local datetime = require "datetime"
local stdnse = require "stdnse"
local shortport = require "shortport"
local comm = require "comm"
local string = require "string"
local stringaux = require "stringaux"
local table = require "table"
description = [[
OpenWebNet is a communications protocol developed by Bticino since 2000.
Retrieves device identifying information and number of connected devices.
References:
* https://www.myopen-legrandgroup.com/solution-gallery/openwebnet/
* http://www.pimyhome.org/wiki/index.php/OWN_OpenWebNet_Language_Reference
]]
---
-- @usage
-- nmap -p 20000 --script openwebnet-discovery <target>
--
-- @output
-- | openwebnet-discovery:
-- | IP Address: 192.168.200.35
-- | Net Mask: 255.255.255.0
-- | MAC Address: 00:03:50:01:d3:11
-- | Device Type: F453AV
-- | Firmware Version: 3.0.14
-- | Uptime: 12d9h42m1s
-- | Date and Time: 4-07-2017T19:17:27
-- | Kernel Version: 2.3.8
-- | Distribution Version: 3.0.1
-- | Lighting: 115
-- | Automation: 15
-- |_ Burglar Alarm: 12
--
-- @xmloutput
-- <elem key="IP Address">192.168.200.35</elem>
-- <elem key="Net Mask">255.255.255.0</elem>
-- <elem key="MAC Address">00:03:50:01:d3:11</elem>
-- <elem key="Device Type">F453AV</elem>
-- <elem key="Firmware Version">3.0.14</elem>
-- <elem key="Uptime">12d9h42m1s</elem>
-- <elem key="Date and Time">4-07-2017T19:17:27</elem>
-- <elem key="Kernel Version">2.3.8</elem>
-- <elem key="Distribution Version">3.0.1</elem>
-- <elem key="Lighting">115</elem>
-- <elem key="Automation">15</elem>
-- <elem key="Burglar Alarm">12</elem>
author = "Rewanth Cool"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
-- NOTE(review): the script only emits "*#...##" request frames (see action);
-- presumably these are read-only status queries, which is what justifies the
-- "safe" category. Confirm against the vendor reference before extending it
-- with frames that could change device state.
categories = {"discovery", "safe"}
-- Runs against TCP 20000 or any port Nmap has identified as "openwebnet".
portrule = shortport.port_or_service(20000, "openwebnet")
-- Device model names keyed by the numeric code the gateway returns for
-- dimension 15 ("Device Type"); looked up by format_dimensions. A code that
-- is absent here resolves to nil.
-- NOTE(review): codes 13 and 23 both map to "H4684" — confirm against the
-- vendor reference before relying on either entry.
local device = {
[2] = "MHServer",
[4] = "MH200",
[6] = "F452",
[7] = "F452V",
[11] = "MHServer2",
[12] = "F453AV",
[13] = "H4684",
[15] = "F427 (Gateway Open-KNX)",
[16] = "F453",
[23] = "H4684",
[27] = "L4686SDK",
[44] = "MH200N",
[51] = "F454",
[200] = "F454 (new?)"
}
-- OpenWebNet WHO groups, keyed by the number placed in "*#<WHO>*0##" frames.
-- action only queries entries 1..6 and uses the name as the output label;
-- WHO 13 is also the group the identity requests ("*#13**<dim>##") use.
local who = {
[0] = "Scenarios",
[1] = "Lighting",
[2] = "Automation",
[3] = "Power Management",
[4] = "Heating",
[5] = "Burglar Alarm",
[6] = "Door Entry System",
[7] = "Multimedia",
[9] = "Auxiliary",
[13] = "Device Communication",
[14] = "Light+shutters actuators lock",
[15] = "CEN",
[16] = "Sound System",
[17] = "Scenario Programming",
[18] = "Energy Management",
[24] = "Lighting Management",
[25] = "CEN plus",
[1000] = "Diagnostic",
[1001] = "Automation Diagnostic",
[1004] = "Heating Diagnostic",
[1008] = "Door Entry System Diagnostic",
[1013] = "Device Diagnostic"
}
-- Output label -> dimension number appended to "*#13**" when action builds an
-- identity request. Only nine of these are actually requested (see the list
-- in action); the others are kept for reference.
local device_dimension = {
["Time"] = "0",
["Date"] = "1",
["IP Address"] = "10",
["Net Mask"] = "11",
["MAC Address"] = "12",
["Device Type"] = "15",
["Firmware Version"] = "16",
["Hardware Version"] = "17",
["Uptime"] = "19",
["Micro Version"] = "20",
["Date and Time"] = "22",
["Kernel Version"] = "23",
["Distribution Version"] = "24",
["Gateway IP address"] = "50",
["DNS IP address 1"] = "51",
["DNS IP address 2"] = "52"
}
-- Positive and negative acknowledgement frames sent by the gateway. ACK ends
-- a reply; NACK as the greeting aborts the scan and NACK as a reply marks the
-- request as unsupported (see get_socket and get_response).
local ACK = "*#*1##"
local NACK = "*#*0##"
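-- Opens a connection to the OpenWebNet gateway and reads its greeting.
-- @param host Nmap host table.
-- @param port Nmap port table.
-- @param request Optional data to send right after connecting; action passes
--   nil, so only the gateway's greeting is read.
-- @return The connected socket on success, nil otherwise.
-- @return nil on success; otherwise the connection error string, the NACK
--   frame, or nil when nothing was received before the timeout.
local function get_socket(host, port, request)
  local sd, response = comm.opencon(host, port, request, {recv_before=true, request_timeout=10000})
  if sd == nil then
    stdnse.debug("Socket connection error.")
    return nil, response
  end
  if not response then
    -- Nothing arrived before the timeout. Release the socket explicitly
    -- instead of leaving it to the garbage collector.
    stdnse.debug("Poor internet connection or no response.")
    sd:close()
    return nil, response
  end
  if response == NACK then
    -- The gateway refused the session; the socket is useless, so close it.
    stdnse.debug("Received a negative ACK as response.")
    sd:close()
    return nil, response
  end
  -- NOTE(review): any greeting other than NACK is accepted here, including
  -- frames that are not the ACK "*#*1##" (for example a gateway that asks
  -- for authentication first). Confirm whether a non-ACK greeting should
  -- also abort.
  return sd, nil
end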
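-- Sends one OpenWebNet frame and collects the reply frames until the gateway
-- answers ACK or NACK, a read times out, or the connection fails.
-- @param sd Connected socket (see get_socket).
-- @param request Frame to send, e.g. "*#13**16##".
-- @return Table of reply frames with the ACK excluded (possibly empty), or
--   nil when the gateway answered NACK, i.e. the request is not supported.
-- @return Error string when the send or a read failed for any reason other
--   than a timeout; the socket has been closed in that case. Nil otherwise.
local function get_response(sd, request)
  local res = {}
  local status, data = sd:send(request)
  if not status then
    -- Nothing went out, so nothing will come back; report the dead socket
    -- instead of waiting for the receive timeout.
    stdnse.debug("Error: " .. tostring(data))
    sd:close()
    return res, data
  end
  repeat
    status, data = sd:receive_buf("##", true)
    if status == nil then
      stdnse.debug("Error: " .. tostring(data))
      if data == "TIMEOUT" then
        -- A NACK may still arrive after the timeout; read it once so it is
        -- not mistaken for the first frame of the next request. Its content
        -- is deliberately discarded.
        sd:receive_buf("##", true)
        break
      else
        -- EOF or any other read error: the connection is gone.
        sd:close()
        return res, data
      end
    end
    if data == ACK then
      break
    end
    -- NACK means the gateway does not support this request.
    if data == NACK then
      res = nil
      break
    end
    res[#res + 1] = data
  until not status
  return res, nil
end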
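-- Rewrites the raw dimension values collected by action into human-readable
-- form. Values arrive as "."-separated fields (action replaces the protocol's
-- "*" separators with "."). Keys that are absent are left untouched.
-- @param res Table of output label -> raw value; modified in place.
-- @return The same table.
local function format_dimensions(res)
  if res["Date and Time"] then
    -- Fields are mapped positionally onto the names format_timestamp reads.
    -- NOTE(review): the field order below is taken as-is from the original;
    -- confirm the 4th field's meaning against the protocol reference.
    local params = {
      "hour", "min", "sec", "msec", "dayOfWeek", "day", "month", "year"
    }
    local values = {}
    for i, field in ipairs(stringaux.strsplit("%.%s*", res["Date and Time"])) do
      -- A reply with more fields than names would otherwise index by nil.
      if params[i] then
        values[params[i]] = field
      end
    end
    res["Date and Time"] = datetime.format_timestamp(values)
  end
  if res["Device Type"] then
    local raw = res["Device Type"]
    -- Keep the numeric code visible when it is not in the lookup table rather
    -- than silently dropping the field.
    res["Device Type"] = device[tonumber(raw)] or ("Unknown (" .. raw .. ")")
  end
  if res["MAC Address"] then
    -- Each decimal octet becomes two hex digits; octets are ":"-joined.
    res["MAC Address"] = string.gsub(res["MAC Address"], "(%d+)(%.?)", function(octet, sep)
      if sep == "." then
        return string.format("%02x:", octet)
      end
      return string.format("%02x", octet)
    end)
  end
  if res["Uptime"] then
    local units = { "d", "h", "m", "s" }
    local fields = stringaux.strsplit("%.%s*", res["Uptime"])
    -- Only format when every field has a unit; a longer reply is left raw
    -- instead of raising on a nil unit.
    if #fields <= #units then
      local parts = {}
      for i, v in ipairs(fields) do
        parts[i] = v .. units[i]
      end
      res["Uptime"] = table.concat(parts, "")
    end
  end
  return res
end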
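-- Script entry point: asks the gateway for its identity dimensions, then
-- counts the devices answering on WHO groups 1..6.
-- @param host Nmap host table.
-- @param port Nmap port table.
-- @return Ordered output table, the connection error string when the session
--   could not be opened, or nil when nothing was learned.
action = function(host, port)
  local output = stdnse.output_table()
  local sd, err = get_socket(host, port, nil)
  if sd == nil then
    return err
  end
  local head = "*#13**"
  local tail = "##"
  -- Pattern that strips the echoed request prefix from a reply frame:
  --   request  *#13**16##   reply  *#13**16*3*0*14##   captured  3*0*14
  local escaped_head = string.gsub(head, "*", "%%*")
  local dead = false -- set once get_response reports the socket is gone
  -- Loop variable is deliberately not named "device" so it does not shadow
  -- the file-level lookup table of the same name.
  for _, dimension in ipairs({"IP Address", "Net Mask", "MAC Address", "Device Type", "Firmware Version", "Uptime", "Date and Time", "Kernel Version", "Distribution Version"}) do
    stdnse.debug("Fetching " .. dimension)
    local res, rerr = get_response(sd, head .. device_dimension[dimension] .. tail)
    if rerr then
      -- get_response closed the socket; further requests cannot succeed.
      dead = true
      break
    end
    if res and next(res) then
      local pattern = escaped_head .. device_dimension[dimension] .. "%*(.+)" .. tail
      local value = string.match(res[1], pattern)
      if value then
        -- Parenthesised so only gsub's first result is stored.
        output[dimension] = (string.gsub(value, "*", "."))
      end
    end
  end
  output = format_dimensions(output)
  if not dead then
    for i = 1, 6 do
      stdnse.debug("Fetching the list of " .. who[i] .. " devices.")
      local res, rerr = get_response(sd, "*#" .. i .. "*0##")
      if rerr then
        dead = true
        break
      end
      -- Each reply frame stands for one responding device.
      if res and #res > 0 then
        output[who[i]] = #res
      end
    end
  end
  if not dead then
    -- Release the session; on the dead path get_response already closed it.
    sd:close()
  end
  if #output > 0 then
    return output
  end
  return nil
end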