forked from zenfish/ipmi
-
Notifications
You must be signed in to change notification settings - Fork 0
/
j_weights.pl
executable file
·115 lines (94 loc) · 2.99 KB
/
j_weights.pl
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
#
# Weights - these #'s determine how IPMI-ish a host is. You can never be
# sure (firewalls, temporarily down, weird network configurations and routing,
# etc., etc.) , but some things count more than others. The higher the number
# the more in contributes to the overall score.
#
#
# some ports do double duty - just a web server on an odd port is obviously not
# a sign of IPMI, but it's an indicator (banners will be checked as well.)
# Will probably change things over time as I get more data, this is for starters.
#
#
$weight_common = 0.1;
$weight_unusual = 1;
$weight_the_one = 5;
# if you don't specify a weight, it's treated as some trashy common port, so put it
$weight_unknown = $weight_common;
%weight_port = (
'tcp' => {
# more unusual/interesting ports
555, $weight_unusual,
623, $weight_unusual,
1188, $weight_unusual, # hp-webadmin
1278, $weight_unusual,
1279, $weight_unusual,
2606, $weight_unusual,
2607, $weight_unusual,
3002, $weight_unusual,
3389, $weight_unusual,
3668, $weight_unusual,
3669, $weight_unusual,
4988, $weight_unusual,
5120, $weight_unusual,
5869, $weight_unusual,
5981, $weight_unusual,
5123, $weight_unusual,
8192, $weight_unusual,
8889, $weight_unusual,
9300, $weight_unusual,
17988, $weight_unusual,
17990, $weight_unusual,
50000, $weight_unusual
},
'udp' => {
# the one and only
623, $weight_the_one,
# various others
624, $weight_unusual,
1278, $weight_unusual,
1279, $weight_unusual,
1900, $weight_unusual,
2606, $weight_unusual,
2607, $weight_unusual,
3668, $weight_unusual,
4995, $weight_unusual,
5900, $weight_unusual
}
);
#
#
# multipliers
$weight_state{"open"} = 2;
$weight_state{"open|filtered"} = 0.3;
# not sure what to do on this; need to understand output better (yes, I know what TCPW are!)
$weight_state{"tcpwrapped"} = 0.1;
$weight_state{"filtered"} = 0.2; # wish I could trust this more, but....
$weight_state{"closed|filtered"} = 0; # any diff from closed?
$weight_state{"closed"} = 0;
#
# banners... regular expressions and bonus points if they match
#
# first guesses, obv need tuning
for $v (keys %vendor_banners) {
$ipmi_banners{$vendor_banners{$v}} = 10;
}
# $ipmi_banners{"Lights.?Out"} = 10;
# $ipmi_banners{"iLO"} = 10; # HP's IPMI
# $ipmi_banners{"DRAC"} = 10; # Dell's IPMI
# not too uncommon embedded linuxy system thingy: but used on at least on some
# supermicro ssh's
$ipmi_banners{"[Dd]ropbear"} = 5;
# generic hopeful catch
$ipmi_banners{"[Ii][Pp][Mm][Ii]"} = 10;
# bonus points for...
# this is a no-thought scan through output nmap can't figure out
$weight_sucking_fingers = 3;
# if ipmiping works, probably is IPMI....!
$ipmi_ping_success = 40;
#
# if greater than this number, will match
#
$ipmi_cutoff{"yes"} = 15;
$ipmi_cutoff{"maybe"} = 3;
1;