Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

NSE: add script for discovering OSPF neighbors #743

wants to merge 14 commits into from


Copy link

@emyl emyl commented Mar 11, 2017


I'd like to contribute to the project by sharing a script for discovering OSPF neighbors.

To make the script work, I've made several additions to the ospf library, and also a small addition to ipOps. I've also considered to partially rewrite the ospf library using Lua native functions instead bin/bit, but I stopped because (maybe due to my poor Lua skills) I didn't found a convenient way to handle hex strings.

Comments are welcome! Thanks!

Copy link

Ok, I've got the conflicts resolved, but I have one issue and question: All of our scripts should behave in a reasonable fashion if OpenSSL is not compiled in, so instead of local openssl = require "openssl", ospf.lua should have local have_ssl, openssl = pcall(require, "openssl") and then protect calls to openssl.md5 with a check for have_ssl. This is easy, and I've done it. The question is, how should the script handle auth type 2 packets then?

One option would be to check for OpenSSL in the script in the same way, and fail gracefully if md5_key is set. Another would be to fall back to some other auth type and just try making things work. @emyl What do you think we should do in this case?

Copy link

emyl commented Mar 13, 2017

@dmiller-nmap thanks for pointing this out, I've updated the script: it now fails gracefully just in case.

@nmap-bot nmap-bot closed this in 84a824c Mar 14, 2017
Copy link

DamienDaco commented Jun 26, 2017

EDIT: I fixed the problem by changing the endianness in my nselib/ospf.lua, as Emyl suggested.
However, the script is still crashing. Please see the output below.

I'm trying to use your script in my GNS3 OSPF lab.
The script is failing because the hello and dead timers are way off.
(N.B. I'm using the default 10/40 values for hello/dead timers)
After turning on the OSPF debugging inside my routers, I see the following output:

OSPF: Mismatched hello parameters from OSPF: Dead R 671088640 C 40, Hello R 2560 C 10 Mask R C

This output indicates that the hello timer sent by the script is 2560 instead of 10 (or 256 times the correct value) and the dead timer is 671088640 instead of 40 (or 16777216 times the correct value)
I confirmed this by analyzing the packets with Wireshark, it seems the script is sending the hello value 0x0a00 (It should send 0x0a instead) and the dead value 0x28000000 (It should be 0x28 instead).
Please advise, I'm a total beginner with NSE scripts, and I'd like to use your nice script for ethical hacking labs :)
I downloaded the script on the nmap website.
My OS is Xubuntu.
Thank you.

Wireshark output:

OSPF Hello Packet Network Mask: Hello Interval [sec]: 2560 Options: 0x02 ((E) External Routing) Router Priority: 0 Router Dead Interval [sec]: 671088640 Designated Router: Backup Designated Router: Active Neighbor:

EDIT: After changing the endianness, I get the following output:

doc@doc-xubuntu:~/Downloads$ sudo nmap --script=broadcast-ospf2-discover -d -e tap0

Starting Nmap 7.01 ( ) at 2017-06-26 18:40 CEST
PORTS: Using top 1000 ports found open (TCP:1000, UDP:0, SCTP:0)
--------------- Timing report ---------------
hostgroups: min 1, max 100000
rtt-timeouts: init 1000, min 100, max 10000
max-scan-delay: TCP 1000, UDP 1000, SCTP 1000
parallelism: min 0, max 0
max-retries: 10, host-timeout: 0
min-rate: 0, max-rate: 0

NSE: Using Lua 5.2.
NSE: Arguments from CLI:
NSE: Loaded 1 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 1) scan.
Initiating NSE at 18:40
NSE: Starting broadcast-ospf2-discover.
NSE: Value for router ID argument:
NSE: Value for timeout argument: 10.
NSE: Will use tap0 interface.
NSE: Start listening on interface tap0...
NSE: broadcast-ospf2-discover threw an error!
/usr/bin/../share/nmap/nselib/ospf.lua:268: OSPF packet too short
stack traceback:
[C]: in function 'assert'
/usr/bin/../share/nmap/nselib/ospf.lua:268: in function 'parse'
/usr/bin/../share/nmap/scripts/broadcast-ospf2-discover.nse:341: in function </usr/bin/../share/nmap/scripts/broadcast-ospf2-discover.nse:306>
(...tail calls...)

Completed NSE at 18:40, 5.21s elapsed
NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 1) scan.
Initiating NSE at 18:40
Completed NSE at 18:40, 0.00s elapsed
Read from /usr/bin/../share/nmap: nmap-services.
WARNING: No targets were specified, so 0 hosts scanned.
Nmap done: 0 IP addresses (0 hosts up) scanned in 5.54 seconds
Raw packets sent: 0 (0B) | Rcvd: 0 (0B)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
None yet
None yet

Successfully merging this pull request may close these issues.

None yet

3 participants