9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
10 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
0.973 High
EPSS
Percentile
99.8%
Dumps list of available resources from CoAP endpoints.
This script establishes a connection to a CoAP endpoint and performs a GET request on a resource. The default resource for our request is <code>/.well-known/core</core>, which should contain a list of resources provided by the endpoint.
For additional information:
URI to request via the GET method, /.well-known/core
by default.
nmap -p U:5683 -sU --script coap-resources <target>
PORT STATE SERVICE REASON
5683/udp open coap udp-response ttl 36
| coap-resources:
| /large:
| rt: block
| sz: 1280
| title: Large resource
| /large-update:
| ct: 0
| rt: block
| sz: 55
| title: Large resource that can be updated using PUT method
| /link1:
| if: If1
| rt: Type1 Type2
|_ title: Link test resource
local coap = require "coap"
local shortport = require "shortport"
local stdnse = require "stdnse"
local stringaux = require "stringaux"
local table = require "table"
description = [[
Dumps list of available resources from CoAP endpoints.
This script establishes a connection to a CoAP endpoint and performs a
GET request on a resource. The default resource for our request is
<code>/.well-known/core</core>, which should contain a list of
resources provided by the endpoint.
For additional information:
* https://en.wikipedia.org/wiki/Constrained_Application_Protocol
* https://tools.ietf.org/html/rfc7252
* https://tools.ietf.org/html/rfc6690
]]
---
-- @usage nmap -p U:5683 -sU --script coap-resources <target>
--
-- @output
-- PORT STATE SERVICE REASON
-- 5683/udp open coap udp-response ttl 36
-- | coap-resources:
-- | /large:
-- | rt: block
-- | sz: 1280
-- | title: Large resource
-- | /large-update:
-- | ct: 0
-- | rt: block
-- | sz: 55
-- | title: Large resource that can be updated using PUT method
-- | /link1:
-- | if: If1
-- | rt: Type1 Type2
-- |_ title: Link test resource
--
-- @args coap-resources.uri URI to request via the GET method,
-- <code>/.well-known/core</code> by default.
--
-- @xmloutput
-- <table key="/">
-- <elem key="ct">0</elem>
-- <elem key="title">General Info</elem>
-- </table>
-- <table key="/ft">
-- <elem key="ct">0</elem>
-- <elem key="title">Faults Reporting</elem>
-- </table>
-- <table key="/mn">
-- <elem key="ct">0</elem>
-- <elem key="title">Monitor Reporting</elem>
-- </table>
-- <table key="/st">
-- <elem key="ct">0</elem>
-- <elem key="title">Status Reporting</elem>
-- </table>
-- <table key="/time">
-- <elem key="ct">0</elem>
-- <elem key="obs,</devices/block>;title">Devices Block</elem>
-- <elem key="title">Internal Clock</elem>
-- </table>
-- <table key="/wn">
-- <elem key="ct">0</elem>
-- <elem key="title">Warnings Reporting</elem>
-- </table>
author = "Mak Kolybabi <[email protected]>"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"safe", "discovery"}
-- TODO: Add 5684 "coaps" if DTLS support is added
portrule = shortport.port_or_service(5683, "coap", "udp")
format_payload = function(payload)
-- Leave strings alone.
if type(payload) == "string" then
return payload
end
local tbl = stdnse.output_table()
-- We want to go through all of the links in alphabetical order.
table.sort(payload, function(a,b) return a.name < b.name end)
for _, link in ipairs(payload) do
-- We want to go through all of the parameters in alphabetical
-- order.
table.sort(link.parameters, function(a,b) return a.name < b.name end)
local row = stdnse.output_table()
for _, param in ipairs(link.parameters) do
row[param.name] = param.value
end
tbl[link.name] = row
end
return tbl
end
get_blocks = function(helper, options, b2opt, payload, max_reqs)
-- Initialize the block table to store all of our received blocks.
local blocks = {}
blocks[b2opt.number] = payload
-- If we don't know the number of the last block, we'll need to use
-- the largest number we've seen as the maxumum.
local max = b2opt.number
-- If the first block we received happens to be the last one, either
-- by being a one-block sequence or by the endpoint sending us the
-- last block in the sequence first, we want to record the final
-- number in the sequence.
local last = nil
if b2opt.more == false then
last = b2opt.number
max = b2opt.number
end
-- We'll continue to request blocks that are the same size as the
-- original block, since the endpoint likely prefers that.
local length = b2opt.length
-- We want to track the number of requests we make so that a
-- malicious endpoint can't keep us on the hook forever.
for req = 1, max_reqs do
-- Determine if there are any blocks in the sequence that we have
-- not yet received.
local top = max + 1
if last then
top = last
end
local num = top
for i = 0, top do
if not blocks[i] then
num = i
break
end
end
-- If the block we think we're missing is at the end of the
-- sequence, we've got them all.
if last and num >= last then
stdnse.debug3("All %d blocks have been retrieved.", last)
break
end
-- Create the request.
local opts = {
["code"] = "get",
["type"] = "confirmable",
["options"] = {
{["name"] = "block2", ["value"] = {
["number"] = num,
["more"] = false,
["length"] = length
}}
}
}
local components = stringaux.strsplit("/", options.uri)
for _, component in ipairs(components) do
if component ~= "" then
table.insert(opts.options, {["name"] = "uri_path", ["value"] = component})
end
end
-- Send the request and receive the response.
stdnse.debug3("Requesting block %d of size %d.", num, length)
local status, response = helper:request(opts)
if not status then
return false, response
end
if not response.payload then
return false, "Response did not contain a payload."
end
-- Check for the presence of the block2 option, and if it's
-- missing then we're going to stop.
b2opt = coap.COAP.header.find_option(response, "block2")
if not b2opt then
stdnse.debug1("Stopped requesting more blocks, response found without block2 option.")
break
end
stdnse.debug3("Received block %d of size %d.", b2opt.number, b2opt.length)
blocks[b2opt.number] = response.payload
if b2opt.more == false then
stdnse.debug3("Block %d indicates it is the end of the sequence.", b2opt.number, b2opt.length)
last = b2opt.number
max = b2opt.number
elseif b2opt.number > max then
max = b2opt.number
end
end
-- Reassemble payload, handling potentially missing blocks.
local result = ""
for i = 1, max do
if not blocks[i] then
stdnse.debug3("Block %d is missing, replacing with dummy data.", i)
result = result .. ("<! missing block %d!>"):format(i)
else
result = result .. blocks[i]
end
end
return true, result
end
local function parse_args ()
local args = {}
local uri = stdnse.get_script_args(SCRIPT_NAME .. '.uri')
if not uri then
uri = "/.well-known/core"
end
args.uri = uri
return true, args
end
action = function(host, port)
local output = stdnse.output_table()
-- Parse and sanity check the command line arguments.
local status, options = parse_args()
if not status then
output.ERROR = options
return output, output.ERROR
end
-- Create an instance of the CoAP library's client object.
local helper = coap.Helper:new(host, port)
-- Connect to the CoAP endpoint.
local status, response = helper:connect({["uri"] = options.uri})
if not status then
-- Erros at this stage indicate we're probably not talking to a CoAP server,
-- so we exit silently.
return nil
end
-- Check that the response is a 2.05, otherwise we don't know how to
-- continue.
if response.code ~= "content" then
-- If the port runs an echo service, we'll see an unexpected 'get' code.
if response.code == "get" then
-- Exit silently, this has all been a mistake.
return nil
end
-- If the requested resource wasn't found, that's okay.
if response.code == "not_found" then
stdnse.debug1("The target reports that the resource '%s' was not found.", options.uri)
return nil
end
-- Otherwise, we assume that we're getting a legitimate CoAP response.
output.ERROR = ("Server responded with '%s' code where 'content' was expected."):format(response.code)
return output, output.ERROR
end
local result = response.payload
if not result then
output.ERROR = "Payload for initial response was not part of the packet."
return output, output.ERROR
end
-- Check for the presence of the block2 option, which indicates that
-- we'll need to perform more requests.
local b2opt = coap.COAP.header.find_option(response, "block2")
if b2opt then
-- Since the block2 option was used, the payload should be an unparsed string.
assert(type(result) == "string")
local status, payload = get_blocks(helper, options, b2opt, result, 64)
if not status then
output.ERROR = result
return output, output.ERROR
end
result = result .. payload
-- Parse the payload.
local status, parsed = coap.COAP.payload.parse(response, result)
if not status then
stdnse.debug1("Failed to parse payload: %s", parsed)
stdnse.debug1("Falling back to returning raw payload as last resort.")
output["Raw CoAP response"] = result
return output, stdnse.format_output(true, output)
end
result = parsed
end
-- Regardless of whether the block2 option was used, we should now have a
-- parsed payload in some format or another. For now, they should all be
-- strings or tables.
assert(type(result) == "string" or type(result) == "table")
-- If the payload has been parsed, and we requested the default
-- resource, then we know how to format it nicely.
local formatted = result
if true then
formatted = format_payload(result)
end
return formatted
end
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
10 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
0.973 High
EPSS
Percentile
99.8%