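---
-- A module implementing IPMI protocol (the code is a porting of the Metasploit ipmi scanner:
-- https://github.com/rapid7/metasploit-framework/tree/master/modules/auxiliary/scanner/ipmi)
--
-- The module has two halves: builders that return request datagrams as Lua
-- strings, and parsers that turn a reply datagram into a table of named
-- fields. The parsers work on data received from the remote BMC and perform
-- no length or sanity checks of their own.
--
-- @class module
-- @name ipmi
-- @author "Claudiu Perta <claudiu.perta@gmail.com>"

local bin = require "bin"
local bit = require "bit"
local math = require "math"
local stdnse = require "stdnse"
local string = require "string"
local table = require "table"
_ENV = stdnse.module("ipmi", stdnse.seeall)

-- openssl is optional; HAVE_SSL is false when the library cannot be loaded,
-- in which case verify_rakp_hmac_sha1 always answers false.
local HAVE_SSL, openssl = pcall(require,"openssl")

-- Payload type codes placed in the RMCP+ session header by rmcpplus_header.
PAYLOADS = {
  ["IPMI"] = 0,
  ["PAYLOAD_SOL"] = 1,
  ["RMCPPLUSOPEN_REQ"] = 0x10,
  ["RMCPPLUSOPEN_REP"] = 0x11,
  ["RAKP1"] = 0x12,
  ["RAKP2"] = 0x13,
  ["RAKP3"] = 0x14,
  ["RAKP4"] = 0x15,
}

-- Human-readable text for the status byte that the reply parsers store as
-- "error_code". Code 0 has no entry here.
RMCP_ERRORS = {
  -- The backslash-newline keeps a line break inside the message text.
  [1] = "Insufficient resources to create new session \
  (wait for existing sessions to timeout)",
  -- Shouldn't occur.
  [2] = "Invalid Session ID",
  -- Shouldn't occur.
  [3] = "Invalid payload type",
  -- If these happen, we need to enhance our mechanism for detecting
  -- supported auth algorithms.
  [4] = "Invalid authentication algorithm",
  [5] = "Invalid integrity algorithm",
  [6] = "No matching authentication payload",
  [7] = "No matching integrity payload",
  -- This suggests the session was timed out while trying to negotiate,
  -- shouldn't happen.
  [8] = "Inactive Session ID",
  [9] = "Invalid role",
  [0xa] = "Unauthorised role or privilege level requested",
  [0xb] = "Insufficient resources to create a session at the requested role",
  [0xc] = "Invalid username length",
  [0xd] = "Unauthorized name",
  [0xe] = "Unauthorized GUID",
  [0xf] = "Invalid integrity check value",
  [0x10] = "Invalid confidentiality algorithm",
  [0x11] = "No cipher suite match with proposed security algorithms",
  -- Never observed, most likely a bug in xCAT or IPMI device.
  [0x12] = "Illegal or unrecognized parameter",
}

--- Builds the fixed channel authentication request datagram.
--
-- The request is a constant 23-byte string; nothing in it depends on the
-- target. The matching reply is decoded by parse_channel_auth_reply.
-- @return Request datagram as a string.
channel_auth_request = function()
  return (
    "\x06\x00\xff\x07" ..  -- Header
    "\x00\x00\x00\x00" ..
    "\x00\x00\x00\x00\x00\x09\x20\x18" ..
    "\xc8\x81\x00\x38\x8e\x04\xb5"
    )
end

--- Builds the 14-byte RMCP+ session header for a given payload type.
--
-- Session ID and sequence number are always zero here.
-- @param payload_type Key of the PAYLOADS table, e.g. "RAKP1". A name that is
--                     not in PAYLOADS makes string.char fail on a nil argument.
-- @return Header as a string.
rmcpplus_header = function (payload_type)
  return (
    "\x06\x00\xff\x07" ..  -- RMCP Header
    "\x06" ..              -- RMCP+ Authentication Type
    string.char(PAYLOADS[payload_type]) ..  -- Payload Type
    "\x00\x00\x00\x00" ..  -- Session ID
    "\x00\x00\x00\x00"     -- Sequence Number
    )
end

--- Builds an RMCP+ Open Session request proposing HMAC-SHA1 and AES.
--
-- @param console_session_id Session ID chosen by the console, as a string
--                           that is concatenated into the payload. There is
--                           no default; nil raises a concatenation error.
-- @return Request datagram: RMCP+ header followed by the payload, which "P"
--         prefixes with its length.
-- Open rmcpplus_request
session_open_request = function(console_session_id)
  local data = (
    "\x00\x00" ..  -- Maximum Access
    "\x00\x00" ..  -- Reserved
    console_session_id ..
    "\x00\x00\x00\x08" ..
    "\x01\x00\x00\x00" ..
    "\x01\x00\x00\x08" ..
    "\x01\x00\x00\x00" ..  -- HMAC-SHA1
    "\x02\x00\x00\x08" ..
    "\x01\x00\x00\x00"     -- AES Encryption
    )

  return bin.pack("<AP", rmcpplus_header("RMCPPLUSOPEN_REQ"), data)
end

--- Builds an RMCP+ Open Session request proposing cipher suite zero.
--
-- All three algorithm fields carry the value 0, i.e. the request asks for a
-- session without authentication, integrity protection or encryption. A BMC
-- that accepts such a proposal has cipher zero enabled, which is the
-- configuration state an audit of the device would want to report.
-- @param console_session_id Optional session ID string; a random 4-character
--                           string is generated when it is omitted.
-- @return Request datagram: RMCP+ header followed by the length-prefixed
--         payload.
-- Open rmcpplus_request
session_open_cipher_zero_request = function(console_session_id)
  console_session_id = console_session_id or stdnse.generate_random_string(4)

  local data = (
    "\x00\x00" ..  -- Maximum Access
    "\x00\x00" ..  -- Reserved
    console_session_id ..
    "\x00\x00\x00\x08" ..
    "\x00\x00\x00\x00" ..  -- Cipher-zero
    "\x01\x00\x00\x08" ..
    "\x00\x00\x00\x00" ..  -- Cipher-zero
    "\x02\x00\x00\x08" ..
    "\x00\x00\x00\x00"     -- No Encryption
    )

  return bin.pack("<AP", rmcpplus_header("RMCPPLUSOPEN_REQ"), data)
end

--- Builds a RAKP message 1 request.
--
-- @param bmc_session_id Session ID assigned by the BMC, packed as a 32-bit
--                       little-endian integer.
-- @param console_random_id Random value chosen by the console, as a string.
-- @param username User name, packed with a one-byte length prefix.
-- @return Request datagram: RMCP+ header followed by the length-prefixed
--         payload.
rakp_1_request = function(bmc_session_id, console_random_id, username)
  local data = bin.pack(
    "<AAIAAAp",
    "\x00",          -- Message Tag
    "\x00\x00\x00",  -- Reserved
    bmc_session_id,
    console_random_id,
    "\x14",          -- Privilege level
    "\x00\x00",      -- Reserved
    username
    )

  return bin.pack("<AP", rmcpplus_header("RAKP1"), data)
end

--- Assembles the byte string over which the RAKP HMAC-SHA1 is computed.
--
-- The fields are packed in the order of the parameters; no byte-order prefix
-- is given in the format string, so bmc_session_id uses the packer's default
-- order.
-- @param console_session_id Console session ID (string).
-- @param bmc_session_id BMC session ID (integer).
-- @param console_random_id Console random value (string).
-- @param bmc_random_id BMC random value (string).
-- @param bmc_guid BMC GUID (string).
-- @param authorization_level Requested privilege level (single byte value).
-- @param username User name, packed with a one-byte length prefix.
-- @return The packed string.
rakp_hmac_sha1_salt = function(
  console_session_id,
  bmc_session_id,
  console_random_id,
  bmc_random_id,
  bmc_guid,
  authorization_level,
  username)

  local salt = bin.pack(
    "AIAAACp",
    console_session_id,
    bmc_session_id,
    console_random_id,
    bmc_random_id,
    bmc_guid,
    authorization_level,
    username
    )
  return salt
end

--- Checks whether a password reproduces the HMAC-SHA1 value sent by the BMC.
--
-- @param salt String built by rakp_hmac_sha1_salt.
-- @param hash HMAC-SHA1 value taken from the BMC reply (raw bytes).
-- @param password Candidate password, used as the HMAC key.
-- @return true when the computed digest equals hash. false on a mismatch and
--         also when openssl is unavailable, so a caller cannot tell those two
--         cases apart from the return value alone.
verify_rakp_hmac_sha1 = function(salt, hash, password)
  if not(HAVE_SSL) then
    return false
  end

  local digest = openssl.hmac('sha1', password, salt)
  return (digest == hash)
end

--[[
  Multi-byte fields in RMCP/ASF fields are specified as being transmitted in
  'Network Byte Order' - meaning most-significant byte first.

  RMCP and ASF-specified fields are therefore transferred most-significant
  byte first.

  The IPMI convention is to transfer multi-byte numeric fields
  least-significant Byte first. Therefore, unless otherwise specified:

  Data in the IPMI Session Header and IPMI Message fields are transmitted
  least-significant byte first.
--]]

--- Decodes the reply to channel_auth_request into a table of named fields.
--
-- The reply comes from the network and is read field by field without any
-- length check.
-- NOTE(review): a reply shorter than expected presumably leaves some fields
-- nil and makes the bit operations below raise an error - confirm against
-- bin.unpack, and run this under pcall or check the datagram length first.
-- @param reply Raw reply datagram (string).
-- @return Table of decoded fields; flag bits are stored as booleans.
parse_channel_auth_reply = function(reply)
  local data = {}
  local pos = 0
  local value

  pos, data["rmcp_version"] = bin.unpack("<C", reply, pos)
  pos, data["rmcp_padding"] = bin.unpack("<C", reply, pos)
  pos, data["rmcp_sequence"] = bin.unpack("<C", reply, pos)

  -- Top bit is the message type flag, the remaining seven bits the class.
  pos, value = bin.unpack("C", reply, pos)
  data["rmcp_mtype"] = (bit.band(value, 0x80) ~= 0)
  data["rmcp_class"] = bit.band(value, 0x7F)

  pos, data["session_auth_type"] = bin.unpack("C", reply, pos)
  pos, data["session_sequence"] = bin.unpack("<I", reply, pos)
  pos, data["session_id"] = bin.unpack("<I", reply, pos)
  pos, data["message_length"] = bin.unpack("C", reply, pos)

  pos, data["ipmi_tgt_address"] = bin.unpack("C", reply, pos)
  pos, data["ipmi_tgt_lun"] = bin.unpack("C", reply, pos)
  pos, data["ipmi_header_checksum"] = bin.unpack("C", reply, pos)
  pos, data["ipmi_src_address"] = bin.unpack("C", reply, pos)
  pos, data["ipmi_src_lun"] = bin.unpack("C", reply, pos)
  pos, data["ipmi_command"] = bin.unpack("C", reply, pos)
  pos, data["ipmi_completion_code"] = bin.unpack("C", reply, pos)
  pos, data["ipmi_channel"] = bin.unpack("C", reply, pos)

  -- Supported authentication types, one flag per bit.
  pos, value = bin.unpack("C", reply, pos)
  data["ipmi_compat_20"] = (bit.band(value, 0x80) ~= 0)
  data["ipmi_compat_reserved1"] = (bit.band(value, 0x40) ~= 0)
  data["ipmi_compat_oem_auth"] = (bit.band(value, 0x20) ~= 0)
  data["ipmi_compat_password"] = (bit.band(value, 0x10) ~= 0)
  data["ipmi_compat_reserved2"] = (bit.band(value, 0x08) ~= 0)
  data["ipmi_compat_md5"] = (bit.band(value, 0x04) ~= 0)
  data["ipmi_compat_md2"] = (bit.band(value, 0x02) ~= 0)
  data["ipmi_compat_none"] = (bit.band(value, 0x01) ~= 0)

  -- User and authentication status flags: top two bits reserved, the rest one
  -- flag per bit.
  pos, value = bin.unpack("C", reply, pos)
  data["ipmi_user_reserved1"] = bit.band(bit.rshift(value, 6), 0x03)
  data["ipmi_user_kg"] = (bit.band(value, 0x20) ~= 0)
  data["ipmi_user_disable_message_auth"] = (bit.band(value, 0x10) ~= 0)
  data["ipmi_user_disable_user_auth"] = (bit.band(value, 0x08) ~= 0)
  data["ipmi_user_non_null"] = (bit.band(value, 0x04) ~= 0)
  data["ipmi_user_null"] = (bit.band(value, 0x02) ~= 0)
  data["ipmi_user_anonymous"] = (bit.band(value, 0x01) ~= 0)

  -- Supported connection versions: upper six bits reserved.
  pos, value = bin.unpack("C", reply, pos)
  data["ipmi_conn_reserved1"] = bit.band(bit.rshift(value, 2), 0x3F)
  data["ipmi_conn_20"] = (bit.band(value, 0x02) ~= 0)
  data["ipmi_conn_15"] = (bit.band(value, 0x01) ~= 0)

  -- 24 bits OEMID: "<I" reads four bytes least-significant byte first, so the
  -- three OEM ID bytes are the low 24 bits of the result. Shifting right by
  -- eight instead would drop the first ID byte and pull in the byte that the
  -- code below hands to ipmi_oem_data.
  pos, value = bin.unpack("<I", reply, pos)
  data["ipmi_oem_id"] = bit.band(value, 0xFFFFFF)

  -- The fourth byte read above belongs to the OEM data: restore one byte
  -- position.
  pos = pos - 1
  pos, data["ipmi_oem_data"] = bin.unpack("A", reply, pos)

  return data
end

--- Decodes an RMCP+ Open Session reply into a table of named fields.
--
-- The reply comes from the network and is read field by field without any
-- length check.
-- NOTE(review): a truncated reply presumably ends in an error raised by the
-- bit operations on a nil value - confirm against bin.unpack and guard the
-- call accordingly.
-- @param reply Raw reply datagram (string).
-- @return Table of decoded fields; "error_code" indexes RMCP_ERRORS.
parse_open_session_reply = function(reply)
  local data = {}
  local pos = 0
  local value

  -- 4 bytes Header
  pos, data["rmcp_version"] = bin.unpack("C", reply, pos)
  pos, data["rmcp_padding"] = bin.unpack("C", reply, pos)
  pos, data["rmcp_sequence"] = bin.unpack("C", reply, pos)

  pos, value = bin.unpack("C", reply, pos)
  -- bit 1
  data["rmcp_mtype"] = (bit.band(value, 0x80) ~= 0)
  -- bit [2:8]
  data["rmcp_class"] = bit.band(value, 0x7F)

  pos, data["session_auth_type"] = bin.unpack("C", reply, pos)

  pos, value = bin.unpack("C", reply, pos)
  -- bit 1
  data["session_payload_encrypted"] = (bit.band(value, 0x80) ~= 0)
  -- bit 2
  data["session_payload_authenticated"] = (bit.band(value, 0x40) ~= 0)
  -- bit [3:8]
  data["session_payload_type"] = bit.band(value, 0x3F)

  pos, data["session_id"] = bin.unpack("<I", reply, pos)
  pos, data["session_sequence"] = bin.unpack("<I", reply, pos)
  pos, data["message_length"] = bin.unpack("<S", reply, pos)
  pos, data["ignored1"] = bin.unpack("C", reply, pos)
  pos, data["error_code"] = bin.unpack("C", reply, pos)
  pos, data["ignored2"] = bin.unpack("<S", reply, pos)
  pos, data["console_session_id"] = bin.unpack("<I", reply, pos)
  pos, data["bmc_session_id"] = bin.unpack("<I", reply, pos)

  return data
end

--- Decodes the BMC's reply to a RAKP message 1 request.
--
-- Besides the session header, the reply carries the BMC random value, the BMC
-- GUID and a 20-byte HMAC-SHA1 value; together with the request parameters
-- these are the inputs of rakp_hmac_sha1_salt and verify_rakp_hmac_sha1.
-- The reply comes from the network and is read field by field without any
-- length check.
-- NOTE(review): a truncated reply presumably ends in an error raised by the
-- bit operations on a nil value - confirm against bin.unpack and guard the
-- call accordingly.
-- @param reply Raw reply datagram (string).
-- @return Table of decoded fields; "error_code" indexes RMCP_ERRORS.
parse_rakp_1_reply = function(reply)
  local data = {}
  local pos = 0
  local value

  -- 4 bytes Header
  pos, data["rmcp_version"] = bin.unpack("C", reply, pos)
  pos, data["rmcp_padding"] = bin.unpack("C", reply, pos)
  pos, data["rmcp_sequence"] = bin.unpack("C", reply, pos)

  pos, value = bin.unpack("C", reply, pos)
  -- bit 1
  data["rmcp_mtype"] = (bit.band(value, 0x80) ~= 0)
  -- bit [2:8]
  data["rmcp_class"] = bit.band(value, 0x7F)

  pos, data["session_auth_type"] = bin.unpack("C", reply, pos)

  pos, value = bin.unpack("C", reply, pos)
  -- bit 1
  data["session_payload_encrypted"] = (bit.band(value, 0x80) ~= 0)
  -- bit 2
  data["session_payload_authenticated"] = (bit.band(value, 0x40) ~= 0)
  -- bit [3:8]
  data["session_payload_type"] = bit.band(value, 0x3F)

  pos, data["session_id"] = bin.unpack("<I", reply, pos)
  pos, data["session_sequence"] = bin.unpack("<I", reply, pos)
  pos, data["message_length"] = bin.unpack("<S", reply, pos)
  pos, data["ignored1"] = bin.unpack("C", reply, pos)
  pos, data["error_code"] = bin.unpack("C", reply, pos)
  pos, data["ignored2"] = bin.unpack("<S", reply, pos)
  pos, data["console_session_id"] = bin.unpack("<I", reply, pos)
  pos, data["bmc_random_id"] = bin.unpack("A16", reply, pos)
  pos, data["bmc_guid"] = bin.unpack("A16", reply, pos)
  pos, data["hmac_sha1"] = bin.unpack("A20", reply, pos)

  return data
end

return _ENV;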