
http-hp-ilo-info NSE Script

2019-04-08 15:35:36
Rajeev R Menon
nmap.org
806

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

10 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

0.973 High

EPSS

Percentile

99.8%

Attempts to extract information from HP iLO boards including versions and addresses.

HP iLO boards have an unauthenticated info disclosure at <ip>/xmldata?item=all. It lists board information such as server model, firmware version, MAC addresses, IP addresses, etc. This script uses the slaxml library to parse the iLO XML file and display the info.

Script Arguments

slaxml.debug

See the documentation for the slaxml library.

http.host, http.max-body-size, http.max-cache-size, http.max-pipeline, http.pipeline, http.truncated-ok, http.useragent

See the documentation for the http library.

smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername

See the documentation for the smbauth library.

Example Usage

  • nmap --script hp-ilo-info -p 80 <target>
    
  • nmap --script hp-ilo-info -sV <target>
    

Script Output

PORT   STATE SERVICE
80/tcp open  http
| ilo-info:
|   ServerType: ProLiant MicroServer Gen8
|   ProductID: XXXXXX-XXX
|   UUID: XXXXXXXXXXXXXXXX
|   cUUID: XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXX
|   ILOType: Integrated Lights-Out 4 (iLO 4)
|   ILOFirmware: X.XX
|   SerialNo: ILOXXXXXXXXXX
|   NICs:
|     NIC 1:
|       Description: iLO 4
|       MacAddress: 12:34:56:78:9a:bc
|       IPAddress: 10.10.10.10
|       Status: OK
|     NIC 2:
|       Description: iLo 4
|       MacAddress: 11:22:33:44:55:66
|       IPAddress: Unknown
|_      Status: Disabled

Requires


-- NSEdoc description shown by `nmap --script-help`. A level-2 long bracket is
-- used so the text could later contain "]]" without breaking the literal; the
-- string value is unchanged.
description = [==[
Attempts to extract information from HP iLO boards including versions and addresses.

HP iLO boards have an unauthenticated info disclosure at <ip>/xmldata?item=all.
It lists board informations such as server model, firmware version,
MAC addresses, IP addresses, etc. This script uses the slaxml library
to parse the iLO xml file and display the info.
]==]

---
--@usage nmap --script hp-ilo-info -p 80 <target>
--
--@usage nmap --script hp-ilo-info -sV <target>
--
--@output
--PORT   STATE SERVICE
--80/tcp open  http
--| ilo-info:
--|   ServerType: ProLiant MicroServer Gen8
--|   ProductID: XXXXXX-XXX
--|   UUID: XXXXXXXXXXXXXXXX
--|   cUUID: XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXX
--|   ILOType: Integrated Lights-Out 4 (iLO 4)
--|   ILOFirmware: X.XX
--|   SerialNo: ILOXXXXXXXXXX
--|   NICs:
--|     NIC 1:
--|       Description: iLO 4
--|       MacAddress: 12:34:56:78:9a:bc
--|       IPAddress: 10.10.10.10
--|       Status: OK
--|     NIC 2:
--|       Description: iLo 4
--|       MacAddress: 11:22:33:44:55:66
--|       IPAddress: Unknown
--|_      Status: Disabled
--

-- Script metadata consumed by the NSE engine: "safe" because the script only
-- issues a single GET and never changes device state, "discovery" because it
-- reports inventory details of the scanned host.
author     = "Rajeev R Menon"
license    = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = { "safe", "discovery" }

local http = require "http"
local slaxml = require "slaxml"
local stdnse = require "stdnse"
local shortport = require "shortport"

-- Run on any port that shortport.http classifies as HTTP; the action then
-- requests the iLO XML endpoint on that same host/port.
portrule = shortport.http

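--- Depth-first search of a slaxml DOM subtree for the first element named
-- <code>tag</code>.
--
-- Only nodes with <code>type == "element"</code> are compared or descended
-- into; text and other node kinds are skipped. Matching is exact and
-- case-sensitive (the iLO document uses upper-case names such as "SPN").
--
-- The original parameter was named <code>table</code>, shadowing the standard
-- library; it is renamed here, and a node without a <code>kids</code> sequence
-- (or a nil node) now yields nil instead of raising from ipairs().
--
-- @param node A slaxml DOM node (document root or element) whose
--             <code>kids</code> sequence is searched.
-- @param tag  Element name to look for.
-- @return The first matching element in document order, or nil.
function getTag(node, tag)
  local kids = node and node.kids
  if kids == nil then return nil end
  for _, kid in ipairs(kids) do
    if kid.type == "element" then
      if kid.name == tag then
        return kid
      end
      -- Not a match: search this element's subtree before moving on, so the
      -- result is the first match in document order.
      local found = getTag(kid, tag)
      if found ~= nil then return found end
    end
  end
  return nil
end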

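--- Return the text content of an element's first child, or nil.
--
-- The fields this script reads are leaf elements wrapping a single text node
-- (the document is parsed with stripWhitespace, so no whitespace-only text
-- nodes are present). An empty element such as <code>&lt;SPN/&gt;</code> has no
-- kids, and an element wrapping another element has no usable text; both
-- yield nil instead of raising, which is the defect the previous version had
-- in its scalar-field loop.
--
-- @param node A slaxml element node, or nil.
-- @return The string value of the first child when it is a text node, else nil.
local function firstText(node)
  if node == nil or node.kids == nil then return nil end
  local first = node.kids[1]
  if first == nil or first.type ~= "text" then return nil end
  return first.value
end

--- Collect board and NIC details from a parsed iLO XML document.
--
-- Scalar fields are located anywhere in the document by tag name (first match
-- in document order wins). NICs are taken from the children of the first
-- <code>NICS</code> element, one entry per child, numbered in document order.
-- All values are copied verbatim from the device response.
--
-- @param dom A slaxml DOM (document root) as returned by slaxml.parseDOM.
-- @return An stdnse output table with ServerType, ProductID, UUID, cUUID,
--         ILOType, ILOFirmware and SerialNo (each present only when found
--         with text content) and a NICs table of "NIC n" entries holding
--         Description, MacAddress, IPAddress and Status when present.
function parseXML(dom)
  local response = stdnse.output_table()

  -- Output label -> iLO tag name, in the order they are reported.
  local fields = {
    { "ServerType",  "SPN" },
    { "ProductID",   "PRODUCTID" },
    { "UUID",        "UUID" },
    { "cUUID",       "cUUID" },
    { "ILOType",     "PN" },
    { "ILOFirmware", "FWRI" },
    { "SerialNo",    "SN" },
  }
  for _, field in ipairs(fields) do
    local label, tag = field[1], field[2]
    -- A device that omits a field or emits it empty no longer aborts the
    -- whole script; the field is simply left out of the output.
    local value = firstText(getTag(dom, tag))
    if value ~= nil then
      response[label] = value
    end
  end

  response.NICs = stdnse.output_table()
  local nicdom = getTag(dom, "NICS")
  if nicdom ~= nil and nicdom.kids ~= nil then
    -- iLO child element name -> output label.
    local nic_fields = {
      DESCRIPTION = "Description",
      MACADDR     = "MacAddress",
      IPADDR      = "IPAddress",
      STATUS      = "Status",
    }
    local count = 1
    for _, nicnode in ipairs(nicdom.kids) do
      local nic = stdnse.output_table()
      for _, child in ipairs(nicnode.kids or {}) do
        local label = nic_fields[child.name]
        local value = firstText(child)
        if label ~= nil and value ~= nil then
          nic[label] = value
        end
      end
      response.NICs["NIC " .. tostring(count)] = nic
      count = count + 1
    end
  end
  return response
end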

--- Fetch the iLO XML inventory endpoint and hand it to parseXML.
--
-- The response body comes from the scanned host and is untrusted; the two
-- substring checks are cheap gates that avoid running the XML parser on
-- responses that do not look like an iLO document, not a validation of its
-- contents.
--
-- @param host The target host table.
-- @param port The port table matched by the portrule.
-- @return parseXML's output table, or nothing when the response is not a
--         200 with a body containing both "<RIMP>" and "iLO".
action = function(host, port)
  local response = http.get(host, port, "/xmldata?item=all")
  local body = response.body
  local looks_like_ilo = response.status == 200
    and body
    and body:match('<RIMP>')
    and body:match('iLO')
  if not looks_like_ilo then
    return
  end
  -- stripWhitespace drops whitespace-only text nodes so each field element's
  -- first kid is its text.
  local dom = slaxml.parseDOM(body, { stripWhitespace = true })
  return parseXML(dom)
end
