Nmap wdb-version NSE Script
This page contains detailed information about how to use the wdb-version NSE script. For list of all NSE scripts, visit the Nmap NSE Library.
| Select: |
|---|
Script Overview
Script source code: https://github.com/nmap/nmap/tree/master/scripts/wdb-version.nse
Script categories: default, safe, version, discovery, vuln
Target service / protocol: wdbrpc, udp
Target network port(s): 17185
List of CVEs: -
Script Description
The wdb-version.nse script detects vulnerabilities and gathers information (such as version numbers and hardware support) from VxWorks Wind DeBug agents.
Wind DeBug is a SunRPC-type service that is enabled by default on many devices that use the popular VxWorks real-time embedded operating system. H.D. Moore of Metasploit has identified several security vulnerabilities and design flaws with the service, including weakly-hashed passwords and raw memory dumping.
See also:
Wdb-version NSE Script Arguments
The wdb-version.nse script does not have any arguments.
Wdb-version NSE Script Example Usage
Here's an example of how to use the wdb-version.nse script:
nmap -sU -p 17185 --script wdb-version <target>
Wdb-version NSE Script Example Output
Here's a sample output from the wdb-version.nse script:
17185/udp open wdb Wind DeBug Agent 2.0
| wdb-version:
| VULNERABLE: Wind River Systems VxWorks debug service enabled. See http://www.kb.cert.org/vuls/id/362332
| Agent version: 2.0
| VxWorks version: VxWorks5.4.2
| Board Support Package: PCD ARM940T REV 1
| Boot line: host:vxWorks.z
Wdb-version NSE Script Example XML Output
Here's a sample XML output from the wdb-version.nse script produced by providing the -oX <file> Nmap option:
<elem>VULNERABLE: Wind River Systems VxWorks debug service enabled. See http://www.kb.cert.org/vuls/id/362332</elem>
<elem key="Agent version">2.0</elem>
<elem key="VxWorks version">5.4</elem>
<elem key="Board Support Package">Alcatel CMM MPC8245/100</elem>
<elem key="Boot line">lanswitchCmm:</elem>
Author
- Daniel Miller
References
- https://nmap.org/nsedoc/scripts/wdb-version.html
- https://github.com/nmap/nmap/tree/master/scripts/wdb-version.nse
- http://www.kb.cert.org/vuls/id/362332
- http://www.kb.cert.org/vuls/id/362332</elem>
- http://www.vxdev.com/docs/vx55man/tornado-api/wdbpcl/wdb.html
- http://www.verysource.com/code/2817990_1/wdb.h.html
- https://github.com/rapid7/metasploit-framework/blob/master/lib/msf/core/exploit/wdbrpc.rb
See Also
Visit Nmap NSE Library for more scripts.
The wdb-version.nse script may fail with the following error messages. Check for the possible causes by using the code snippets highlighted below found in the script source code. This can often times help in identifying the root cause of the problem.
Error from decode_reply: %x
Here is a relevant code snippet related to the "Error from decode_reply: %x" error message:
95: pos, _ = rpc.Util.unmarshall_uint32(data, pos)
96: pos, _ = rpc.Util.unmarshall_uint32(data, pos)
97: pos, wdberr = rpc.Util.unmarshall_uint32(data, pos)
98: info["error"] = wdberr & 0xc0000000
99: if info["error"] ~= 0x00000000 then
100: stdnse.debug1("Error from decode_reply: %x", info["error"])
101: return nil, info
102: end
103: pos, len = rpc.Util.unmarshall_uint32(data, pos)
104: if len ~= 0 then
105: pos, info["agent_ver"] = rpc.Util.unmarshall_vopaque(len, data, pos)
Failed to send request
Here is a relevant code snippet related to the "Failed to send request" error message:
161: if not status then
162: return stdnse.format_output(false, err)
163: end
164: local packet = request(comm, WDB_Procedure["WDB_TARGET_CONNECT"], (">I4I4I4"):pack(2, 0, 0))
165: if not comm:SendPacket(packet) then
166: return stdnse.format_output(false, "Failed to send request")
167: end
168:
169: local status, data = comm:ReceivePacket()
170: if not status then
171: --return stdnse.format_output(false, "Failed to read data")
Failed to decode header
Here is a relevant code snippet related to the "Failed to decode header" error message:
173: end
174: nmap.set_port_state(host, port, "open")
175:
176: local pos, header = comm:DecodeHeader(data, 1)
177: if not header then
178: return stdnse.format_output(false, "Failed to decode header")
179: end
180:
181: if pos == #data then
182: return stdnse.format_output(false, "No WDB data in reply")
183: end
No WDB data in reply
Here is a relevant code snippet related to the "No WDB data in reply" error message:
177: if not header then
178: return stdnse.format_output(false, "Failed to decode header")
179: end
180:
181: if pos == #data then
182: return stdnse.format_output(false, "No WDB data in reply")
183: end
184:
185: local pos, info = decode_reply(data, pos)
186: if not pos then
187: return stdnse.format_output(false, "WDB error: "..info.error)
WDB error:
Here is a relevant code snippet related to the "WDB error: " error message:
182: return stdnse.format_output(false, "No WDB data in reply")
183: end
184:
185: local pos, info = decode_reply(data, pos)
186: if not pos then
187: return stdnse.format_output(false, "WDB error: "..info.error)
188: end
189: port.version.name = "wdb"
190: port.version.name_confidence = 10
191: port.version.product = "Wind DeBug Agent"
192: port.version.version = stripnull(info["agent_ver"])
Failed to send request
Here is a relevant code snippet related to the "Failed to send request" error message:
195: end
196: nmap.set_port_version(host, port)
197: -- Clean up (some agents will continue to send data until we disconnect)
198: packet = request(comm, WDB_Procedure["WDB_TARGET_DISCONNECT"], (">I4I4I4"):pack(2, 0, 0))
199: if not comm:SendPacket(packet) then
200: return stdnse.format_output(false, "Failed to send request")
201: end
202:
203: local o = stdnse.output_table()
204: table.insert(o, "VULNERABLE: Wind River Systems VxWorks debug service enabled. See http://www.kb.cert.org/vuls/id/362332")
205: if info.agent_ver then
Version
This page has been created based on Nmap version 7.92.
Go back to menu.
