Overview
Attempts to extract information from HP iLO boards including versions and addresses.
HP iLO boards have an unauthenticated info disclosure at <ip>/xmldata?item=all.
Attempts to extract information from HP iLO boards including versions and addresses.
Ports
Any
Protocols
n/a
Attribution
Nmap Project
Copy the command and adjust the target or script arguments as needed.
nmap --script hp-ilo-info -p 80 <target>
The full script source is stored with this entry and is hidden by default to keep the page easier to scan.
-- Human-readable summary of the script. The endpoint it names answers without
-- authentication, so the data listed below is readable by anyone who can reach
-- the board's web interface.
description = [[
Attempts to extract information from HP iLO boards including versions and addresses.
HP iLO boards have an unauthenticated info disclosure at <ip>/xmldata?item=all.
It lists board informations such as server model, firmware version,
MAC addresses, IP addresses, etc. This script uses the slaxml library
to parse the iLO xml file and display the info.
]]
---
--@usage nmap --script hp-ilo-info -p 80 <target>
--
--@usage nmap --script hp-ilo-info -sV <target>
--
--@output
--PORT STATE SERVICE
--80/tcp open http
--| ilo-info:
--| ServerType: ProLiant MicroServer Gen8
--| ProductID: XXXXXX-XXX
--| UUID: XXXXXXXXXXXXXXXX
--| cUUID: XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXX
--| ILOType: Integrated Lights-Out 4 (iLO 4)
--| ILOFirmware: X.XX
--| SerialNo: ILOXXXXXXXXXX
--| NICs:
--| NIC 1:
--| Description: iLO 4
--| MacAddress: 12:34:56:78:9a:bc
--| IPAddress: 10.10.10.10
--| Status: OK
--| NIC 2:
--| Description: iLo 4
--| MacAddress: 11:22:33:44:55:66
--| IPAddress: Unknown
--|_ Status: Disabled
--
-- Script metadata: author and licence strings.
author = "Rajeev R Menon"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
-- NSE categories this script is filed under; it is selected when either
-- category is requested (e.g. `--script discovery`).
categories = {"safe","discovery"}
local http = require "http"
local slaxml = require "slaxml"
local stdnse = require "stdnse"
local shortport = require "shortport"
-- Port rule: delegate to the HTTP matcher exported by the shortport library,
-- so the script is considered only for ports that matcher accepts.
portrule = shortport.http
--- Find the first element named `tag` below a DOM node.
-- The search is depth-first in document order: each child element is tested
-- and, if it does not match, its own subtree is searched before the next
-- sibling is looked at. Children whose `type` is not "element" are ignored.
-- NOTE: the first parameter shadows Lua's `table` library inside this function.
-- @param table DOM node whose `kids` array is searched.
-- @param tag Element name to look for (compared with `==`).
-- @return The matching element node, or nil when nothing matches.
function getTag(table,tag)
  for _, child in ipairs(table.kids) do
    if child.type == "element" then
      if child.name == tag then
        return child
      end
      -- Not this element: look inside it before moving on to its siblings.
      local found = getTag(child, tag)
      if found ~= nil then
        return found
      end
    end
  end
  return nil
end
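-- Output label -> iLO XML element name, in the order the fields are reported.
local summaryFields = {
  {"ServerType", "SPN"},
  {"ProductID", "PRODUCTID"},
  {"UUID", "UUID"},
  {"cUUID", "cUUID"},
  {"ILOType", "PN"},
  {"ILOFirmware", "FWRI"},
  {"SerialNo", "SN"},
}

-- Per-NIC XML element name -> output label.
local nicFields = {
  DESCRIPTION = "Description",
  MACADDR = "MacAddress",
  IPADDR = "IPAddress",
  STATUS = "Status",
}

--- Value of a node's first child, or nil when the node is missing or empty.
local function firstKidValue(node)
  local first = node and node.kids and node.kids[1]
  if first then
    return first.value
  end
  return nil
end

--- Build the script result from a parsed iLO XML document.
-- Every value copied into the result comes from the remote, unauthenticated
-- HTTP response, so the document is treated as untrusted: an element that is
-- present but empty, or a child that is not an element, is skipped instead of
-- being indexed blindly (which would abort the script with a Lua error).
-- @param dom DOM table as returned by slaxml.parseDOM.
-- @return stdnse output table with the summary fields that were found and a
--         `NICs` sub-table holding one "NIC <n>" entry per NIC element.
function parseXML(dom)
  local response = stdnse.output_table()

  for _, field in ipairs(summaryFields) do
    local value = firstKidValue(getTag(dom, field[2]))
    if value ~= nil then
      response[field[1]] = value
    end
  end

  response.NICs = stdnse.output_table()
  local nicdom = getTag(dom, "NICS")
  if nicdom ~= nil then
    local count = 1
    for _, n in ipairs(nicdom.kids) do
      -- Non-element children (e.g. comments) are assumed to carry no `kids`
      -- list, so they are skipped and do not consume a NIC number.
      if n.type == "element" then
        local nic = stdnse.output_table()
        for _, m in ipairs(n.kids) do
          local label = nicFields[m.name]
          local first = m.kids and m.kids[1]
          -- Only a leading text child is reported, as in the original check.
          if label and first and first.type == "text" then
            nic[label] = first.value
          end
        end
        response.NICs["NIC " .. tostring(count)] = nic
        count = count + 1
      end
    end
  end
  return response
end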
--- Script entry point: fetch the iLO XML document and report what it contains.
-- Sends one GET for "/xmldata?item=all" and gives up silently unless the reply
-- has status 200 and a body containing both "<RIMP>" and "iLO". The body is
-- then parsed with slaxml and handed to parseXML.
-- The request carries no credentials, so whatever is reported here is equally
-- visible to anyone who can reach the management interface; keeping iLO on a
-- restricted management network limits that exposure.
-- @param host Target host table supplied by NSE.
-- @param port Target port table supplied by NSE.
-- @return The table built by parseXML, or nothing when the reply does not
--         look like iLO XML data.
action = function(host,port)
  local reply = http.get(host, port, "/xmldata?item=all")
  local body = reply.body

  if reply.status ~= 200 then return end
  if not body then return end
  -- Cheap content checks before parsing: both markers must be present.
  if not body:match('<RIMP>') then return end
  if not body:match('iLO') then return end

  return parseXML(slaxml.parseDOM(body, {stripWhitespace=true}))
end
Attempts to extract information from HP iLO boards including versions and addresses.
HP iLO boards have an unauthenticated info disclosure at <ip>/xmldata?item=all.