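description = [[ Attempts to retrieve a list of iSCSI targets ]]
author = "Michel Chamberland "
license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
categories = {"default", "discovery"}

require "comm"
require "shortport"

-- NOTE(review): `nmap` and `bin` are used below without a visible require;
-- this assumes the NSE runtime exposes them as globals -- confirm for the
-- Nmap version this script targets.

-- Runs against TCP port 3260 or any port whose detected service is "iSCSI".
portrule = shortport.port_or_service(3260, "iSCSI")

--- Send one iSCSI Text Request carrying "SendTargets=All" and report any
-- TargetName records found in the reply.
--
-- Only this single PDU is exchanged: no Login Request is sent first. Targets
-- that insist on a login (or on authentication) before answering SendTargets
-- will presumably return nothing useful, so an empty result is not evidence
-- that the host exports no targets.
--
-- @param host NSE host table.
-- @param port NSE port table.
-- @return A string listing the discovered records, or nil when none were
--         found; with debugging enabled, an error string if the exchange
--         failed.
action = function(host, port)
  -- 48-byte Basic Header Segment followed by a 16-byte data segment
  -- ("SendTargets=All" plus its NUL terminator, matching the 0x10 length).
  local payload = bin.pack("H", "04")      -- Opcode 0x04: Text Request
    .. bin.pack("B", "10000000")           -- F bit is set (this is the final text request)
    .. bin.pack("H", "00 00")              -- Reserved
    .. bin.pack("H", "00")                 -- TotalAHSLength (no additional header segments)
    .. bin.pack("H", "00 00 10")           -- Data Segment Length (16 bytes)
    .. bin.pack("H", "00 00 00 00")        -- LUN or Reserved
    .. bin.pack("H", "00 00 00 00")        -- LUN or Reserved
    .. bin.pack("H", "00 00 00 01")        -- Initiator Task Tag (unique identifier)
    .. bin.pack("H", "ff ff ff ff")        -- Target Transfer Tag (new request, reset state)
    .. bin.pack("H", "00 00 00 01")        -- CmdSN (Command Sequence Number)
    .. bin.pack("H", "00 00 00 01")        -- ExpStatSN (Session Sequence Number)
    .. bin.pack("H", "00 00 00 00")        -- Reserved
    .. bin.pack("H", "00 00 00 00")        -- Reserved
    .. bin.pack("H", "00 00 00 00")        -- Reserved
    -- These four bytes complete the 48-byte header (still reserved); they are
    -- not a header digest, and no digest is sent with this request.
    .. bin.pack("H", "00 00 00 00")
    .. bin.pack("z", "SendTargets=All")    -- Data Segment

  local status, resp = comm.exchange(host, port, payload, {timeout=15000})

  if not status then
    -- On failure the second return value carries the error text. The status
    -- itself is false, and returning it would produce no script output.
    if nmap.debugging() > 0 then
      return "ERROR: " .. tostring(resp)
    end
    return nil
  end

  -- The reply is unauthenticated data from the peer. It is not checked to be
  -- a well-formed Text Response (opcode and length fields are ignored), so
  -- any service whose reply contains the bytes "TargetName" is reported
  -- here. Treat the listed names as claims made by the remote end.
  local first = string.find(resp, "TargetName", 1, true)
  if first then
    -- Key=value records in the data segment are NUL-separated; show one per
    -- line. Everything from the first match to the end of the reply is
    -- included as received.
    local targets = string.gsub(string.sub(resp, first), "%z", "\n")
    return "iSCSI Targets found\n" .. targets
  end
end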