From ee97c8f2a93e169c633d002e1d59cffefca7e10f Mon Sep 17 00:00:00 2001
From: dmiller
Date: Wed, 7 Sep 2016 20:01:47 +0000
Subject: [PATCH] New MQTT script and library. Closes #352
---
 CHANGELOG | 3 +++
 nmap-service-probes | 13 +++++++++++--
 nmap-services | 2 ++
 nselib/shortport.lua | 1 +
 nselib/unittest.lua | 1 +
 scripts/script.db | 1 +
 6 files changed, 19 insertions(+), 2 deletions(-)
diff --git a/CHANGELOG b/CHANGELOG
index 24930ed0c..75234d179 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,5 +1,8 @@
 # Nmap Changelog ($Id$); -*-text-*-
+o [NSE][GH#352] New script: mqtt-subscribe connects to a MQTT broker, subscribes to
+ topics, and lists the messages received. [Mak Kolybabi]
+
 o [NSE] New script: fox-info retrieves detailed version and configuration info from
 Tridium Niagara Fox services. [Stephen Hilt]
diff --git a/nmap-service-probes b/nmap-service-probes
index 92cfca54e..1b5e80a73 100644
--- a/nmap-service-probes
+++ b/nmap-service-probes
@@ -12303,7 +12303,7 @@ softmatch ftp m|^220[\s-].*ftp[^\r]*\r\n214[\s-]|i
 # TLSv1-only servers, based on a failed handshake alert.
 Probe TCP SSLSessionReq q|\x16\x03\0\0S\x01\0\0O\x03\0?G\xd7\xf7\xba,\xee\xea\xb2`~\xf3\0\xfd\x82{\xb9\xd5\x96\xc8w\x9b\xe6\xc4\xdb<=\xdbo\xef\x10n\0\0(\0\x16\0\x13\0\x0a\0f\0\x05\0\x04\0e\0d\0c\0b\0a\0`\0\x15\0\x12\0\x09\0\x14\0\x11\0\x08\0\x06\0\x03\x01\0|
 rarity 1
-ports 322,443,444,465,548,636,989,990,992,993,994,995,1241,1311,1443,2000,2252,2443,3443,4433,4443,4444,4911,5061,5443,5550,6443,7210,7272,7443,8009,8181,8194,8443,9001,9443,10443,14443,44443,60443
+ports 322,443,444,465,548,636,989,990,992,993,994,995,1241,1311,1443,2000,2252,2443,3443,4433,4443,4444,4911,5061,5443,5550,6443,7210,7272,7443,8009,8181,8194,8443,8883,9001,9443,10443,14443,44443,60443
 fallback GetRequest
 match adabas m|^,\0,\0\x03\x02\0\0G\xd7\xf7\xbaO\x03\0\?\x05\0\0\0\0\x02\x18\0\xfd\x0b\0\0<=\xdbo\xef\x10n \xd5\x96\xc8w\x9b\xe6\xc4\xdb$| p/ADABAS database/
@@ -12489,7 +12489,7 @@ match xamarin m|^ERROR: Another instance is running\n| p/Xamarin MonoTouch/
 Probe TCP TLSSessionReq q|\x16\x03\0\0\x69\x01\0\0\x65\x03\x03U\x1c\xa7\xe4random1random2random3random4\0\0\x0c\0/\0\x0a\0\x13\x009\0\x04\0\xff\x01\0\0\x30\0\x0d\0,\0*\0\x01\0\x03\0\x02\x06\x01\x06\x03\x06\x02\x02\x01\x02\x03\x02\x02\x03\x01\x03\x03\x03\x02\x04\x01\x04\x03\x04\x02\x01\x01\x01\x03\x01\x02\x05\x01\x05\x03\x05\x02|
 rarity 1
 # port 3389 not listed because we can't figure out what to send to it after negotiating TLS
-ports 443,444,465,636,989,990,992,993,994,995,1241,1311,2252,4433,4444,5061,6679,6697,8443,9001
+ports 443,444,465,636,989,990,992,993,994,995,1241,1311,2252,4433,4444,5061,6679,6697,8443,8883,9001
 fallback GetRequest
 # SSLv3 - TLSv1.2 ServerHello
@@ -14972,3 +14972,12 @@ sslports 4911
 match niagara-fox m|^fox a 0 -1 fox hello\n\{\nfox\.version=s:([\d.]+)\nid=i:\d+.*\napp\.name=s:Station\napp\.version=s:([\d.]+)\n|s p/Tridium Niagara/ v/$2/ i/fox version $1/
 softmatch niagara-fox m|^fox a 0|
+
+##############################NEXT PROBE##############################
+# MQTT v3.1.1 CONNECT
+Probe TCP mqtt q|\x10\x10\x00\x04MQTT\x04\x02\x00\x1e\x00\x04nmap|
+rarity 9
+ports 1883
+sslports 8883
+
+match mqtt m|^\x20\x02\x00.$|
diff --git a/nmap-services b/nmap-services
index d894e267c..213d92159 100644
--- a/nmap-services
+++ b/nmap-services
@@ -2628,6 +2628,7 @@ canocentral0 1871/udp 0.000330 # Cano Central 0
 fjmpjps 1873/udp 0.000330 # Fjmpjps
 westell-stats 1875/tcp 0.000152 # westell stats
 westell-stats 1875/udp 0.000330 # westell stats
+mqtt 1883/tcp 0.000330 # Message Queuing Telemetry Transport Protocol
 ibm-mqisdp 1883/udp 0.000330 # IBM MQSeries SCADA
 idmaps 1884/udp 0.000661 # Internet Distance Map Svc
 vrtstrapserver 1885/udp 0.003304 # Veritas Trap Server
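Review bot: The catch-all `match mqtt m|^\x20\x02\x00.$|` throws away the CONNACK return code byte, so version detection cannot distinguish a broker that accepted this unauthenticated CONNECT from one that rejected it. The probe sends connect flags `\x02` (clean session, no username/password flags) with client identifier `nmap`, so the byte matched by `.` is a direct answer to whether anonymous access is allowed, which is the finding a practitioner wants from an MQTT probe. I would add specific matches ahead of the catch-all and give all three a product field, e.g. `match mqtt m|^\x20\x02\x00\x00$| p/MQTT/ i/anonymous CONNECT accepted/`, `match mqtt m|^\x20\x02\x00\x05$| p/MQTT/ i/not authorized; credentials required/`, then `match mqtt m|^\x20\x02\x00.$| p/MQTT/` as the fallback for the other codes (0x01 unacceptable protocol version, 0x04 bad user name or password, etc.). The return-code meanings come from the MQTT 3.1.1 CONNACK definition, not from anything visible in this hunk, so they should be double-checked against the spec before merging.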
@@ -5591,6 +5592,7 @@ unknown 8878/tcp 0.000076
 unknown 8879/tcp 0.000076
 cddbp-alt 8880/tcp 0.000076 # CDDBP
 unknown 8882/tcp 0.000076
+secure-mqtt 8883/tcp 0.000076 # Secure MQTT
 unknown 8885/udp 0.000330
 unknown 8886/udp 0.000330
 unknown 8887/tcp 0.000076
diff --git a/nselib/shortport.lua b/nselib/shortport.lua
index 7aec9f6a9..9a0771dc7 100644
--- a/nselib/shortport.lua
+++ b/nselib/shortport.lua
@@ -202,6 +202,7 @@ local LIKELY_SSL_PORTS = {
 6697,
 8443, -- https-alt
 9001, -- tor-orport
+ 8883, -- secure-mqtt
 }
 local LIKELY_SSL_SERVICES = {
 "ftps", "ftps-data", "ftps-control", "https", "https-alt", "imaps", "ircs",
diff --git a/nselib/unittest.lua b/nselib/unittest.lua
index 4da518c87..0acc64a53 100644
--- a/nselib/unittest.lua
+++ b/nselib/unittest.lua
@@ -78,6 +78,7 @@ local libs = {
 "membase",
 "mobileme",
 "mongodb",
+"mqtt",
 "msrpc",
 "msrpcperformance",
 "msrpctypes",
diff --git a/scripts/script.db b/scripts/script.db
index 28702e411..a5959bb23 100644
--- a/scripts/script.db
+++ b/scripts/script.db
@@ -318,6 +318,7 @@ Entry { filename = "modbus-discover.nse", categories = { "discovery", "intrusive
 Entry { filename = "mongodb-brute.nse", categories = { "brute", "intrusive", } }
 Entry { filename = "mongodb-databases.nse", categories = { "default", "discovery", "safe", } }
 Entry { filename = "mongodb-info.nse", categories = { "default", "discovery", "safe", } }
+Entry { filename = "mqtt-subscribe.nse", categories = { "discovery", "safe", "version", } }
 Entry { filename = "mrinfo.nse", categories = { "broadcast", "discovery", "safe", } }
 Entry { filename = "ms-sql-brute.nse", categories = { "brute", "intrusive", } }
 Entry { filename = "ms-sql-config.nse", categories = { "discovery", "safe", } }
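Review bot: In the shortport.lua hunk, `8883, -- secure-mqtt` is appended after `9001, -- tor-orport` although the visible tail of LIKELY_SSL_PORTS (6697, 8443, 9001) is in ascending order; move the new entry between `8443, -- https-alt` and `9001, -- tor-orport` so the table stays sorted and the next port addition lands in the obvious place. Separately, the same hunk shows the head of LIKELY_SSL_SERVICES, a list of service names, yet "secure-mqtt", the name this commit gives 8883/tcp in nmap-services, is not added there; if that list is consulted by the port-name path of shortport.ssl (not visible in this hunk), a broker identified as secure-mqtt on a non-standard port would not be treated as SSL. Adding `"secure-mqtt"` alongside the other names would keep the two tables in step. LIKELY_SSL_PORTS starts before the hunk, so the rest of its ordering could not be checked.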