Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
nmapHani BenhabilesNMAP:MRINFO.NSE
HistoryAug 03, 2012 - 10:58 p.m.

mrinfo NSE Script

2012-08-0322:58:29
Hani Benhabiles
nmap.org
83

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

10 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

0.973 High

EPSS

Percentile

99.8%

JSON

Queries targets for multicast routing information.

This works by sending a DVMRP Ask Neighbors 2 request to the target and listening for DVMRP Neighbors 2 responses that are sent back and which contain local addresses and the multicast neighbors on each interface of the target. If no specific target is specified, the request will be sent to the 224.0.0.1 All Hosts multicast address.

This script is similar somehow to the mrinfo utility included with Windows and Cisco IOS.

Script Arguments

mrinfo.target

Host to which the request is sent. If not set, the request will be sent to 224.0.0.1.

mrinfo.timeout

Time to wait for responses. Defaults to 5s.

max-newtargets, newtargets

See the documentation for the target library.

Example Usage

nmap --script mrinfo
nmap --script mrinfo -e eth1
nmap --script mrinfo --script-args 'mrinfo.target=172.16.0.4'

Script Output

Pre-scan script results:
| mrinfo:
|   Source: 224.0.0.1
|     Version 12.4
|     Local address: 172.16.0.2
|       Neighbor: 172.16.0.4
|       Neighbor: 172.16.0.3
|     Local address: 172.17.0.1
|       Neighbor: 172.17.0.2
|     Local address: 172.18.0.1
|       Neighbor: 172.18.0.2
|   Source: 224.0.0.1
|     Version 12.4
|     Local address: 172.16.0.4
|       Neighbor: 172.16.0.3
|       Neighbor: 172.16.0.2
|     Local address: 172.17.0.2
|       Neighbor: 172.17.0.1
|   Source: 224.0.0.1
|     Version 12.4
|     Local address: 172.16.0.3
|       Neighbor: 172.16.0.4
|       Neighbor: 172.16.0.2
|     Local address: 172.18.0.2
|       Neighbor: 172.18.0.1
|_  Use the newtargets script-arg to add the responses as targets

Requires

local nmap = require "nmap"
local packet = require "packet"
local ipOps = require "ipOps"
local stdnse = require "stdnse"
local string = require "string"
local target = require "target"
local table = require "table"


description = [[
Queries targets for multicast routing information.

This works by sending a DVMRP Ask Neighbors 2 request to the target and
listening for DVMRP Neighbors 2 responses that are sent back and which contain
local addresses and the multicast neighbors on each interface of the target. If
no specific target is specified, the request will be sent to the 224.0.0.1 All
Hosts multicast address.

This script is similar somehow to the mrinfo utility included with Windows and
Cisco IOS.
]]

---
-- @args mrinfo.target Host to which the request is sent. If not set, the
-- request will be sent to <code>224.0.0.1</code>.
--
-- @args mrinfo.timeout Time to wait for responses.
-- Defaults to <code>5s</code>.
--
--@usage
-- nmap --script mrinfo
-- nmap --script mrinfo -e eth1
-- nmap --script mrinfo --script-args 'mrinfo.target=172.16.0.4'
--
--@output
-- Pre-scan script results:
-- | mrinfo:
-- |   Source: 224.0.0.1
-- |     Version 12.4
-- |     Local address: 172.16.0.2
-- |       Neighbor: 172.16.0.4
-- |       Neighbor: 172.16.0.3
-- |     Local address: 172.17.0.1
-- |       Neighbor: 172.17.0.2
-- |     Local address: 172.18.0.1
-- |       Neighbor: 172.18.0.2
-- |   Source: 224.0.0.1
-- |     Version 12.4
-- |     Local address: 172.16.0.4
-- |       Neighbor: 172.16.0.3
-- |       Neighbor: 172.16.0.2
-- |     Local address: 172.17.0.2
-- |       Neighbor: 172.17.0.1
-- |   Source: 224.0.0.1
-- |     Version 12.4
-- |     Local address: 172.16.0.3
-- |       Neighbor: 172.16.0.4
-- |       Neighbor: 172.16.0.2
-- |     Local address: 172.18.0.2
-- |       Neighbor: 172.18.0.1
-- |_  Use the newtargets script-arg to add the responses as targets
--


author = "Hani Benhabiles"

license = "Same as Nmap--See https://nmap.org/book/man-legal.html"

categories = {"discovery", "safe", "broadcast"}


prerule = function()
  if nmap.address_family() ~= 'inet' then
    stdnse.verbose1("is IPv4 only.")
    return false
  end
  if not nmap.is_privileged() then
    stdnse.verbose1("not running for lack of privileges.")
    return false
  end
  return true
end

-- Parses a DVMRP Ask Neighbor 2 raw data and returns
-- a structured response.
-- @param data raw data.
local mrinfoParse = function(data)
  local index, address, neighbor
  local response = {}

  -- first byte should be IGMP type == 0x13 (DVMRP)
  if data:byte(1) ~= 0x13 then return end

  -- DVMRP Code
  response.code,
  -- Checksum
  response.checksum,
  -- Capabilities (Skip one reserved byte)
  response.capabilities,
  -- Major and minor version
  response.minver,
  response.majver, index = string.unpack(">B I2 x B B B", data, 2)
  response.addresses = {}
  -- Iterate over target local addresses (interfaces)
  while index < #data do
    if data:byte(index) == 0x00 then break end
    address = {}
    -- Local address
    address.ip,
    -- Link metric
    address.metric,
    -- Threshold
    address.threshold,
    -- Flags
    address.flags,
    -- Number of neighbors
    address.ncount, index = string.unpack(">c4BBBB", data, index)
    address.ip = ipOps.str_to_ip(address.ip)

    address.neighbors = {}
    -- Iterate over neighbors
    for i = 1, address.ncount do
      neighbor, index = string.unpack(">c4", data, index)
      table.insert(address.neighbors, ipOps.str_to_ip(neighbor))
    end
    table.insert(response.addresses, address)
  end
  return response
end

-- Listens for DVMRP Ask Neighbors 2 responses
--@param interface Network interface to listen on.
--@param timeout Time to listen for a response.
--@param responses table to insert responses into.
local mrinfoListen = function(interface, timeout, responses)
  local condvar = nmap.condvar(responses)
  local start = nmap.clock_ms()
  local listener = nmap.new_socket()
  local p, mrinfo_raw, status, l3data, response, _

  -- IGMP packets that are sent to our host
  local filter = 'ip proto 2 and dst host ' .. interface.address
  listener:set_timeout(100)
  listener:pcap_open(interface.device, 1024, true, filter)

  while (nmap.clock_ms() - start) < timeout do
    status, _, _, l3data = listener:pcap_receive()
    if status then
      p = packet.Packet:new(l3data, #l3data)
      mrinfo_raw = string.sub(l3data, p.ip_hl*4 + 1)
      if p then
        -- Check that IGMP Type == DVMRP (0x13) and DVMRP code == Neighbor 2 (0x06)
        if mrinfo_raw:byte(1) == 0x13 and mrinfo_raw:byte(2) == 0x06 then
          response = mrinfoParse(mrinfo_raw)
          if response then
            response.srcip = p.ip_src
            table.insert(responses, response)
          end
        end
      end
    end
  end
  condvar("signal")
end

-- Function that generates a raw DVMRP Ask Neighbors 2 request.
local mrinfoRaw = function()
  local mrinfo_raw = string.pack(">BB I2 I2 BB",
    0x13, -- Type: DVMRP
    0x05, -- Code: Ask Neighbor v2
    0x0000, -- Checksum: Calculated later
    0x000a, -- Reserved
    -- Version == Cisco IOS 12.4
    0x04, -- Minor version: 4
    0x0c) -- Major version: 12

  -- Calculate checksum
  mrinfo_raw = mrinfo_raw:sub(1,2) .. string.pack(">I2", packet.in_cksum(mrinfo_raw)) .. mrinfo_raw:sub(5)

  return mrinfo_raw
end

-- Function that sends a DVMRP query.
--@param interface Network interface to use.
--@param dstip Destination IP to send to.
local mrinfoQuery = function(interface, dstip)
  local mrinfo_packet, sock, eth_hdr
  local srcip = interface.address

  local mrinfo_raw = mrinfoRaw()
  local ip_raw = stdnse.fromhex( "45c00040ed780000400218bc0a00c8750a00c86b") .. mrinfo_raw
  mrinfo_packet = packet.Packet:new(ip_raw, ip_raw:len())
  mrinfo_packet:ip_set_bin_src(ipOps.ip_to_str(srcip))
  mrinfo_packet:ip_set_bin_dst(ipOps.ip_to_str(dstip))
  mrinfo_packet:ip_set_len(ip_raw:len())
  if dstip == "224.0.0.1" then
    -- Doesn't affect results, but we should respect RFC 3171 :)
    mrinfo_packet:ip_set_ttl(1)
  end
  mrinfo_packet:ip_count_checksum()

  sock = nmap.new_dnet()
  if dstip == "224.0.0.1" then
    sock:ethernet_open(interface.device)
    -- Ethernet IPv4 multicast, our ethernet address and packet type IP
    eth_hdr = "\x01\x00\x5e\x00\x00\x01" .. interface.mac .. "\x08\x00"
    sock:ethernet_send(eth_hdr .. mrinfo_packet.buf)
    sock:ethernet_close()
  else
    sock:ip_open()
    sock:ip_send(mrinfo_packet.buf, dstip)
    sock:ip_close()
  end
end

-- Returns the network interface used to send packets to a target host.
--@param target host to which the interface is used.
--@return interface Network interface used for target host.
local getInterface = function(target)
  -- First, create dummy UDP connection to get interface
  local sock = nmap.new_socket()
  local status, err = sock:connect(target, "12345", "udp")
  if not status then
    stdnse.verbose1("%s", err)
    return
  end
  local status, address, _, _, _ = sock:get_info()
  if not status then
    stdnse.verbose1("%s", err)
    return
  end
  for _, interface in pairs(nmap.list_interfaces()) do
    if interface.address == address then
      return interface
    end
  end
end

action = function()
  local timeout = stdnse.parse_timespec(stdnse.get_script_args(SCRIPT_NAME .. ".timeout"))
  timeout = (timeout or 5) * 1000
  local target = stdnse.get_script_args(SCRIPT_NAME .. ".target") or "224.0.0.1"
  local responses = {}
  local interface, result

  interface = nmap.get_interface()
  if interface then
    interface = nmap.get_interface_info(interface)
  else
    interface = getInterface(target)
  end
  if not interface then
    return stdnse.format_output(false, ("Couldn't get interface for %s"):format(target))
  end

  stdnse.debug1("will send to %s via %s interface.", target, interface.shortname)

  -- Thread that listens for responses
  stdnse.new_thread(mrinfoListen, interface, timeout, responses)

  -- Send request after small wait to let Listener start
  stdnse.sleep(0.1)
  mrinfoQuery(interface, target)
  local condvar = nmap.condvar(responses)
  condvar("wait")

  if #responses > 0 then
    local output, ifoutput = {}
    for _, response in pairs(responses) do
      result = {}
      result.name = "Source: " .. response.srcip
      table.insert(result, ("Version %s.%s"):format(response.majver, response.minver))
      for _, address in pairs(response.addresses) do
        ifoutput = {}
        ifoutput.name = "Local address: " .. address.ip
        for _, neighbor in pairs(address.neighbors) do
          if target.ALLOW_NEW_TARGETS then target.add(neighbor) end
          table.insert(ifoutput, "Neighbor: " .. neighbor)
        end
        table.insert(result, ifoutput)
      end
      table.insert(output, result)
    end
    if not target.ALLOW_NEW_TARGETS then
      table.insert(output,"Use the newtargets script-arg to add the results as targets")
    end
    return stdnse.format_output(true, output)
  end
end

Related

nmap 199
nmap
nmap
http-chrono NSE Script
2012-03-23 19:29:44
p2p-conficker NSE Script
2009-04-21 18:30:40
sslv2 NSE Script
2008-11-06 02:52:59

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

10 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

0.973 High

EPSS

Percentile

99.8%

JSON
Related for NMAP:MRINFO.NSE
nmap199