Lucene search
JahNMAP:WHOIS-IP.NSEHistoryJul 25, 2013 - 12:57 a.m.
whois-ip NSE Script
2013-07-2500:57:28
jah
nmap.org
195
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
10 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
0.973 High
EPSS
Percentile
99.8%
Queries the WHOIS services of Regional Internet Registries (RIR) and attempts to retrieve information about the IP Address Assignment which contains the Target IP Address.
The fields displayed contain information about the assignment and the organisation responsible for managing the address space. When output verbosity is requested on the Nmap command line (-v) extra information about the assignment will be displayed.
To determine which of the RIRs to query for a given Target IP Address this script utilises Assignments Data hosted by IANA. The data is cached locally and then parsed for use as a lookup table. The locally cached files are refreshed periodically to help ensure the data is current. If, for any reason, these files are not available to the script then a default sequence of Whois services are queried in turn until: the desired record is found; or a referral to another (defined) Whois service is found; or until the sequence is exhausted without finding either a referral or the desired record.
The script will recognize a referral to another Whois service if that service is defined in the script and will continue by sending a query to the referred service. A record is assumed to be the desired one if it does not contain a referral.
To reduce the number unnecessary queries sent to Whois services a record cache is employed and the entries in the cache can be applied to any targets within the range of addresses represented in the record.
In certain circumstances, the ability to cache responses prevents the discovery of other, smaller IP address assignments applicable to the target because a cached response is accepted in preference to sending a Whois query. When it is important to ensure that the most accurate information about the IP address assignment is retrieved the script argument whodb should be used with a value of "nocache" (see script arguments). This reduces the range of addresses that may use a cached record to a size that helps ensure that smaller assignments will be discovered. This option should be used with caution due to the potential to send large numbers of whois queries and possibly be banned from using the services.
In using this script your IP address will be sent to iana.org. Additionally your address and the address of the target of the scan will be sent to one of the RIRs.
See also:
Script Arguments
whodb
Takes any of the following values, which may be combined:
whodb=nofilePrevent the use of IANA assignments data and instead query the default services.whodb=nofollowIgnore referrals and instead display the first record obtained.whodb=nocachePrevent the acceptance of records in the cache when they apply to large ranges of addresses.whodb=[service-ids]Redefine the default services to query. Impliesnofile.
slaxml.debug
See the documentation for the slaxml library.
http.host, http.max-body-size, http.max-cache-size, http.max-pipeline, http.pipeline, http.truncated-ok, http.useragent
See the documentation for the http library.
smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername
See the documentation for the smbauth library.
Example Usage
# Basic usage:
nmap target --script whois-ip
# To prevent the use of IANA assignments data supply the nofile value
# to the whodb argument:
nmap target --script whois-ip --script-args whodb=nofile
nmap target --script whois-ip --script-args whois.whodb=nofile
# Supplying a sequence of whois services will also prevent the use of
# IANA assignments data and override the default sequence:
nmap target --script whois-ip --script-args whodb=arin+ripe+afrinic
nmap target --script whois-ip --script-args whois.whodb=apnic*lacnic
# The order in which the services are supplied is the order in which
# they will be queried. (N.B. commas or semi-colons should not be
# used to delimit argument values.)
# To return the first record obtained even if it contains a referral
# to another service, supply the nofollow value to whodb:
nmap target --script whois-ip --script-args whodb=nofollow
nmap target --script whois-ip --script-args whois.whodb=nofollow+ripe
# Note that only one service (the first one supplied) will be used in
# conjunction with nofollow.
# To ensure discovery of smaller assignments even if larger ones
# exist in the cache, supply the nocache value to whodb:
nmap target --script whois-ip --script-args whodb=nocache
nmap target --script whois-ip --script-args whois.whodb=nocache
Script Output
Host script results:
| whois-ip: Record found at whois.arin.net
| netrange: 64.13.134.0 - 64.13.134.63
| netname: NET-64-13-143-0-26
| orgname: Titan Networks
| orgid: INSEC
|_ country: US stateprov: CA
Requires
local http = require "http"
local io = require "io"
local ipOps = require "ipOps"
local math = require "math"
local nmap = require "nmap"
local os = require "os"
local stdnse = require "stdnse"
local string = require "string"
local stringaux = require "stringaux"
local table = require "table"
description = [[
Queries the WHOIS services of Regional Internet Registries (RIR) and attempts to retrieve information about the IP Address
Assignment which contains the Target IP Address.
The fields displayed contain information about the assignment and the organisation responsible for managing the address
space. When output verbosity is requested on the Nmap command line (<code>-v</code>) extra information about the assignment will
be displayed.
To determine which of the RIRs to query for a given Target IP Address this script utilises Assignments Data hosted by IANA.
The data is cached locally and then parsed for use as a lookup table. The locally cached files are refreshed periodically
to help ensure the data is current. If, for any reason, these files are not available to the script then a default sequence
of Whois services are queried in turn until: the desired record is found; or a referral to another (defined) Whois service is
found; or until the sequence is exhausted without finding either a referral or the desired record.
The script will recognize a referral to another Whois service if that service is defined in the script and will continue by
sending a query to the referred service. A record is assumed to be the desired one if it does not contain a referral.
To reduce the number unnecessary queries sent to Whois services a record cache is employed and the entries in the cache can be
applied to any targets within the range of addresses represented in the record.
In certain circumstances, the ability to cache responses prevents the discovery of other, smaller IP address assignments
applicable to the target because a cached response is accepted in preference to sending a Whois query. When it is important
to ensure that the most accurate information about the IP address assignment is retrieved the script argument <code>whodb</code>
should be used with a value of <code>"nocache"</code> (see script arguments). This reduces the range of addresses that may use a
cached record to a size that helps ensure that smaller assignments will be discovered. This option should be used with caution
due to the potential to send large numbers of whois queries and possibly be banned from using the services.
In using this script your IP address will be sent to iana.org. Additionally
your address and the address of the target of the scan will be sent to one of
the RIRs.
]]
---
-- @see whois-domain.nse
-- @args whodb Takes any of the following values, which may be combined:
-- * <code>whodb=nofile</code> Prevent the use of IANA assignments data and instead query the default services.
-- * <code>whodb=nofollow</code> Ignore referrals and instead display the first record obtained.
-- * <code>whodb=nocache</code> Prevent the acceptance of records in the cache when they apply to large ranges of addresses.
-- * <code>whodb=[service-ids]</code> Redefine the default services to query. Implies <code>nofile</code>.
-- @usage
-- # Basic usage:
-- nmap target --script whois-ip
--
-- # To prevent the use of IANA assignments data supply the nofile value
-- # to the whodb argument:
-- nmap target --script whois-ip --script-args whodb=nofile
-- nmap target --script whois-ip --script-args whois.whodb=nofile
--
-- # Supplying a sequence of whois services will also prevent the use of
-- # IANA assignments data and override the default sequence:
-- nmap target --script whois-ip --script-args whodb=arin+ripe+afrinic
-- nmap target --script whois-ip --script-args whois.whodb=apnic*lacnic
-- # The order in which the services are supplied is the order in which
-- # they will be queried. (N.B. commas or semi-colons should not be
-- # used to delimit argument values.)
--
-- # To return the first record obtained even if it contains a referral
-- # to another service, supply the nofollow value to whodb:
-- nmap target --script whois-ip --script-args whodb=nofollow
-- nmap target --script whois-ip --script-args whois.whodb=nofollow+ripe
-- # Note that only one service (the first one supplied) will be used in
-- # conjunction with nofollow.
--
-- # To ensure discovery of smaller assignments even if larger ones
-- # exist in the cache, supply the nocache value to whodb:
-- nmap target --script whois-ip --script-args whodb=nocache
-- nmap target --script whois-ip --script-args whois.whodb=nocache
-- @output
-- Host script results:
-- | whois-ip: Record found at whois.arin.net
-- | netrange: 64.13.134.0 - 64.13.134.63
-- | netname: NET-64-13-143-0-26
-- | orgname: Titan Networks
-- | orgid: INSEC
-- |_ country: US stateprov: CA
author = "jah"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"discovery", "external", "safe"}
-------------------------------------------------------------------------------------------------------------------------
--
--
--
--
-- This script will run only if the target IP address has been determined to be routable on the Internet.
hostrule = function( host )
local is_private, err = ipOps.isPrivate( host.ip )
if is_private == nil then
stdnse.debug1("Error in Hostrule: %s.", err)
return false
end
return not is_private
end
-------------------------------------------------------------------------------------------------------------------------
--
--
--
--
-- Queries WHOIS services until an applicable record is found or the list of services to query
-- is exhausted and finishes by displaying elements of an applicable record.
action = function( host )
if not nmap.registry.whois then
---
-- Data and flags shared between threads.
-- @name whois
-- @class table
--@field whoisdb_default_order The default number and order of whois services to query.
--@field using_local_assignments_file The boolean values of the two keys ipv4 and ipv6 determine whether or not to use the data from an IANA
-- hosted assignments file for that address family.
--@field local_assignments_file_expiry A period, between 0 and 7 days, during which cached assignments data may be used without being refreshed.
--@field init_done Set when <code>script_init</code> has been called and prevents it being called again.
--@field mutex A table of mutex functions, one for each service defined herein. Allows a thread exclusive access to a
-- service, preventing concurrent connections to it.
--@field nofollow A flag that prevents referrals to other whois records and allows the first record retrieved to be
-- returned instead. Set to true when whodb=nofollow
--@field using_cache A flag which modifies the size of ranges in a cache entry. Set to false when whodb=nocache
--@field cache Storage for cached redirects, records and other data for output.
nmap.registry.whois = {}
nmap.registry.whois.whoisdb_default_order = {"arin","ripe","apnic"}
nmap.registry.whois.using_cache = true
nmap.registry.whois.using_local_assignments_file = {}
nmap.registry.whois.using_local_assignments_file.ipv4 = true
nmap.registry.whois.using_local_assignments_file.ipv6 = true
nmap.registry.whois.local_assignments_file_expiry = "16h"
nmap.registry.whois.nofollow = false
nmap.registry.whois.cache = {}
end
-- script initialisation - threads must wait until this has been completed before continuing
local mutex = nmap.mutex( "whois" )
mutex "lock"
if not nmap.registry.whois.init_done then
script_init()
end
mutex "done"
---
-- Holds field data captured from the responses of each service queried and includes additional information about the final desired record.
--
-- The table, indexed by whois service id, holds a table of fields captured from each queried service. Once it has been determined that a record
-- represents the final record we wish to output, the existing values are destroyed and replaced with the one required record. This is done purely
-- to make it easier to reference the data of a desired record. Other values in the table are as follows.
-- @name data
-- @class table
--@field data.iana is set after the table is initialised and is the number of times a response encountered represents "The Whole Address Space".
-- If the value reaches 2 it is assumed that a valid record is held at ARIN.
--@field data.id is set in <code>analyse_response</code> after final record and is the service name at which a valid record has been found. Used in
-- <code>format_data_for_output</code>.
--@field data.mirror is set in <code>analyse_response</code> after final record and is the service name from which a mirrored record has been found. Used in
-- <code>format_data_for_output</code>.
--@field data.comparison is set in <code>analyse_response</code> after final record and is a string concatenated from fields extracted from a record and which
-- serves as a fingerprint for a record, used in <code>get_cache_key</code>, to compare two records for equality.
local data = {}
data.iana = 0
---
-- Used in the main loop to manage mutexes, the structure of tracking is as follows.
-- @name tracking
-- @class table
--@field this_db The service for which a thread will wait for exclusive access before sending a query to it.
--@field next_db The next service to query. Allows a thread to continue in the main "while do" loop.
--@field last_db The value of this_db after sending a query, used when exclusive access to a service is no longer required.
--@field completed An array of services previously queried.
local tracking = {}
tracking.completed = {}
local addr_family = #host.bin_ip == 4 and "ipv4" or "ipv6"
tracking = get_next_action( tracking, host.ip, addr_family )
-- main loop
while tracking.next_db do
local status, retval
tracking.this_db, tracking.next_db = tracking.next_db, nil
nmap.registry.whois.mutex[tracking.this_db] "lock"
status, retval = pcall( get_next_action, tracking, host.ip, addr_family )
if not status then
stdnse.debug1("pcall caught an exception in get_next_action: %s.", retval)
else tracking = retval end
if tracking.this_db then
-- do query
local response = do_query( tracking.this_db, host.ip )
tracking.completed[#tracking.completed+1] = tracking.this_db
-- analyse data
status, retval = pcall( analyse_response, tracking, host.ip, response, data )
if not status then
stdnse.debug1("pcall caught an exception in analyse_response: %s.", retval)
else data = retval end
-- get next action
status, retval = pcall( get_next_action, tracking, host.ip, addr_family )
if not status then
stdnse.debug1("pcall caught an exception in get_next_action: %s.", retval)
if not tracking.last_db then tracking.last_db, tracking.this_db = tracking.this_db or tracking.next_db, nil end
else tracking = retval end
end
nmap.registry.whois.mutex[tracking.last_db] "done"
tracking.last_db = nil
end
return output( host.ip, tracking.completed )
end -- action
----------------------------------------------------------------------------------------------------------------------------
--
--
--
--
-- Determines whether or not to query a whois service and which one to query. Checks the cache first - where there may be a redirect or a
-- cached record. If not, it trys to get a service from the assignments files if this was not previously attempted. Finally, if a service has
-- not yet been obtained the first unqueried service from whoisdb_default_order is used. The tracking table is manipulated such that a thread
-- knows its next move in the main loop.
-- @param tracking The Tracking table.
-- @param ip String representing the Target's IP address.
-- @param addr_fam String representing the Target's IP address family.
-- @return The supplied and possibly modified tracking table.
-- @see tracking, check_response_cache, get_db_from_assignments
function get_next_action( tracking, ip, addr_fam )
if type( ip ) ~= "string" or ip == "" or type( tracking ) ~= "table" or type( tracking.completed ) ~= "table" then return nil end
--next_db should always be nil when calling this
if tracking.next_db then return tracking end
-- check for cached redirects and records
local in_cache
in_cache, tracking.next_db = check_response_cache( ip )
if in_cache and not tracking.next_db then
-- found cached data - quit
tracking.this_db, tracking.last_db = nil, tracking.this_db
return tracking
elseif in_cache and tracking.next_db then
-- found cached redirect
if tracking.next_db ~= tracking.this_db then
-- skip query to this_db and set last_db so we can unlock mutex
tracking.this_db, tracking.last_db = nil, tracking.this_db
else
-- we were already about to query this_db
tracking.next_db = nil
end
-- kill redirect if the user specified "nofollow"
if nmap.registry.whois.nofollow then tracking.next_db = nil end
return tracking
elseif not in_cache and tracking.this_db and table.concat( tracking.completed, " " ):match( tracking.this_db ) then
-- we've already queried this_db so lets skip it and try whoisdb_default_order
tracking.last_db, tracking.this_db = tracking.this_db, nil
end
-- try to find a service to query in the assignments files, if allowed
if nmap.registry.whois.using_local_assignments_file[addr_fam] and not tracking.this_db and not tracking.last_db then
tracking.next_db = get_db_from_assignments( ip )
if tracking.next_db and not table.concat( tracking.completed, " " ):match( tracking.next_db ) then
-- we got one we haven't queried - we probably haven't queried any yet.
return tracking
end
end
-- get the next untried service from whoisdb_default_order
if not tracking.this_db and nmap.registry.whois.whoisdb_default_order then
for i, db in ipairs( nmap.registry.whois.whoisdb_default_order ) do
if not table.concat( tracking.completed, " " ):match( db ) then
tracking.next_db = db
break
end
end
end
return tracking
end
---
-- Checks the registry for cached redirects and results applicable to the supplied Target's IP address.
-- @param ip String representing the Target's IP address.
-- @return Boolean True if the supplied IP address is within a range of addresses for which there is a cache entry and a redirect or a
-- record is present; otherwise false.
-- @return ID of a service defined in whoisdb if a redirect is present; otherwise nil.
-- @see get_cache_key
function check_response_cache( ip )
if not next( nmap.registry.whois.cache ) then return false, nil end
if type( ip ) ~= "string" or ip == "" then return false, nil end
local ip_key = get_cache_key( ip )
if not ip_key then return false, nil end
local cache_data = nmap.registry.whois.cache[ip_key]
if cache_data.redirect then
-- redirect found in cache
return true, cache_data.redirect
elseif cache_data.data then
-- record found in cache
return true, nil
else
stdnse.debug1("Error in check_response_cache: Empty Cache Entry was found.")
end
return false, nil
end
---
-- Determines which entry in the cache is applicable to the Target and returns the key for that entry.
-- @param ip String representing the Target's IP address.
-- @return String key (IP address) of the cache entry applicable to the Target.
function get_cache_key( ip )
-- if this ip cached an entry, then we'll use it except when it represents a found record and we're not using_cache
if nmap.registry.whois.cache[ip] and ( nmap.registry.whois.using_cache or nmap.registry.whois.cache[ip].redirect ) then
return ip
end
-- When not using_cache, we compare our record to any others in the cache to avoid printing out the same record repeatedly.
local self_compare
if nmap.registry.whois.cache[ip] and nmap.registry.whois.cache[ip].data then
-- we should have a string which we can use to compare with other records
self_compare = nmap.registry.whois.cache[ip].data.comparison
end
local cache_entries = {}
for ip_key, cache_data in pairs( nmap.registry.whois.cache ) do
if type( ip_key ) == "string" and ip_key ~= "" and type( cache_data ) == "table" then
-- compare and return original pointer
if self_compare and ip ~= ip_key and not cache_data.pointer and self_compare == cache_data.data.comparison then
nmap.registry.whois.cache[ip].pointer = ip_key
return ip_key
end
-- check if ip is in a cached range and add the entry to cache_entries if it is
local in_range, err = ipOps.ip_in_range( ip, cache_data.range )
if in_range then
local t = {}
t.key = ip_key
t.range = cache_data.range
t.pointer = cache_data.pointer
cache_entries[#cache_entries+1] = t
end
end
end
if #cache_entries == 0 then
-- no applicable cache entries
return nil
elseif #cache_entries == 1 then
-- just one applicable entry
return cache_entries[1].pointer or cache_entries[1].key
end
-- more than one entry need sorting into ascending order
table.sort( cache_entries, smallest_range )
-- we'll choose the smallest range
return cache_entries[1].key
end
---
-- Calculates the prefix length for the given assignment.
-- @param range String representing an IP address assignment
-- @return Number - prefix length of the assignment
function get_prefix_length( range )
if type( range ) ~= "string" or range == "" then return nil end
local first, last, err = ipOps.get_ips_from_range( range )
if err then return nil end
first = ipOps.ip_to_bin(first)
last = ipOps.ip_to_bin(last)
for pos = 1, #first do
if first:byte(pos) ~= last:byte(pos) then
return pos - 1
end
end
return #first
end
---
-- Performs a lookup against assignments data to determine which service to query for the supplied Target.
-- @param ip String representing the Target's IP address.
-- @return String id of the whois service to query, or nil.
function get_db_from_assignments( ip )
if type( ip ) ~= "string" or ip == "" then return nil end
local af
if ip:match( ":" ) then
af = "ipv6"
else
af = "ipv4"
end
if not nmap.registry.whois.local_assignments_data or not nmap.registry.whois.local_assignments_data[af] then
stdnse.debug1("Error in get_db_from_assignments: Missing assignments data in registry.")
return nil
end
if next( nmap.registry.whois.local_assignments_data[af] ) then
for _, assignment in ipairs( nmap.registry.whois.local_assignments_data[af] ) do
if ipOps.ip_in_range( ip, assignment.range.first .. "-" .. assignment.range.last ) then
return assignment.service
end
end
end
return nil
end
---
-- Connects to a whois service (usually TCP port 43) and sends an IP address query, returning any response.
-- @param db String id of a service defined in whoisdb.
-- @param ip String representing the Target's IP address.
-- @return String response to query or nil.
function do_query(db, ip)
if type( db ) ~= "string" or not nmap.registry.whois.whoisdb[db] then
stdnse.debug1("Error in do_query: %s is not a defined Whois service.", db)
return nil
end
local service = nmap.registry.whois.whoisdb[db]
if type( service.hostname ) ~= "string" or service.hostname == "" then
stdnse.debug1("Error in do_query: Invalid hostname for %s.", db)
return nil
end
local query_data = ""
if type( service.preflag ) == "string" and service.preflag ~= "" then
query_data = service.preflag .. " "
end
query_data = query_data .. ip
if type( service.postflag ) == "string" and service.postflag ~= "" then
query_data = query_data .. service.postflag
end
query_data = query_data .. "\n"
local socket = nmap.new_socket()
local catch = function()
stdnse.debug1("Connection to %s failed or was aborted! No Output for this Target.", db)
nmap.registry.whois.mutex[db] "done"
socket:close()
end
local result, status, line = {}
local try = nmap.new_try( catch )
socket:set_timeout( 10000 )
try( socket:connect( service.hostname, 43 ) )
try( socket:send( query_data ) )
while true do
local status, lines = socket:receive_lines(1)
if not status then
break
else
result[#result+1] = lines
end
end
socket:close()
stdnse.debug3("Ended Query at %s.", db)
if #result == 0 then
return nil
end
return table.concat( result )
end
---
-- Extracts fields (if present) from the information returned in response to our query and determines whether it represents a referral to a
-- record hosted elsewhere. The referral is cached in the registry to allow threads for targets in the same assignment to avoid performing
-- their queries to this service. If it is not a referral, we assume it is the desired record and the extracted fields are cached in the
-- registry ready for output.
-- @param tracking Tracking table.
-- @param ip String representing a Target's IP address.
-- @param response String obtained from a service in response to our query.
-- @param data Table of fields captured from previously queried services, indexed by service name.
-- @return The data table passed as a parameter which may have been added to or may contain only the fields extracted from the desired
-- record (in which case it will no longer be indexed by service name).
-- @see extract_objects_from_response, redirection_rules, constrain_response, add_to_cache
function analyse_response( tracking, ip, response, data )
if type( response ) ~= "string" or response == "" then return data end
local meta, mirrored_db
local last_db, this_db, next_db = tracking.last_db, (tracking.this_db or tracking.last_db), tracking.next_db
data[this_db] = {}
-- check for foreign resource
for _, db in pairs( nmap.registry.whois.whoisdb ) do
if type( db ) == "table" and type( db.id ) == "string" and db.id ~= "iana" and db.id ~= this_db and type( db.hostname ) == "string" then
local pattern = db.id:upper() .. ".*%s*resource:%s*" .. db.hostname
if response:match( pattern ) then
mirrored_db = db.id
meta = db
meta.redirects = nil
break
end
end
end
meta = meta or nmap.registry.whois.whoisdb[this_db]
-- do we recognize objects in the response?.
local have_objects
if type( meta ) == "table" and type( meta.fieldreq ) == "table" and type( meta.fieldreq.ob_exist ) == "string" then
have_objects = response:match( meta.fieldreq.ob_exist )
else
stdnse.debug2("Could not check for objects, problem with meta data.")
have_objects = false
end
-- if we do not recognize objects check for an known error/non-object message
if not have_objects then
stdnse.debug4("%s has not responded with the expected objects.", this_db)
local tmp, msg
-- may have found our record saying something similar to "No Record Found"
for _, pattern in ipairs( nmap.registry.whois.m_none ) do
local pattern_l = pattern:gsub( "$addr", ip:lower() )
local pattern_u = pattern:gsub( "$addr", ip:upper() )
msg = response:match( pattern_l ) or response:match( pattern_u )
if msg then
stdnse.debug4("%s responded with a message which is assumed to be authoritative (but may not be).", this_db)
break
end
end
-- may have an error
if not msg then
for _, pattern in ipairs( nmap.registry.whois.m_err ) do
msg = response:match( pattern )
if msg then
stdnse.debug4("%s responded with an ERROR message.", this_db)
break
end
end
end
-- if we've recognized a non-object message,
if msg then
add_to_cache( ip, nil, nil, "Message from " .. nmap.registry.whois.whoisdb[this_db].hostname .. "\n" .. msg )
return data
end
end
-- the query response may not contain the set of objects we were expecting and we do not recognize the response message.
-- it may contain a record mirrored (or found by recursion) from a different service
if not have_objects then
local foreign_obj
for setname, set in pairs( nmap.registry.whois.fields_meta ) do
if set ~= nmap.registry.whois.whoisdb[this_db].fieldreq and response:match(set.ob_exist) then
foreign_obj = setname
stdnse.debug4("%s seems to have responded using the set of objects named: %s.", this_db, foreign_obj)
break
end
end
if foreign_obj and foreign_obj == "rpsl" then
mirrored_db = nmap.registry.whois.whoisdb.ripe.id
meta = nmap.registry.whois.whoisdb.ripe
meta.redirects = nil
have_objects = true
stdnse.debug4("%s will use the display properties of ripe.", this_db)
elseif foreign_obj then
-- find a display to match the objects.
for some_db, db_props in pairs( nmap.registry.whois.whoisdb ) do
if db_props.fieldreq and nmap.registry.whois.fields_meta[foreign_obj] and db_props.fieldreq == nmap.registry.whois.fields_meta[foreign_obj] then
mirrored_db = nmap.registry.whois.whoisdb[some_db].id
meta = nmap.registry.whois.whoisdb[some_db]
meta.redirects = nil
have_objects = true
stdnse.debug4("%s will use the display properties of %s.", this_db, some_db)
break
end
end
end -- if foreign_obj
end
-- extract fields from the entire response for record/redirect discovery
if have_objects then
stdnse.debug4("Parsing Query response from %s.", this_db)
data[this_db] = extract_objects_from_response( response, this_db, meta )
end
local response_chunk, found, nextdb
-- do record/redirect discovery, cache found redirect
if not nmap.registry.whois.nofollow and have_objects and meta.redirects then
stdnse.debug4("Testing response for redirection.")
found, nextdb, data.iana = redirection_rules( this_db, data, meta )
end
-- get most specific assignment and handle arin's organisation-focused record layout and then
-- modify the data table depending on whether we're redirecting or quitting
if have_objects then
stdnse.debug5("Extracting Fields from response.")
-- optionally constrain response to a more focused area
-- discarding previous extraction
if meta.smallnet_rule then
local offset, ptr, strbgn, strend
response_chunk, offset = constrain_response( response, this_db, ip, meta )
if offset > 0 then
data[this_db] = extract_objects_from_response( response_chunk, this_db, meta )
end
if offset > 1 and meta.unordered then
-- fetch an object immediately in front of inetnum
stdnse.debug5("%s Searching for an object group immediately before this range.", this_db)
-- split objects from the record, up to offset. Last object should be the one we want.
local obj_sel = stringaux.strsplit( "\r?\n\r?\n", response:sub( 1, offset ) )
response_chunk = "\n" .. obj_sel[#obj_sel] .. "\n"
-- check if any of the objects we like match this single object in response chunk
for ob, t in pairs( meta.fieldreq ) do
if ob ~= "ob_exist" and type( t.ob_start ) == "string" and response_chunk:match( t.ob_start ) then
data[this_db][ob] = extract_objects_from_response( response_chunk, this_db, meta, ob )
end
end
end -- if offset
end -- if meta.smallnet_rule
-- collect, from each extracted object, the tables of field values and positions and concatenate these
-- to provide the ability to easily compare two results
local coll, comp = {}, ""
for ob, t in pairs( data[this_db] ) do
for i, comp_string in pairs( t.for_compare ) do
coll[#coll+1] = { i, comp_string }
end
-- kill these now they're collected
data[this_db][ob].for_compare = nil
end
-- sort them by position in the record, ascending
table.sort( coll, function(a,b) return a[1]<b[1] end )
-- concatenate them to create a long string we can compare. Assign to .comparison after the debug bit following...
for i, v in ipairs( coll ) do
comp = comp .. v[2]
end
-- DEBUG
stdnse.debug5("%s Fields captured :", this_db)
for ob, t in pairs( data[this_db] ) do
for fieldname, fieldvalue in pairs( t ) do
stdnse.debug5("%s %s.%s %s.", this_db, ob, fieldname, fieldvalue)
end
end
-- add comparison string to extracted data
data[this_db].comparison = comp
-- add mirrored_db to extracted data
data[this_db].mirror = mirrored_db
end -- have objects
-- If we are accepting a record, only cache the data for that record
if (have_objects and not nextdb) or nmap.registry.whois.nofollow then
-- no redirect - accept as result and clear any previous data
data = data[this_db]
data.id = this_db
elseif nextdb and table.concat( tracking.completed, " " ):match( nextdb ) then
-- redirected to a previously queried service - accept as result
data = data[nextdb]
data.id = nextdb
nextdb = nil
elseif have_objects and ( data.iana > 1 ) and not table.concat( tracking.completed, " " ):match( nmap.registry.whois.whoisdb.arin.id ) then
-- two redirects to IANA - query ARIN next (which we should probably have done already!)
nextdb = nmap.registry.whois.whoisdb.arin.id
elseif have_objects and ( data.iana > 1 ) and table.concat( tracking.completed, " " ):match( nmap.registry.whois.whoisdb.arin.id ) then
-- two redirects to IANA - accept result from ARIN
data = data[nmap.registry.whois.whoisdb.arin.id]
data.id = nmap.registry.whois.whoisdb.arin.id
nextdb = nil
elseif not have_objects then
data = data[this_db]
data.id = this_db
end
-- cache our analysis
local range
if have_objects then
if data[this_db] and data[this_db].ob_netnum then
range = data[this_db].ob_netnum[meta.reg]
elseif data.ob_netnum and data.mirror then
range = data.ob_netnum[nmap.registry.whois.whoisdb[data.mirror].reg]
elseif data.ob_netnum then
range = data.ob_netnum[nmap.registry.whois.whoisdb[data.id].reg]
end
-- if nocache then enforce a smallest allowed prefix length
-- (these values should match those in add_to_cache)
if not nmap.registry.whois.using_cache and not nextdb then
local smallest_allowed_prefix = 29
if range:match( ":" ) then
smallest_allowed_prefix = 48
end
local range_prefix = get_prefix_length( range )
if type( range_prefix ) ~= "number" or range_prefix < smallest_allowed_prefix then
range = nil
end
end
-- prevent caching (0/0 or /8) or (::/0 or /23) or
range = not_short_prefix( ip, range, nextdb )
end
add_to_cache( ip, range, nextdb, data )
return data
end
---
-- Extracts Whois record objects (or a single object) and accompanying fields from the supplied (possibly partial) response to a whois query.
-- If a fifth parameter specific_object is not supplied, all objects defined in fields_meta will be captured if they are present in the response.
-- @param response_string String obtained from a service in response to our query.
-- @param db String id of the whois service queried.
-- @param meta Table, nmap.registry.whois.whoisdb[db] where db is either the service queried or a mirrored service.
-- @param specific_object Optional string index of a single object defined in fields_meta (e.g. "inetnum").
-- @return Table indexed by object name containing the fields captured for each object found.
function extract_objects_from_response( response_string, db, meta, specific_object )
local objects_to_extract = {}
local extracted_objects = {}
if type( response_string ) ~= "string" or response_string == "" then return {} end
if type( meta ) ~= "table" or type( meta.fieldreq ) ~= "table" then return {} end
-- we either receive a table for one object or for all objects
if type( specific_object ) == "string" and meta.fieldreq[specific_object] then
objects_to_extract[specific_object] = meta.fieldreq[specific_object]
stdnse.debug5("Extracting a single object: %s.", specific_object)
else
stdnse.debug5("Extracting all objects.")
objects_to_extract = meta.fieldreq
end
for object_name, object in pairs( objects_to_extract ) do
if object_name and object_name ~= "ob_exist" then
stdnse.debug5("Seeking object group: %s.", object_name)
extracted_objects[object_name] = {}
extracted_objects[object_name].for_compare = {} -- this will allow us to compare two tables
-- get a substr of response_string that corresponds to a single object
local ob_start, j = response_string:find( object.ob_start )
local i, ob_end = response_string:find( object.ob_end, j )
-- if we could not find the end, make the end EOF
ob_end = ob_end or -1
if ob_start and ob_end then
stdnse.debug5("Capturing: %s with indices %s and %s.", object_name, ob_start, ob_end)
local obj_string = response_string:sub( ob_start, ob_end )
for fieldname, pattern in pairs( object ) do
if fieldname ~= "ob_start" and fieldname ~= "ob_end" then
local data_pos, data_string = obj_string:find( pattern ), trim( obj_string:match( pattern ) )
if data_string then
extracted_objects[object_name][fieldname] = data_string
extracted_objects[object_name].for_compare[data_pos+ob_start] = data_string
end
end
end
end -- if ob_start and ob_end
end -- if object_name
end -- for object_name
if specific_object then extracted_objects = extracted_objects[specific_object] end -- returning one object
return extracted_objects
end -- function
---
-- Checks for referrals in fields extracted from the whois query response.
-- @param db String id of the whois service queried.
-- @param data Table, indexed by whois service id, of extracted fields.
-- @param meta Table, nmap.registry.whois.whoisdb[db] where db is either the service queried or a mirrored service.
-- @return Boolean "found". True if a referral is not found (i.e. No Referral means the desired record has been "found"), otherwise False.
-- @return String "redirect". Service id to which we are referred, or nil.
-- @return Number "iana_count". This is the total number of referral to IANA for this Target (for all queries) and is stored in data.iana.
-- @see redirection_validation
function redirection_rules( db, data, meta )
if type( db ) ~= "string" or db == "" or type( data ) ~= "table" or not next( data ) then
return false, nil, nil
end
local found = false
local redirect = nil
local iana_count
if type( data.iana ) == "number" then
iana_count = data.iana
else
iana_count = 0
end
if not meta or not meta.redirects then
return found, redirect, iana_count
end
---
-- Decides the value of a redirect and whether it should be followed. Referrals to IANA, found in whois records that represent the
-- "Whole Address Space", are acted upon by redirecting to ARIN or accepting the record from ARIN if it was previously queried. This
-- function also catches (ignores) referrals to the referring service - which happens as a side-effect of the method of redirection detection.
-- The return values of this function will be returned by its parent function.
-- @param directed_to String id of a whois service.
-- @param directed_from String id of a whois service.
-- @param icnt Number of total redirects to IANA.
-- @return Boolean "found". True if a redirect is not found or ignored, otherwise False.
-- @return String "redirect". Service id to which we are redirected, or nil.
-- @return Number "iana_count" which is incremented here if applicable.
local redirection_validation = function( directed_to, directed_from, icnt )
local iana = nmap.registry.whois.whoisdb.iana.id
local arin = nmap.registry.whois.whoisdb.arin.id
-- arin record points to iana so we won't follow and we assume we have our record
if directed_to == iana and directed_from == arin then
stdnse.debug4("%s Accept arin record (matched IANA).", directed_from)
return true, nil, ( icnt+1 )
end
-- non-arin record points to iana so we query arin next
if directed_to == iana then
stdnse.debug4("Redirecting to arin (matched IANA).")
return false, arin, ( icnt+1 )
end
-- a redirect, but not to iana or to self, so we follow it.
if directed_to ~= nmap.registry.whois.whoisdb[directed_from].id then
stdnse.debug4("%s redirects us to %s.", directed_from, directed_to)
return false, directed_to, icnt
end
-- redirect to self
return true, nil, icnt
end --redirection_validation
-- iterate over each table of redirect info for a specific field
for _, redirect_elems in ipairs( meta.redirects ) do
local obj, fld, pattern = table.unpack( redirect_elems ) -- three redirect elements
-- if a field has been captured for the given redirect info
if data[db][obj] and data[db][obj][fld] then
stdnse.debug5("Seek redirect in object: %s.%s for %s.", obj, fld, pattern)
-- iterate over nmap.registry.whois.whoisdb to find pattern (from each service) in the designated field
for member, mem_properties in pairs( nmap.registry.whois.whoisdb ) do
-- if pattern if found in the field, we have a redirect to member
if type( mem_properties[pattern] ) == "string" and string.lower( data[db][obj][fld] ):match( mem_properties[pattern] ) then
stdnse.debug5("Matched %s in %s.%s.", pattern, obj, fld)
return redirection_validation( nmap.registry.whois.whoisdb[member].id, db, iana_count )
elseif type( mem_properties[pattern] ) == "table" then
-- pattern is an array of patterns
for _, pattn in ipairs( mem_properties[pattern] ) do
if type( pattn ) == "string" and string.lower( data[db][obj][fld] ):match( pattn ) then
stdnse.debug5("Matched %s in %s.%s.", pattern, obj, fld)
return redirection_validation( nmap.registry.whois.whoisdb[member].id, db, iana_count )
end
end
end
end -- for mem, mem_properties
end
end -- for _,v in ipairs
-- if redirects have not been found then assume that the record has been found.
found = true
return found, redirect, iana_count
end
---
-- Attempts to reduce the query response to a subset containing the most specific assignment information.
-- It does this by collecting inetnum objects (and their positions in the response) and choosing the smallest assignment represented by them.
-- A subset beginning with the most specific inetnum object and ending before any further inetnum objects is returned along with the position
-- of the subset within the entire response.
-- @param response String obtained from a whois service in response to our query.
-- @param db String id of the service from which the response was obtained.
-- @param ip String representing the Target's IP address.
-- @param meta Table, nmap.registry.whois.whoisdb[db] where db is either the service queried or a mirrored service.
-- @return String containing the most specific part of the response (or the entire response if only one inetnum object is present).
-- @return Number position of the start of the most specific part of the response.
-- @see smallest_range
function constrain_response( response, db, ip, meta )
local strbgn = 1
local strend = 1
local ptr = 1
local mptr = {}
local bound = nil
-- collect all inetnums objects (and their position) into a table
while strbgn and meta.fieldreq do
strbgn, strend = response:find( meta.fieldreq.ob_exist, strend )
if strbgn then
local pair = {}
pair.pointer = strbgn
pair.range = trim( response:match( meta.smallnet_rule, strbgn ) )
mptr[#mptr+1] = pair
end
end
if # mptr > 1 then
-- find the closest one to host.ip and constrain the response to it
stdnse.debug5("%s Focusing on the smallest of %s address ranges.", db, #mptr)
-- sort the table mptr into nets ascending
table.sort( mptr, smallest_range )
-- select the first net that includes host.ip
local str_net
local index
for i, pointer_to_inetnum in ipairs( mptr ) do
if ipOps.ip_in_range( ip, pointer_to_inetnum.range ) then
str_net = pointer_to_inetnum.range
ptr = pointer_to_inetnum.pointer
index = i
break
end
end
if mptr[index+1] and ( mptr[index+1].pointer > mptr[index].pointer ) then
bound = mptr[index+1].pointer
end
stdnse.debug5("%s Smallest range containing target IP addr. is %s.", db, trim( str_net ))
-- isolate inetnum and associated objects
if bound then
stdnse.debug5("%s smallest range is offset from %s to %s.", db, ptr, bound)
-- get from pointer to bound
return response:sub(ptr,bound), ptr
else
stdnse.debug5("%s smallest range is offset from %s to %s.", db, ptr, "the end")
-- or get the whole thing from the pointer onwards
return response:sub(ptr), ptr
end
end -- if # mptr
return response, 0
end -- function
---
-- This function prevents the caching of large ranges in certain circumstances which would adversely affect lookups against the cache.
-- Specifically we don't allow a cache entry including either a referral or a found record with a range equal to 0/0 or ::/0.
-- Instead we cache an /8 or, in the case of IPv6, /23 - These are large, but safer ranges.
-- Additionally, we don't allow a cache entry for a found record with ranges larger than IPv4 /8 and IPv6 /23.
-- Instead we cache an /24 or, in the case of IPv6, /96 - These are small ranges and are a fair trade-off between accuracy and repeated queries.
-- @param ip String representing the Target's IP address.
-- @param range String representing a range of IP addresses.
-- @usage range = not_short_prefix( ip, range )
-- @return String range - either the supplied, or a modified one (or nil in case of an error).
-- @see get_assignment
function not_short_prefix( ip, range, redirect )
if type( range ) ~= "string" or range == "" then return nil end
local err, zero_first, zero_last, fake_prefix, short_prefix, safe_prefix, first, last = {}
if range:match( ":" ) then
short_prefix = 23
safe_prefix = 96
zero_first, zero_last, err[#err+1] = ipOps.get_ips_from_range( "::/0" )
else
short_prefix = 8
safe_prefix = 24
zero_first, zero_last, err[#err+1] = ipOps.get_ips_from_range( "0/0" )
end
first, last, err[#err+1] = ipOps.get_ips_from_range( range )
if #err > 0 then
stdnse.debug1("Error in not_short_prefix: s%.", table.concat( err, " " ))
return nil
end
if ipOps.compare_ip( first, "eq", zero_first ) and ipOps.compare_ip( last, "eq", zero_last ) then
return ( get_assignment ( ip, short_prefix ) )
elseif not redirect and ( get_prefix_length( range ) <= short_prefix ) then
return ( get_assignment ( ip, safe_prefix ) )
end
return range
end
---
-- Caches discovered records and referrals in the registry.
-- The cache is indexed by the Target IP addresses sent as Whois query terms.
-- A lookup against the cache is performed by testing the cached IP address range, hence a range must always be present in each cache entry.
-- Where a range is not passed as a parameter, a small assignment containing the Target's IP address is instead cached.
-- Either a referral or output data should also be present in the cache - so one or the other should always be passed as a parameter.
-- @param ip String representing the Target's IP address.
-- @param range String representing the most specific assignment found in a whois record. May be nil.
-- @param redirect String id of a referred service defined in whoisdb.
-- @param data Table or String of extracted data.
-- @see get_assignment
function add_to_cache( ip, range, redirect, data )
if type( ip ) ~= "string" or ip == "" then return end
local af, longest_prefix
if ip:match( ":" ) then
af = "ipv6"
longest_prefix = 48 -- increased from 32 (20080902).
else
af = "ipv4"
longest_prefix = 29 -- 8 hosts
end
-- we need to cache some range so we'll cache the small assignment that includes ip.
if type( range ) ~= "string" or type( get_prefix_length( range ) ) ~= "number" then
range = get_assignment( ip, longest_prefix )
stdnse.debug5("Caching an assumed Range: %s", range)
end
nmap.registry.whois.cache[ip] = {} -- destroy any previous cache entry for this target.
nmap.registry.whois.cache[ip].data = data
nmap.registry.whois.cache[ip].range = range
nmap.registry.whois.cache[ip].redirect = redirect
end
---
-- When passed to <code>table.sort</code>, will sort a table of tables containing IP address ranges in ascending order of size.
-- Identical ranges will be sorted in descending order of their position within a record if it is present.
-- @param range_1 Table: {range = String, pointer = Number}
-- where range is an IP address range and pointer is the position of that range in a record.
-- @param range_2 Same as range_1.
-- @return Boolean True if the positions of range_1 and range_2 in the table being sorted are correct, otherwise false.
function smallest_range( range_1, range_2 )
local sorted = true -- return value (defaulting true to avoid a loop)
local r1_first, r1_last = ipOps.get_ips_from_range( range_1.range )
local r2_first, r2_last = ipOps.get_ips_from_range( range_2.range )
if range_1.pointer
and ipOps.compare_ip( r1_first, "eq", r2_first )
and ipOps.compare_ip( r1_last, "eq", r2_last )
and range_1.pointer < range_2.pointer then
sorted = false
end
if ipOps.compare_ip( r1_first, "le", r2_first ) and ipOps.compare_ip( r1_last, "ge", r2_last ) then sorted = false end
return sorted
end
---
-- Given an IP address and a prefix length, returns a string representing a valid IP address assignment (size is not checked) which contains
-- the supplied IP address. For example, with ip = 192.168.1.187 and prefix = 24 the return value will be 192.168.1.1-192.168.1.255
-- @param ip String representing an IP address.
-- @param prefix String or number representing a prefix length. Should be of the same address family as ip.
-- @return String representing a range of addresses from the first to the last hosts (or nil in case of an error).
-- @return Nil or error message in case of an error.
function get_assignment( ip, prefix )
local some_ip, err = ipOps.ip_to_bin( ip )
if err then return nil, err end
prefix = tonumber( prefix )
if not prefix or ( prefix < 0 ) or ( prefix > string.len( some_ip ) ) then
return nil, "Error in get_assignment: Invalid prefix length."
end
local hostbits = string.sub( some_ip, prefix + 1 )
hostbits = string.gsub( hostbits, "1", "0" )
local first = string.sub( some_ip, 1, prefix ) .. hostbits
err = {}
first, err[#err+1] = ipOps.bin_to_ip( first )
local last
last, err[#err+1] = ipOps.get_last_ip( ip, prefix )
if #err > 0 then return nil, table.concat( err, " " ) end
return first .. "-" .. last
end
---
-- Controls what to output at the end of the script execution. Attempts to get data from the registry. If the data is a string it is output as
-- it is. If the data is a table then <code>format_data_for_output</code> is called. If there is no cached data, nothing will be output.
-- @param ip String representing the Target's IP address.
-- @param services_queried Table of strings. Each is the id of a whois service queried for the Target (tracking.completed).
-- @return String - Host Script Results.
-- @see get_output_from_cache, format_data_for_output
function output( ip, services_queried )
local data = get_output_from_cache( ip )
if type( data ) == "string" then
return data
elseif type( data ) == "table" then
return format_data_for_output( data )
end
if type( services_queried ) ~= "table" then
stdnse.debug1("Error in output(): No data found.")
return nil
elseif #services_queried == 0 then
stdnse.debug1("Error in output(): No data found, no queries were completed.")
return nil
elseif #services_queried > 0 then
stdnse.debug1("Error in output(): No data found - could not understand query responses.")
return nil
end
return nil -- just to be safe
end
---
-- Retrieves data applicable to the Target from the registry. Cached data is only returned if the Target IP matches a key in the cache.
-- If the Target IP is in a range for which there exists cached data then a pointer string is instead returned.
-- @param ip String representing the Target's IP address.
-- @return Table or string or nil.
-- @see get_cache_key
function get_output_from_cache( ip )
local ip_key = get_cache_key( ip )
if not ip_key then
stdnse.debug1("Error in get_output_from_cache().")
return nil
end
local cache_data = nmap.registry.whois.cache[ip_key]
if ip == ip_key then
return cache_data.data
else
return "See the result for " .. ip_key .. "."
end
end
---
-- Uses the output_short or output_long tables to format the supplied table of data for output as a string.
-- @param data Table of captured fields grouped into whois record objects from a single record.
-- data.id is a string id of the service from which the record was retrieved and data.mirror is a string id of a mirrored service.
-- @return String, ready for output (i.e. to be returned by action() ).
function format_data_for_output( data )
-- DISPLAY THE FOUND RECORD
-- ipairs over the table that dictates the order in which fields
-- should be output
local output, display_owner, display_rules = {}
if data.mirror then
display_owner = nmap.registry.whois.whoisdb[data.mirror]
else
display_owner = nmap.registry.whois.whoisdb[data.id]
end
if nmap.verbosity() > 0 then
display_rules = display_owner.output_long or display_owner.output_short
else
display_rules = display_owner.output_short or display_owner.output_long
end
if not display_rules then return "Could not format results for display." end
output[#output+1] = "Record found at "
output[#output+1] = nmap.registry.whois.whoisdb[data.id].hostname
for _, objects in ipairs( display_rules ) do
local object_name, fields
if type( objects[1] ) == "string" and objects[1] ~= "" and data[objects[1]] then
object_name = objects[1]
end
if object_name and type( objects[2] ) == "table" and #objects[2] > 0 then
fields = objects[2]
end
if fields then
for _, field_name in ipairs( fields ) do
if type( field_name ) == "string" and data[object_name][field_name] then
output[#output+1] = "\n"
output[#output+1] = field_name
output[#output+1] = ": "
output[#output+1] = data[object_name][field_name]
elseif type( field_name ) == "table" then
local first_in_line = true
for _, field_name_sameline in ipairs( field_name ) do
if type( field_name_sameline ) == "string" and data[object_name][field_name_sameline] then
if first_in_line then
first_in_line = false
output[#output+1] = "\n"
else
output[#output+1] = " " -- the space between items on a line
end
output[#output+1] = field_name_sameline
output[#output+1] = ": "
output[#output+1] = data[object_name][field_name_sameline]
end
end
end
end
end
end
if #output < 3 then
output[#output+1] = ", but its content was not understood."
end
return ( table.concat( output ):gsub( "[%s\n]\n", "\n" ) )
end
---
-- Trims space characters from either end of a string and converts an empty string to nil.
-- @param to_trim String to be trimmed.
-- @return String, trimmed. If the string is empty before or after trimming (or if the parameter was not a string) then returns nil.
function trim( to_trim )
if type( to_trim ) ~= "string" or to_trim == "" then return nil end
local trimmed = ( string.gsub( to_trim, "^%s*(.-)%s*$", "%1" ) )
if trimmed == "" then trimmed = nil end
return trimmed
end
---
-- Called once per script invocation, the purpose of this function is to populate the registry with variables and data for use by all threads.
-- @see get_args, get_local_assignments_data
function script_init()
---
-- fields_meta is a table of patterns and captures and defines from which fields of a whois record to extract data.
-- The fields are grouped into sets of RPSL-like objects with a key (e.g. rpsl, arin) which identifies the set.
--
-- ob_exist: A pattern that is used to determine whether a record contains a set of objects.
-- It does not have to be unique to the set of objects. It does not require captures.
-- ob_netnum: A RPSL-like object containing fields describing the Address Assignment. This object is mandatory for this script.
-- Other optional objects include: ob_org (organisation), ob_role (role), ob_persn (person) and ob_cust (customer).
--
-- Each object table must contain the following:
-- ob_start: Pattern for the first field in the object and which marks the start of the object. Does not require captures.
-- ob_end: Pattern for the last field in the object and which marks the end of the object. Usually ends with "\r?\n\r?\n".
-- Does not require captures.
--
-- The remaining key-value pairs for each object should conform to the following:
-- key: is a short name for the field in a whois record and which will be displayed in the scripts output to identify the field.
-- value: is a pattern for the field and contains a capture for the data required to be captured.
nmap.registry.whois.fields_meta = {
rpsl = {
ob_exist = "\r?\n?%s*[Ii]net6?num:%s*.-\r?\n",
ob_netnum = {
ob_start = "\r?\n?%s*[Ii]net6?num:%s*.-\r?\n",
ob_end = "\r?\n%s*[Ss]ource:%s*.-\r?\n\r?\n",
inetnum = "\r?\n%s*[Ii]net6?num:%s*(.-)\r?\n",
netname = "\r?\n%s*[Nn]et[-]-[Nn]ame:%s*(.-)\r?\n",
nettype = "\r?\n%s*[Nn]et[-]-[Tt]ype:%s*(.-)\r?\n",
descr = "[Dd]escr:[^\r?\n][%s]*(.-)\r?\n",
country = "\r?\n%s*[Cc]ountry:%s*(.-)\r?\n",
status = "\r?\n%s*[Ss]tatus:%s*(.-)\r?\n",
source = "\r?\n%s*[Ss]ource:%s*(.-)\r?\n"
},
ob_org = {
ob_start = "\r?\n%s*[Oo]rgani[sz]ation:%s*.-\r?\n",
ob_end = "\r?\n%s*[Ss]ource:%s*.-\r?\n\r?\n",
organisation = "\r?\n%s*[Oo]rgani[sz]ation:%s*(.-)\r?\n",
orgname = "\r?\n%s*[Oo]rg[-]-[Nn]ame:%s*(.-)\r?\n",
descr = "[Dd]escr:[^\r?\n][%s]*(.-)\r?\n",
email = "\r?\n%s*[Ee][-]-[Mm]ail:%s*(.-)\r?\n"
},
ob_role = {
ob_start = "\r?\n%s*[Rr]ole:%s*.-\r?\n",
ob_end = "\r?\n%s*[Ss]ource:%s*.-\r?\n\r?\n",
role = "\r?\n%s*[Rr]ole:%s*(.-)\r?\n",
email = "\r?\n%s*[Ee][-]-[Mm]ail:%s*(.-)\r?\n"
},
ob_persn = {
ob_start = "\r?\n%s*[Pp]erson:%s*.-\r?\n",
ob_end = "\r?\n%s*[Ss]ource:%s*.-\r?\n\r?\n",
person = "\r?\n%s*[Pp]erson:%s*(.-)\r?\n",
email = "\r?\n%s*[Ee][-]-[Mm]ail:%s*(.-)\r?\n"
}
},
arin = {
ob_exist = "\r?\n%s*[Nn]et[-]-[Rr]ange:.-\r?\n",
ob_netnum = {
ob_start = "\r?\n%s*[Nn]et[-]-[Rr]ange:.-\r?\n",
ob_end = "\r?\n\r?\n",
netrange = "\r?\n%s*[Nn]et[-]-[Rr]ange:(.-)\r?\n",
netname = "\r?\n%s*[Nn]et[-]-[Nn]ame:(.-)\r?\n",
nettype = "\r?\n%s*[Nn]et[-]-[Tt]ype:(.-)\r?\n"
},
ob_org = {
ob_start = "\r?\n%s*[Oo]rg[-]-[Nn]ame:.-\r?\n",
ob_end = "\r?\n\r?\n",
orgname = "\r?\n%s*[Oo]rg[-]-[Nn]ame:(.-)\r?\n",
orgid = "\r?\n%s*[Oo]rg[-]-[Ii][Dd]:(.-)\r?\n",
stateprov = "\r?\n%s*[Ss]tate[-]-[Pp]rov:(.-)\r?\n",
country = "\r?\n%s*[Cc]ountry:(.-)\r?\n"
},
ob_cust = {
ob_start = "\r?\n%s*[Cc]ust[-]-[Nn]ame:.-\r?\n",
ob_end = "\r?\n\r?\n",
custname = "\r?\n%s*[Cc]ust[-]-[Nn]ame:(.-)\r?\n",
stateprov = "\r?\n%s*[Ss]tate[-]-[Pp]rov:(.-)\r?\n",
country = "\r?\n%s*[Cc]ountry:(.-)\r?\n"
},
ob_persn = {
ob_start = "\r?\n%s*[Oo]rg[-]-[Tt]ech[-]-[Nn]ame:.-\r?\n",
ob_end = "\r?\n\r?\n",
orgtechname = "\r?\n%s*[Oo]rg[-]-[Tt]ech[-]-[Nn]ame:(.-)\r?\n",
orgtechemail = "\r?\n%s*[Oo]rg[-]-[Tt]ech[-]-[Ee][-]-[Mm]ail:(.-)\r?\n"
}
},
lacnic = {
ob_exist = "\r?\n%s*[Ii]net6?num:%s*.-\r?\n",
ob_netnum = {
ob_start = "\r?\n%s*[Ii]net6?num:%s*.-\r?\n",
ob_end = "\r?\n\r?\n",
inetnum = "\r?\n%s*[Ii]net6?num:%s*(.-)\r?\n",
owner = "\r?\n%s*[Oo]wner:%s*(.-)\r?\n",
ownerid = "\r?\n%s*[Oo]wner[-]-[Ii][Dd]:%s*(.-)\r?\n",
responsible = "\r?\n%s*[Rr]esponsible:%s*(.-)\r?\n",
country = "\r?\n%s*[Cc]ountry:%s*(.-)\r?\n",
source = "\r?\n%s*[Ss]ource:%s*(.-)\r?\n"},
ob_persn = {ob_start = "\r?\n%s*[Pp]erson:%s*.-\r?\n",
ob_end = "\r?\n\r?\n",
person = "\r?\n%s*[Pp]erson:%s*(.-)\r?\n",
email = "\r?\n%s*[Ee][-]-[Mm]ail:%s*(.-)\r?\n"
}
},
jpnic = {
ob_exist = "\r?\n%s*[Nn]etwork%s-[Ii]nformation:%s*.-\r?\n",
ob_netnum = {
ob_start = "[[Nn]etwork%s*[Nn]umber]%s*.-\r?\n",
ob_end = "\r?\n\r?\n",
inetnum = "[[Nn]etwork%s*[Nn]umber]%s*(.-)\r?\n",
netname = "[[Nn]etwork%s*[Nn]ame]%s*(.-)\r?\n",
orgname = "[[Oo]rganization]%s*(.-)\r?\n"
}
}
}
---
-- whoisdb defines the whois services this script is able to query and the script output produced for them.
-- Each entry is a key-value pair where the key is a short name for the service and value is a table of definitions for that service.
-- Note that there is defined here an entry for IANA which does not have a whois service. The entry is defined to allow us to redirect to ARIN when
-- IANA is referred to in a record.
--
-- Each service defined should contain the following:
--
-- id: String. Matches the key for the service and is a short name for the service.
-- hostname: String. Hostname of the service.
-- preflag: String. Prepended to the target IP address sent in the whois query.
-- postflag: String. Appended to the target IP address sent in the whois query.
-- longname: Table of strings. Each is a lowercase official (or semi-official) name of the service.
-- fieldreq: Linked table entry. The key identifying a table of a set of objects defined in fields_meta.
-- In its records each whois service displays a particular set of objects as defined here.
-- smallnet_rule: Linked table entry. The key of a pattern for the field defined in fields_meta which captures the Assignment Range. This is an
-- optional entry and is used to extract the smallest (i.e. Most Specific) range from a record when more than one range is detailed.
-- redirects: Table of tables, containing strings. Used to determine whether a record is referring to a different whois service by
-- searching for service specific information in certain fields of the record.
-- Each entry is a table thus: { "search_object", "search_field", "pattern" }
-- search_object: is the key name for a record object defined in fields_meta, in which to search.
-- search_field: is the key name for a field of the object, the data of which to search.
-- pattern: is typically the id or longname key names.
-- In the example: {"ob_org", "orgname", "longname"}, we cycle through each service defined in whoisdb and look for its longname in
-- the ob_org.orgname of the current record.
-- output_short: Table for each object to be displayed when Nmap verbosity is zero. The first element of each table is the object name and the
-- second element is a table of fields to display. The elements of the second may be field names, which are each output to a new
-- line, or tables containing field names which are output to the same line.
-- output_long: Table for each object to be displayed when Nmap verbosity is one or above. The structure is the same as output_short.
-- reg: String name for the field in ob_netnum which captures the Assignment Range (e.g. "netrange", "inetnum"), the data of which is
-- cached in the registry.
-- unordered: Boolean. Optional. True if the records from the service display an object other than ob_netnum as the first in the record (such
-- as at ARIN). This flag is used to decide whether we should extract an object immediately before the relevant ob_netnum object
-- from a record.
nmap.registry.whois.whoisdb = {
arin = {
id = "arin",
hostname = "whois.arin.net", preflag = "n +", postflag = "",
longname = {"american registry for internet numbers"},
fieldreq = nmap.registry.whois.fields_meta.arin,
smallnet_rule = nmap.registry.whois.fields_meta.arin.ob_netnum.netrange,
redirects = {
{"ob_org", "orgname", "longname"},
{"ob_org", "orgname", "id"},
{"ob_org", "orgid", "id"} },
output_short = {
{"ob_netnum", {"netrange", "netname"}},
{"ob_org", {"orgname", "orgid", {"country", "stateprov"}}} },
output_long = {
{"ob_netnum", {"netrange", "netname"}},
{"ob_org", {"orgname", "orgid", {"country", "stateprov"}}},
{"ob_cust", {"custname", {"country", "stateprov"}}},
{"ob_persn", {"orgtechname", "orgtechemail"}} },
reg = "netrange",
unordered = true
},
ripe = {
id = "ripe",
hostname = "whois.ripe.net", preflag = "-B", postflag = "",
longname = {"ripe network coordination centre"},
fieldreq = nmap.registry.whois.fields_meta.rpsl,
smallnet_rule = nmap.registry.whois.fields_meta.rpsl.ob_netnum.inetnum,
redirects = {
{"ob_role", "role", "longname"},
{"ob_org", "orgname", "id"},
{"ob_org", "orgname", "longname"} },
output_short = {
{"ob_netnum", {"inetnum", "netname", "descr", "country"}},
{"ob_org", {"orgname", "organisation", "descr", "email"}} },
output_long = {
{"ob_netnum", {"inetnum", "netname", "descr", "country"}},
{"ob_org", {"orgname", "organisation", "descr", "email"}},
{"ob_role", {"role", "email"}},
{"ob_persn", {"person", "email"}} },
reg = "inetnum"
},
apnic = {
id = "apnic",
hostname = "whois.apnic.net", preflag = "", postflag = "",
longname = {"asia pacific network information centre"},
fieldreq = nmap.registry.whois.fields_meta.rpsl,
smallnet_rule = nmap.registry.whois.fields_meta.rpsl.ob_netnum.inetnum,
redirects = {
{"ob_netnum", "netname", "id"},
{"ob_org", "orgname", "longname"},
{"ob_role", "role", "longname"},
{"ob_netnum", "source", "id"} },
output_short = {
{"ob_netnum", {"inetnum", "netname", "descr", "country"}},
{"ob_org", {"orgname", "organisation", "descr", "email"}} },
output_long = {
{"ob_netnum", {"inetnum", "netname", "descr", "country"}},
{"ob_org", {"orgname", "organisation", "descr", "email"}},
{"ob_role", {"role", "email"}},
{"ob_persn", {"person", "email"}} },
reg = "inetnum"
},
lacnic = {
id = "lacnic",
hostname = "whois.lacnic.net", preflag = "", postflag = "",
longname =
{"latin american and caribbean ip address regional registry"},
fieldreq = nmap.registry.whois.fields_meta.lacnic,
smallnet_rule = nmap.registry.whois.fields_meta.lacnic.ob_netnum.inetnum,
redirects = {
{"ob_netnum", "ownerid", "id"},
{"ob_netnum", "source", "id"} },
output_short = {
{"ob_netnum",
{"inetnum", "owner", "ownerid", "responsible", "country"}} },
output_long = {
{"ob_netnum",
{"inetnum", "owner", "ownerid", "responsible", "country"}},
{"ob_persn", {"person", "email"}} },
reg = "inetnum"
},
afrinic = {
id = "afrinic",
hostname = "whois.afrinic.net", preflag = "-c", postflag = "",
longname = {
"african internet numbers registry",
"african network information center"
},
fieldreq = nmap.registry.whois.fields_meta.rpsl,
smallnet_rule = nmap.registry.whois.fields_meta.rpsl.ob_netnum.inetnum,
redirects = {
{"ob_org", "orgname", "longname"} },
output_short = {
{"ob_netnum", {"inetnum", "netname", "descr", "country"}},
{"ob_org", {"orgname", "organisation", "descr", "email"}} },
output_long = {
{"ob_netnum", {"inetnum", "netname", "descr", "country"}},
{"ob_org", {"orgname", "organisation", "descr", "email"}},
{"ob_role", {"role", "email"}},
{"ob_persn", {"person", "email"}} },
reg = "inetnum"
},--[[
jpnic = {
id = "jpnic",
hostname = "whois.nic.ad.jp", preflag = "", postflag = "/e",
longname = {"japan network information center"},
fieldreq = nmap.registry.whois.fields_meta.jpnic,
output_short = {
{"ob_netnum", {"inetnum", "netname", "orgname"}} },
reg = "inetnum" },--]]
iana = { -- not actually a db but required here
id = "iana", longname = {"internet assigned numbers authority"}
}
}
nmap.registry.whois.m_none = {
"\n%s*([Nn]o match found for[%s+]*$addr)",
"\n%s*([Uu]nallocated resource:%s*$addr)",
"\n%s*([Rr]eserved:%s*$addr)",
"\n[^\n]*([Nn]ot%s[Aa]ssigned[^\n]*$addr)",
"\n%s*(No match!!)%s*\n",
"(Invalid IP or CIDR block:%s*$addr)",
"\n%s*%%%s*(Unallocated and unassigned in LACNIC block:%s*$addr)",
}
nmap.registry.whois.m_err = {
"\n%s*([Aa]n [Ee]rror [Oo]ccured)%s*\n",
"\n[^\n]*([Ee][Rr][Rr][Oo][Rr][^\n]*)\n"
}
nmap.registry.whois.remote_assignments_files = {}
nmap.registry.whois.remote_assignments_files.ipv4 = {
{
remote_resource = "https://www.iana.org/assignments/ipv4-address-space/ipv4-address-space.txt",
local_resource = "ipv4-address-space",
match_assignment = "^%s*([%.%d]+/%d+)",
match_service = "whois%.(%w+)%.net"
}
}
nmap.registry.whois.remote_assignments_files.ipv6 = {
--[[{
remote_resource = "http://www.iana.org/assignments/ipv6-address-space/ipv6-address-space.txt",
local_resource = "ipv6-address-space",
match_assignment = "^([:%x]+/%d+)",
match_service = "^[:%x]+/%d+%s*(%w+)"
},--]]
{
remote_resource = "https://www.iana.org/assignments/ipv6-unicast-address-assignments/ipv6-unicast-address-assignments.txt",
local_resource = "ipv6-unicast-address-assignments",
match_assignment = "^%s*([:%x]+/%d+)",
match_service = "whois%.(%w+)%.net"
}
}
local err
-- get and validate any --script-args
get_args()
-- mutex for each service
nmap.registry.whois.mutex = {}
for id, v in pairs( nmap.registry.whois.whoisdb ) do
if id ~= "iana" then
nmap.registry.whois.mutex[id] = nmap.mutex(nmap.registry.whois.whoisdb[id])
end
end
-- get IANA assignments lists
if nmap.registry.whois.using_local_assignments_file.ipv4
or nmap.registry.whois.using_local_assignments_file.ipv6 then
nmap.registry.whois.local_assignments_data = get_local_assignments_data()
for _, af in ipairs({"ipv4", "ipv6"}) do
if not nmap.registry.whois.local_assignments_data[af] then
nmap.registry.whois.using_local_assignments_file[af] = false
stdnse.debug1("Cannot use local assignments file for address family %s.", af)
end
end
end
nmap.registry.whois.init_done = true
end
---
-- Parses the command line arguments passed to the script with --script-args.
-- Sets flags in the registry which threads read to determine certain behaviours.
-- Permitted args are 'nofile' - Prevents use of a list of assignments to determine which service to query,
-- 'nofollow' - Prevents following redirects found in records,
-- 'arin', 'ripe', 'apnic', etc. - Service id's, as defined in the whoisdb table in the registry (see script_init).
function get_args()
if not nmap.registry.args then return end
local args = stdnse.get_script_args('whois.whodb')
if type( args ) ~= "string" or ( args == "" ) then return end
local t = {}
-- match words in args which may be whois dbs or other arguments
for db in string.gmatch( args, "%w+" ) do
if not nmap.registry.whois.whoisdb[db] then
if ( db == "nofollow" ) then
nmap.registry.whois.nofollow = true
elseif ( db == "nocache" ) then
nmap.registry.whois.using_cache = false
elseif ( db == "nofile" ) then
nmap.registry.whois.using_local_assignments_file.ipv4 = false
nmap.registry.whois.using_local_assignments_file.ipv6 = false
end
elseif not ( string.match( table.concat( t, " " ), db ) ) then
-- we have a unique valid whois db
t[#t+1] = db
end
end
if ( #t > 0 ) then
-- "nofile" is implied by supplying custom whoisdb_default_order
nmap.registry.whois.using_local_assignments_file.ipv4 = false
nmap.registry.whois.using_local_assignments_file.ipv6 = false
stdnse.debug3("Not using local assignments data because custom whoisdb_default_order was supplied.")
end
if ( #t > 1 ) and nmap.registry.whois.nofollow then
-- using nofollow, we do not follow redirects and can only accept what we find as a record therefore we only accept the first db supplied
t = {t[1]}
stdnse.debug1("Too many args supplied with 'nofollow', only using %s.", t[1])
end
if ( #t > 0 ) then
nmap.registry.whois.whoisdb_default_order = t
stdnse.debug2("whoisdb_default_order: %s.", table.concat( t, " " ))
end
end
---
-- Makes IANA hosted assignments data available for lookups against that data. In more detail it:
-- Caches a local copy of remote assignments data if copies do not currently exist or are out-of-date.
-- Checks whether the cached copies require updating and performs update as required.
-- Parses the cached copies and populates a table of lookup data which is returned to the caller.
-- Sets a flag in the registry to prevent use of the lookup data in the event of an error.
-- @return Table of lookup data (or nil in case of an error).
-- @return Nil or error message in case of an error.
function get_local_assignments_data()
if not next( nmap.registry.whois.remote_assignments_files ) then
stdnse.debug1("Error in get_local_assignments_data: Remote resources not defined in remote_assignments_files registry key")
return nil
end
-- get the directory path where cached files will be stored.
local fetchfile = "nmap-services"
local directory_path, err = get_parentpath( fetchfile )
if err then
stdnse.debug1("Nmap.fetchfile() failed to get a path to %s: %s.", fetchfile, err)
return nil
end
local ret = {}
-- cache or update and parse each remote file for each address family
for address_family, t in pairs( nmap.registry.whois.remote_assignments_files ) do
for i, assignment_data_spec in ipairs( t ) do
local update_required, modified_date, entity_tag
-- do we have a cached file and does it need updating?
local file = directory_path .. assignment_data_spec.local_resource
local exists, readable, writable = file_stat(file)
if not exists and (readable and writable) then
update_required = true
elseif exists and readable then
update_required, modified_date, entity_tag = requires_updating( file )
if update_required and not writable then
update_required = false
readable = false
end
end
local file_content
-- read an existing and up-to-date file into file_content.
if readable and not update_required then
stdnse.debug2("%s was cached less than %s ago. Reading...", file, nmap.registry.whois.local_assignments_file_expiry)
file_content = read_from_file( file )
end
-- cache or update and then read into file_content
local http_response, write_success
if update_required then
http_response = ( conditional_download( assignment_data_spec.remote_resource, modified_date, entity_tag ) )
if not http_response or type( http_response.status ) ~= "number" then
stdnse.debug1("Failed whilst requesting %s.", assignment_data_spec.remote_resource)
elseif http_response.status == 200 then
-- prepend our file header
stdnse.debug2("Retrieved %s.", assignment_data_spec.remote_resource)
file_content = stringaux.strsplit( "\r?\n", http_response.body )
table.insert( file_content, 1, "** Do Not Alter This Line or The Following Line **" )
local hline = {}
hline[#hline+1] = "<" .. os.time() .. ">"
hline[#hline+1] = "<" .. http_response.header["last-modified"] .. ">"
if http_response.header.etag then
hline[#hline+1] = "<" .. http_response.header.etag .. ">"
end
table.insert( file_content, 2, table.concat( hline ) )
write_success, err = write_to_file( file, file_content )
if err then
stdnse.debug1("Error writing %s to %s: %s.", assignment_data_spec.remote_resource, file, err)
end
elseif http_response.status == 304 then
-- update our file header with a new timestamp
stdnse.debug1("%s is up-to-date.", file)
file_content = read_from_file( file )
file_content[2] = file_content[2]:gsub("^<[-+]?%d+>(.*)$", "<" .. os.time() .. ">%1")
write_success, err = write_to_file( file, file_content )
if err then
stdnse.debug1("Error writing to %s: %s.", file, err)
end
else
stdnse.debug1("HTTP %s whilst requesting %s.", http_response.status, assignment_data_spec.remote_resource)
end
end
if file_content then
-- Create a table for this address family (if there isn't one already).
if not ret[address_family] then ret[address_family] = {} end
-- Parse data and add to the table for this address family.
local t
t, err = parse_assignments( assignment_data_spec, file_content )
if #t == 0 or err then
-- good header, but bad file? Kill the file!
write_to_file( file, "" )
stdnse.debug1("Problem with the data in %s.", file)
else
for i, v in pairs( t ) do
ret[address_family][#ret[address_family]+1] = v
end
end
end
end -- file
end -- af
-- If we decide to use more than one assignments file for ipv6 we may need to sort the resultant parsed list so that sub-assignments appear
-- before their parent. This is expensive, but it's worth doing to ensure the lookup process returns the correct service.
-- table.sort( ret.ipv6, sort_assignments )
-- final check for an empty table which we'll convert to nil
for af, t in pairs( ret ) do
if #t == 0 then
ret[af] = nil
end
end
return ret
end
---
-- Uses <code>nmap.fetchfile</code> to get the path of the parent directory of the supplied Nmap datafile SCRIPT_NAME.
-- @param fname String - Filename of an Nmap datafile.
-- @return String - The filepath of the directory containing the supplied SCRIPT_NAME including the trailing slash (or nil in case of an error).
-- @return Nil or error message in case of an error.
function get_parentpath( fname )
if type( fname ) ~= "string" or fname == "" then
return nil, "Error in get_parentpath: Expected fname as a string."
end
local path = nmap.fetchfile( fname )
if not path then
return nil, "Error in get_parentpath: Call to fetchfile() failed."
end
path = path:sub( 1, path:len() - fname:len() )
return path
end
--;
-- Tests a file path to determine whether it exists, can be read from and can be written to.
-- An attempt is made to create the file if it does not exist and no attempt is made to remove
-- it if creation succeeded.
-- @param path Path to a file.
-- @return Boolean True if exists, False if not (at time of calling), nil if determination failed.
-- @return Boolean True if readable, False if not, nil if determination failed.
-- @return Boolean True if writable, False if not, nil if determination failed.
function file_stat( path )
local exists, readable, writable
local f, err = io.open(path, 'r')
if f then
f:close()
exists = true
readable = true
f, err = io.open(path, 'a')
if f then
f:close()
writable = true
elseif err:match('Permission denied') then
writable = false
end
elseif err:match('No such file or directory') then
exists = false
f, err = io.open(path, 'w')
if f then
f:close()
writable = true
f, err = io.open(path, 'r')
if f then
f:close()
readable = true
elseif err:match('Permission denied') then
readable = false
end
elseif err:match('Permission denied') then
writable = false
end
elseif err:match('Permission denied') then
exists = true -- probably
readable = false
end
return exists, readable, writable
end
---
-- Checks whether a cached file requires updating via HTTP.
-- The cached file should contain the following string on the second line: "<timestamp><Last-Modified-Date><Entity-Tag>".
-- where timestamp is number of seconds since epoch at the time the file was last cached and
-- Last-Modified-Date is an HTTP compliant date sting returned by an HTTP server at the time the file was last cached and
-- Entity-Tag is an HTTP Etag returned by an HTTP server at the time the file was last cached.
-- @param file Filepath of the cached file.
-- @return Boolean False if file does not require updating, true otherwise.
-- @return nil or a valid modified-date (string).
-- @return nil or a valid entity_tag (string).
-- @see file_is_expired
function requires_updating( file )
local last_cached, mod, etag, has_expired
local f, err, _ = io.open( file, "r" )
if not f then return true, nil end
local _ = f:read()
local stamp = f:read()
f:close()
if not stamp then return true, nil end
last_cached, mod, etag = stamp:match( "^<([^>]*)><([^>]*)><?([^>]*)>?$" )
if (etag == "") then etag = nil end
if not ( last_cached or mod or etag ) then return true, nil end
if not (
mod:match( "%a%a%a,%s%d%d%s%a%a%a%s%d%d%d%d%s%d%d:%d%d:%d%d%s%u%u%u" )
or
mod:match( "%a*day,%d%d-%a%a%a-%d%d%s%d%d:%d%d:%d%d%s%u%u%u" )
or
mod:match( "%a%a%a%s%a%a%a%s%d?%d%s%d%d:%d%d:%d%d%s%d%d%d%d" )
) then
mod = nil
end
if not etag and not mod then
return true, nil
end
-- Check whether the file was cached within local_assignments_file_expiry (registry value)
has_expired = file_is_expired( last_cached )
return has_expired, mod, etag
end
---
-- Reads a file, line by line, into a table.
-- @param file String representing a filepath.
-- @return Table (array-style) of lines read from the file (or nil in case of an error).
-- @return Nil or error message in case of an error.
function read_from_file( file )
if type( file ) ~= "string" or file == "" then
return nil, "Error in read_from_file: Expected file as a string."
end
local f, err, _ = io.open( file, "r" )
if not f then
stdnse.debug1("Error opening %s for reading: %s", file, err)
return nil, err
end
local line, ret = nil, {}
while true do
line = f:read()
if not line then break end
ret[#ret+1] = line
end
f:close()
return ret
end
---
-- Performs either an HTTP Conditional GET request if mod_date or e_tag is passed, or a plain GET request otherwise.
-- Will follow a single redirect for the remote resource.
-- @param url String representing the full URL of the remote resource.
-- @param mod_date String representing an HTTP date.
-- @param e_tag String representing an HTTP entity tag.
-- @return Table as per <code>http.request</code> or <code>nil</code> in case of a non-HTTP error.
-- @return Nil or error message in case of an error.
-- @see http.request
function conditional_download( url, mod_date, e_tag )
if type( url ) ~= "string" or url == "" then
return nil, "Error in conditional_download: Expected url as a string."
end
-- mod_date and e_tag allowed to be nil or a non-empty string
if mod_date and ( type( mod_date ) ~= "string" or mod_date == "" ) then
return nil, "Error in conditional_download: Expected mod_date as nil or as a non-empty string."
end
if e_tag and ( type( e_tag ) ~= "string" or e_tag == "" ) then
return nil, "Error in conditional_download: Expected e_tag as nil or as a non-empty string."
end
-- use e_tag in preference to mod_date
local request_options = {}
request_options.header = {}
if e_tag then
request_options.header["If-None-Match"] = e_tag
elseif mod_date then
request_options.header["If-Modified-Since"] = mod_date
end
if not next( request_options.header ) then request_options = nil end
local request_response = http.get_url( url, request_options )
-- follow one redirection
if request_response.status ~= 304
and ( tostring( request_response.status ):match( "30%d" )
and type( request_response.header.location ) == "string"
and request_response.header.location ~= "" ) then
stdnse.debug2("HTTP Status:%d New Location: %s.", request_response.status, request_response.header.location)
request_response = http.get_url( request_response.header.location, request_options )
end
return request_response
end
---
-- Writes the supplied content to file.
-- @param file String representing a filepath (if it exists it will be overwritten).
-- @param content String or table of data to write to file. Empty string or table is permitted.
-- A table will be written to file with each element of the table on a new line.
-- @return Boolean True on success or nil in case of an error.
-- @return Nil or error message in case of an error.
function write_to_file( file, content )
if type( file ) ~= "string" or file == "" then
return nil, "Error in write_to_file: Expected file as a string."
end
if type( content ) ~= "string" and type( content ) ~= "table" then
return nil, "Error in write_to_file: Expected content as a table or string."
end
local f, err, _ = io.open( file, "w" )
if not f then
stdnse.debug1("Error opening %s for writing: %s.", file, err)
return nil, err
end
if ( type( content ) == "table" ) then
content = table.concat( content, "\n" ) or ""
end
f:write( content )
f:close()
return true
end
---
-- Converts raw data from an assignments file into a form optimised for lookups against that data.
-- @param address_family_spec Table (assoc. array) containing patterns for extracting data.
-- @param table_of_lines Table containing a line of data per table element.
-- @return Table - each element of the form { range = { first = data, last = data }, service = data } (or nil in case of an error).
-- @return Nil or error message in case of an error.
function parse_assignments( address_family_spec, table_of_lines )
if #table_of_lines < 1 then
return nil, "Error in parse_assignments: Expected table_of_lines as a non-empty table."
end
local mnetwork = address_family_spec.match_assignment
local mservice = address_family_spec.match_service
local ret, net, svc = {}
for i, line in ipairs( table_of_lines ) do
net = line:match( mnetwork )
if net then
svc = line:match( mservice )
if svc then svc = string.lower( svc ) end
if not svc or ( svc == "iana" ) then
svc = "arin"
elseif not nmap.registry.whois.whoisdb[svc] then
svc = "arin"
end
-- optimise the data
local first_ip, last_ip, err = ipOps.get_ips_from_range( net )
if not err then
local t = { first = first_ip, last = last_ip }
ret[#ret+1] = { range = t, service = svc }
end
end
end
return ret
end
---
-- Checks the age of the supplied timestamp and compares it to the value of local_assignments_file_expiry.
-- @param time_string String representing a timestamp (seconds since epoch).
-- @return Boolean True if the period elapsed since the timestamp is longer than the value of local_assignments_file_expiry
-- also returns true if the parameter is not of the expected type, otherwise returns false.
-- @see sane_expiry_period
function file_is_expired( time_string )
if type( time_string ) ~= "string" or time_string == "" then return true end
local allowed_age = nmap.registry.whois.local_assignments_file_expiry
if allowed_age == "" then return true end
local cached_time = tonumber(time_string)
if not cached_time then return true end
local now_time = os.time()
if now_time < cached_time then return true end
if now_time > ( cached_time + sane_expiry_period( allowed_age ) ) then return true end
return false
end
---
-- Checks that the supplied string represents a period of time between 0 and 7 days.
-- @param period String representing a period.
-- @return Number representing the supplied period or a failsafe period in whole seconds.
-- @see get_period
function sane_expiry_period( period )
local sane_default_expiry = 57600 -- 16h
local max_expiry = 604800 -- 7d
period = get_period( period )
if not period or ( period == "" ) then return sane_default_expiry end
if period < max_expiry then return period end
return max_expiry
end
---
-- Converts a string representing a period of time made up of a quantity and a unit such as "24h"
-- into whole seconds.
-- @param period String combining a quantity and a unit of time.
-- Acceptable units are days (D or d), hours (H or h), minutes (M or m) and seconds (S or s).
-- If a unit is not supplied or not one of the above acceptable units, it is assumed to be seconds.
-- Negative or fractional periods are permitted.
-- @return Number representing the supplied period in whole seconds (or nil in case of an error).
function get_period( period )
if type( period ) ~= 'string' or ( period == "" ) then return nil end
local quant, unit = period:match( "(-?+?%d*%.?%d*)([SsMmHhDd]?)" )
if not ( tonumber( quant ) ) then return nil end
if ( string.lower( unit ) == "m" ) then
unit = 60
elseif ( string.lower( unit ) == "h" ) then
unit = 3600
elseif ( string.lower( unit ) == "d" ) then
unit = 86400
else
-- seconds and catch all
unit = 1
end
return ( math.modf( quant * unit ) )
end
--
-- Passed to <code>table.sort</code>, will sort a table of IP assignments such that sub-assignments appear before their parent.
-- This function is not in use at the moment (see get_local_assignments_data) and will not appear in nse documentation.
-- @param first Table { range = { first = IP_addr, last = IP_addr } }
-- @param second Table { range = { first = IP_addr, last = IP_addr } }
-- @return Boolean True if the tables are already in the correct order, otherwise false.
function sort_assignments( first, second )
local f_lo, f_hi = first.range.first, first.range.last
local s_lo, s_hi = second.range.first, second.range.last
if ipOps.compare_ip( f_lo, "gt", s_lo ) then return false end
if ipOps.compare_ip( f_lo, "le", s_lo ) and ipOps.compare_ip( f_hi, "ge", s_hi ) then
return false
end
return true
end
Related
nmap
nmap
broadcast-bjnp-discover NSE Script
2012-08-05 18:55:40
informix-tables NSE Script
2010-08-19 22:47:52
broadcast-pc-anywhere NSE Script
2011-12-18 09:33:38
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
10 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
0.973 High
EPSS
Percentile
99.8%
Related for NMAP:WHOIS-IP.NSE