.length)
end
-- Print OSPFv2 Database Description packet details to debug output.
-- @param hello OSPFv2 Database Description packet
local ospfDumpDBDesc = function(db_desc)
if 2 > nmap.debugging() then
return
end
stdnse.print_debug(2, "| MTU: %s", db_desc.mtu)
stdnse.print_debug(2, "| Options: %s", db_desc.options)
stdnse.print_debug(2, "| Init: %s", db_desc.init)
stdnse.print_debug(2, "| More: %s", db_desc.more)
stdnse.print_debug(2, "| Master: %s", db_desc.master)
stdnse.print_debug(2, "| Sequence: %s", db_desc.sequence)
if #db_desc.lsa_headers > 0 then
stdnse.print_debug(2, "| LSA Headers:")
for i, lsa_h in ipairs(db_desc.lsa_headers) do
ospfDumpLSAHeader(lsa_h)
if i < #db_desc.lsa_headers then
stdnse.print_debug(2, "|")
end
end
end
end
-- Print OSPFv2 Hello packet details to debug output.
-- @param hello OSPFv2 Hello packet
local ospfDumpHello = function(hello)
if 2 > nmap.debugging() then
return
end
stdnse.print_debug(2, "| Router ID: %s", hello.header.router_id)
stdnse.print_debug(2, "| Area ID: %s", ipOps.fromdword(hello.header.area_id))
stdnse.print_debug(2, "| Checksum: %s", hello.header.chksum)
stdnse.print_debug(2, "| Auth Type: %s", hello.header.auth_type)
if hello.header.auth_type == 0x01 then
stdnse.print_debug(2, "| Auth Password: %s", hello.header.auth_data.password)
elseif hello.header.auth_type == 0x02 then
stdnse.print_debug(2, "| Auth Crypt Key ID: %s", hello.header.auth_data.keyid)
stdnse.print_debug(2, "| Auth Data Length: %s", hello.header.auth_data.length)
stdnse.print_debug(2, "| Auth Crypt Seq: %s", hello.header.auth_data.seq)
end
stdnse.print_debug(2, "| Netmask: %s", hello.netmask)
stdnse.print_debug(2, "| Hello interval: %s", hello.interval)
stdnse.print_debug(2, "| Options: %s", hello.options)
stdnse.print_debug(2, "| Priority: %s", hello.prio)
stdnse.print_debug(2, "| Dead interval: %s", hello.router_dead_interval)
stdnse.print_debug(2, "| Designated Router: %s", hello.DR)
stdnse.print_debug(2, "| Backup Router: %s", hello.BDR)
stdnse.print_debug(2, "| Neighbors: %s", table.concat(hello.neighbors, ","))
end
-- Print OSPFv2 LS Request packet details to debug output.
-- @param ls_req OSPFv2 LS Request packet
local ospfDumpLSRequest = function(ls_req)
if 2 > nmap.debugging() then
return
end
for i, req in ipairs(ls_req.ls_requests) do
stdnse.print_debug(2, "| LS Type: %s", req.type)
stdnse.print_debug(2, "| Link State ID: %s", req.id)
stdnse.print_debug(2, "| Avertising Router: %s", req.adv_router)
if i < #ls_req.ls_requests then
stdnse.print_debug(2, "|")
end
end
end
-- Print OSPFv2 LS Update packet details to debug output.
-- @param ls_upd OSPFv2 LS Update packet
local ospfDumpLSUpdate = function(ls_upd)
stdnse.print_debug(2, "| Number of LSAs: %s", ls_upd.num_lsas)
for i, lsa in ipairs(ls_upd.lsas) do
-- Only Type 1 (Router-LSA) and Type 5 (AS-External-LSA) are supported at the moment
ospfDumpLSAHeader(lsa.header)
if lsa.header.type == 1 then
stdnse.print_debug(2, "| Flags: %s", lsa.flags)
stdnse.print_debug(2, "| Number of links: %s", lsa.num_links)
for j, link in ipairs(lsa.links) do
stdnse.print_debug(2, "| Link ID: %s", link.id)
stdnse.print_debug(2, "| Link Data: %s", link.data)
stdnse.print_debug(2, "| Link Type: %s", link.type)
stdnse.print_debug(2, "| Number of Metrics: %s", link.num_metrics)
stdnse.print_debug(2, "| 0 Metric: %s", link.metric)
if j < #lsa.links then
stdnse.print_debug(2, "|")
end
end
if i < #ls_upd.lsas then
stdnse.print_debug(2, "|")
end
elseif lsa.header.type == 5 then
stdnse.print_debug(2, "| Netmask: %s", lsa.netmask)
stdnse.print_debug(2, "| External Type: %s", lsa.ext_type)
stdnse.print_debug(2, "| Metric: %s", lsa.metric)
stdnse.print_debug(2, "| Forwarding Address: %s", lsa.fw_address)
stdnse.print_debug(2, "| External Route Tag: %s", lsa.ext_tag)
end
end
end
-- Send OSPFv2 packet to specified destination.
-- @param interface Source interface to use
-- @param ip_dst Destination IP address
-- @param mac_dst Destination MAC address
-- @param ospf_packet Raw OSPF packet
local ospfSend = function(interface, ip_dst, mac_dst, ospf_packet)
local dnet = nmap.new_dnet()
local probe = packet.Frame:new()
probe.mac_src = interface.mac
probe.mac_dst = mac_dst
probe.ip_bin_src = ipOps.ip_to_str(interface.address)
probe.ip_bin_dst = ipOps.ip_to_str(ip_dst)
probe.l3_packet = ospf_packet
probe.ip_dsf = 0xc0
probe.ip_p = 89
probe.ip_ttl = 1
probe:build_ip_packet()
probe:build_ether_frame()
dnet:ethernet_open(interface.device)
dnet:ethernet_send(probe.frame_buf)
dnet:ethernet_close()
end
-- Prepare OSPFv2 packet header for reply.
-- @param packet_in Source packet
-- @param packet_out Destination packet
local ospfSetHeader = function(packet_in, packet_out)
packet_out.header:setRouterId(router_id)
packet_out.header:setAreaID(packet_in.header.area_id)
if packet_in.header.auth_type == 0x01 then
packet_out.header.auth_type = 0x01
packet_out.header.auth_data.password = packet_in.header.auth_data.password
elseif packet_in.header.auth_type == 0x02 then
packet_out.header.auth_type = 0x02
packet_out.header.auth_data.key = md5_key
packet_out.header.auth_data.keyid = packet_in.header.auth_data.keyid
packet_out.header.auth_data.length = 16
packet_out.header.auth_data.seq = os.time()
end
return packet_out
end
-- Reply to OSPFv2 Database Description with an LS Request.
-- @param interface Source interface
-- @param mac_dst Destination MAC address
-- @param db_desc_in OSPFv2 Database Description packet to reply for
local ospfSendLSRequest = function(interface, mac_dst, db_desc_in)
local ls_req_out = ospf.OSPF.LSRequest:new()
ls_req_out = ospfSetHeader(db_desc_in, ls_req_out)
for i, lsa_h in ipairs(db_desc_in.lsa_headers) do
ls_req_out:addRequest(lsa_h.type, lsa_h.id, lsa_h.adv_router)
end
stdnse.print_debug(2, "Crafted OSPFv2 LS Request packet with the following parameters:")
ospfDumpLSRequest(ls_req_out)
ospfSend(interface, db_desc_in.header.router_id, mac_dst, tostring(ls_req_out))
end
-- Reply to given OSPFv2 Database Description packet.
-- @param interface Source interface
-- @param mac_dst Destination MAC address
-- @param db_desc_in OSPFv2 Database Description packet to reply for
local ospfReplyDBDesc = function(interface, mac_dst, db_desc_in)
local reply = false
local db_desc_out = ospf.OSPF.DBDescription:new()
db_desc_out = ospfSetHeader(db_desc_in, db_desc_out)
if db_desc_in.init == true then
db_desc_out.init = false
db_desc_out.more = db_desc_in.more
db_desc_out.master = false
db_desc_out.sequence = db_desc_in.sequence
reply = true
elseif #db_desc_in.lsa_headers > 0 then
ospfSendLSRequest(interface, mac_dst, db_desc_in)
return true
end
if reply then
stdnse.print_debug(2, "Crafted OSPFv2 Database Description packet with the following parameters:")
ospfDumpDBDesc(db_desc_out)
ospfSend(interface, db_desc_in.header.router_id, mac_dst, tostring(db_desc_out))
end
return reply
end
-- Reply to given OSPFv2 Hello packet sending another Hello to
-- "All OSPF Routers" multicast address (224.0.0.5).
-- @param interface Source interface
-- @param hello_in OSPFv2 Hello packet to reply for
local ospfReplyHello = function(interface, hello_in)
local hello_out = ospf.OSPF.Hello:new()
hello_out = ospfSetHeader(hello_in, hello_out)
hello_out.interval = hello_in.interval
hello_out.router_dead_interval = hello_in.router_dead_interval
hello_out:setDesignatedRouter(hello_in.header.router_id)
hello_out:setNetmask(hello_in.netmask)
hello_out:addNeighbor(hello_in.header.router_id)
stdnse.print_debug(2, "Crafted OSPFv2 Hello packet with the following parameters:")
ospfDumpHello(hello_out)
ospfSend(interface, OSPF_ALL_ROUTERS, "\x01\x00\x5e\x00\x00\x05", tostring(hello_out))
end
-- Listen for OSPF packets on a specified interface.
-- @param interface Interface to use
-- @param timeout Amount of time to listen in seconds
local ospfListen = function(interface, timeout)
local status, l2_data, l3_data, ospf_raw, _
local start = nmap.clock_ms()
stdnse.print_debug("Start listening on interface %s...", interface.shortname)
local listener = nmap.new_socket()
listener:set_timeout(1000)
listener:pcap_open(interface.device, 1500, true, "ip proto 89 and not (ip src host " .. interface.address .. ")")
while (nmap.clock_ms() - start) < (timeout * 1000) do
status, _, l2_data, l3_data = listener:pcap_receive()
if status then
stdnse.print_debug(2, "Packet received on interface %s.", interface.shortname)
local p = packet.Packet:new(l3_data, #l3_data)
local ospf_raw = string.sub(l3_data, p.ip_hl * 4 + 1)
if ospf_raw:byte(1) == 0x02 and ospf_raw:byte(2) == OSPF_MSG_HELLO then
stdnse.print_debug(2, "OSPFv2 Hello packet detected.")
local ospf_hello = ospf.OSPF.Hello.parse(ospf_raw)
stdnse.print_debug(2, "Captured OSPFv2 Hello packet with the following parameters:")
ospfDumpHello(ospf_hello)
-- Additional checks required for message digest authentication
if ospf_hello.header.auth_type == 0x02 then
if not md5_key then
return fail("Argument md5_key must be present when message digest authentication is disclosed.")
elseif not have_ssl then
return fail("Cannot handle message digest authentication unless openssl is compiled in.")
end
end
ospfReplyHello(interface, ospf_hello)
start = nmap.clock_ms()
elseif ospf_raw:byte(1) == 0x02 and ospf_raw:byte(2) == OSPF_MSG_DBDESC then
stdnse.print_debug(2, "OSPFv2 Database Description packet detected.")
local ospf_db_desc = ospf.OSPF.DBDescription.parse(ospf_raw)
stdnse.print_debug(2, "Captured OSPFv2 Database Description packet with the following parameters:")
ospfDumpDBDesc(ospf_db_desc)
if not ospfReplyDBDesc(interface, string.sub(l2_data, 7, 12), ospf_db_desc) then
return
end
elseif ospf_raw:byte(1) == 0x02 and ospf_raw:byte(2) == OSPF_MSG_LSUPD then
stdnse.print_debug(2, "OSPFv2 LS Update packet detected.")
local ospf_ls_upd = ospf.OSPF.LSUpdate.parse(ospf_raw)
stdnse.print_debug(2, "Captured OSPFv2 LS Update packet with the following parameters:")
ospfDumpLSUpdate(ospf_ls_upd)
local targets = {}
for i, lsa in ipairs(ospf_ls_upd.lsas) do
-- Only Type 1 (Router-LSA) and Type 5 (AS-External-LSA) are supported at the moment
if lsa.header.type == 1 then
for j, link in ipairs(lsa.links) do
if link.type == 3 then
local target = link.id .. ipOps.subnet_to_cidr(link.data)
targets[target] = 1
end
end
elseif lsa.header.type == 5 then
local target = lsa.header.id .. ipOps.subnet_to_cidr(lsa.netmask)
targets[target] = 1
end
end
local output = stdnse.output_table()
if next(targets) then
local out_links = {}
output["Area ID"] = ipOps.fromdword(ospf_ls_upd.header.area_id)
output["External Routes"] = out_links
for t, _ in pairs(targets) do
table.insert(out_links, t)
if target.ALLOW_NEW_TARGETS then
target.add(t)
end
end
if not target.ALLOW_NEW_TARGETS then
stdnse.verbose("Use the newtargets script-arg to add the results as targets")
end
end
return output
end
end
end
listener:pcap_close()
end
action = function()
-- Get script arguments
md5_key = stdnse.get_script_args(SCRIPT_NAME .. ".md5_key") or false
router_id = stdnse.get_script_args(SCRIPT_NAME .. ".router_id") or "0.0.0.1"
local timeout = stdnse.parse_timespec(stdnse.get_script_args(SCRIPT_NAME .. ".timeout")) or 10
local interface = stdnse.get_script_args(SCRIPT_NAME .. ".interface")
stdnse.print_debug("Value for router ID argument: %s.", router_id)
stdnse.print_debug("Value for timeout argument: %s.", timeout)
-- Determine interface to use
interface = interface or nmap.get_interface()
if interface then
interface = nmap.get_interface_info(interface)
if not interface then
return fail(("Failed to retrieve %s interface information."):format(interface))
end
stdnse.print_debug("Will use %s interface.", interface.shortname)
else
local interface_list = nmap.list_interfaces()
local interface_good = {}
for _, os_interface in ipairs(interface_list) do
if os_interface.address and os_interface.link == "ethernet" and
os_interface.address:match("%d+%.%d+%.%d+%.%d+") then
stdnse.print_debug(2, "Found usable interface: %s.", os_interface.shortname)
table.insert(interface_good, os_interface)
end
end
if #interface_good == 1 then
interface = interface_good[1]
stdnse.print_debug("Will use %s interface.", interface.shortname)
elseif #interface_good == 0 then
return fail("Source interface not found.")
else
return fail("Ambiguous source interface, please specify it with -e or interface parameter.")
end
end
return ospfListen(interface, timeout)
end
Related
nmap
nmap
daytime NSE Script
2008-11-06 02:52:59
nessus-brute NSE Script
2011-10-26 21:45:33
ipv6-multicast-mld-list NSE Script
2015-12-19 15:50:08
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
10 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
0.973 High
EPSS
Percentile
99.8%
Related for NMAP:BROADCAST-OSPF2-DISCOVER.NSE