From 0453f89779e2fe8db1b3031a6d3f003bf024495d Mon Sep 17 00:00:00 2001
From: patrik <patrik@e0a8ed71-7df4-0310-8962-fdc924857419>
Date: Thu, 21 Jul 2011 06:14:02 +0000
Subject: [PATCH] o [NSE] Added the script imap-brute that performs brute force
 password   auditing against IMAP servers. [Patrik]

o [NSE] Updated IMAP library to support authentication using both plain-text
  and the SASL library. [Patrik]
---
 CHANGELOG                     |   6 +
 nselib/imap.lua               | 306 +++++++++++++++++++++++++++++-----
 scripts/imap-capabilities.nse |   9 +-
 scripts/script.db             |   1 +
 4 files changed, 283 insertions(+), 39 deletions(-)

diff --git a/CHANGELOG b/CHANGELOG
index 505ec2133..ef42fd3bd 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,5 +1,11 @@
 # Nmap Changelog ($Id$); -*-text-*-
 
+o [NSE] Added the script imap-brute that performs brute force password
+  auditing against IMAP servers. [Patrik]
+
+o [NSE] Updated IMAP library to support authentication using both plain-text
+  and the SASL library. [Patrik]
+
 o [NSE] Added SASL library created by Djalal Harouni and Patrik Karlsson
   providing common code for "Simple Authentication and Security Layer" to
   services supporting it. The algorithms supported by the library are:
diff --git a/nselib/imap.lua b/nselib/imap.lua
index b0f992ae9..708a1e3a9 100644
--- a/nselib/imap.lua
+++ b/nselib/imap.lua
@@ -1,47 +1,277 @@
 ---
--- IMAP functions.
+-- A library implementing a minor subset of the IMAP protocol, currently the
+-- CAPABILITY, LOGIN and AUTHENTICATE functions. The library was initially
+-- written by Brandon Enright and later extended and converted to OO-form by
+-- Patrik Karlsson <patrik@cqure.net>
+--
+-- The library consists of a <code>Helper</code>, class which is the main
+-- interface for script writers, and the <code>IMAP</code> class providing
+-- all protocol-level functionality.
+--
+-- The following example illustrates the reommended use of the library:
+-- <code>
+-- 	local helper = imap.Helper:new(host, port)
+--  helper:connect()
+--  helper:login("user","password","PLAIN")
+--  helper:close()
+-- </code>
 --
 -- @copyright Same as Nmap--See http://nmap.org/book/man-legal.html
+-- @author = "Brandon Enright, Patrik Karlsson"
+
+-- Version 0.2
+-- Revised 07/15/2011 - v0.2 - 	added the IMAP and Helper classes
+--								added support for LOGIN and AUTHENTICATE
+--								<patrik@cqure.net>
 
 module(... or "imap", package.seeall)
 
 require 'stdnse'
+require 'comm'
+require 'base64'
+require 'sasl'
+
+IMAP = {
+	
+	--- Creates a new instance of the IMAP class
+	--
+	-- @param host table as received by the script action method
+	-- @param port table as received by the script action method
+	-- @param options table containing options, currently
+	--		<code>timeout<code> - 	number containing the seconds to wait for
+	--								a response
+	new = function(self, host, port, options)
+		local o = { 
+				host = host,
+				port = port,
+				counter = 1, 
+				timeout = ( options and options.timeout ) or 10000 
+		}
+       	setmetatable(o, self)
+        self.__index = self
+		return o
+	end,
+	
+	--- Receives a response from the IMAP server
+	--
+	-- @return status true on success, false on failure
+	-- @return data string containing the received data
+	receive = function(self)
+		local data = ""
+		repeat
+			local status, tmp = self.socket:receive_buf("\r\n", false)
+			if( not(status) ) then return false, tmp end
+			data = data .. tmp
+		until( tmp:match(("^A%04d"):format(self.counter - 1)) or tmp:match("^%+"))
+		
+		return true, data
+	end,
+	
+	--- Sends a request to the IMAP server
+	--
+	-- @param cmd string containing the command to send to the server eg.
+	--            eg. (AUTHENTICATE, LOGIN)
+	-- @param params string containing the command parameters
+	-- @return true on success, false on failure
+	-- @return err string containing the error if status was false
+	send = function(self, cmd, params)
+		local data
+		if ( not(params) ) then
+			data = ("A%04d %s\r\n"):format(self.counter, cmd)
+		else
+			data = ("A%04d %s %s\r\n"):format(self.counter, cmd, params)
+		end
+		local status, err = self.socket:send(data)
+		if ( not(status) ) then return false, err end
+		self.counter = self.counter + 1
+		return true
+	end,
+	
+	--- Connect to the server
+	--
+	-- @return status true on success, false on failure
+	-- @return banner string containing the server banner
+	connect = function(self)
+		local socket, banner, opt = comm.tryssl( self.host, self.port, "", { recv_before = true } )
+		if ( not(socket) ) then return false, "ERROR: Failed to connect to server" end
+		socket:set_timeout(self.timeout)
+		if ( not(socket) or not(banner) ) then return false, "ERROR: Failed to connect to server" end
+		self.socket = socket
+		return true, banner
+	end,
+		
+	--- Authenticate to the server (non PLAIN text mode)
+	-- Currently supported algorithms are CRAM-MD5 and CRAM-SHA1
+	--
+	-- @param username string containing the username
+	-- @param pass string containing the password
+	-- @param mech string containing a authentication mechanism, currently
+	--				CRAM-MD5 or CRAM-SHA1
+	-- @return status true if login was successful, false on failure
+	-- @return err string containing the error message if status was false
+	authenticate = function(self, username, pass, mech)
+		assert( mech == "NTLM" or
+				mech == "DIGEST-MD5" or
+				mech == "CRAM-MD5" or 
+				mech == "PLAIN",
+				"Unsupported authentication mechanism")
+		
+		local status, err = self:send("AUTHENTICATE", mech)
+
+		if( not(status) ) then return false, "ERROR: Failed to send data" end
+
+		local status, data = self:receive()
+		if( not(status) ) then return false, "ERROR: Failed to receive challenge" end
+		
+		if ( mech == "NTLM" ) then
+			-- sniffed of the wire, seems to always be the same
+			-- decodes to some NTLMSSP blob greatness
+			status, data = self.socket:send("TlRMTVNTUAABAAAAB7IIogYABgA3AAAADwAPACgAAAAFASgKAAAAD0FCVVNFLUFJUi5MT0NBTERPTUFJTg==\r\n")
+			if ( not(status) ) then return false, "ERROR: Failed to send NTLM packet" end
+			status, data = self:receive()
+			if ( not(status) ) then return false, "ERROR: Failed to receieve NTLM challenge" end 
+		end
+		
+		if ( data:match(("^A%04d "):format(self.counter-1)) ) then
+			return false, "ERROR: Authentication mechanism not supported"
+		end
+
+		local digest, auth_data
+		if ( not(data:match("^+")) ) then
+			return false, "ERROR: Failed to receive proper response from server"
+		end
+		data = base64.dec(data:match("^+ (.*)"))
+		
+		-- All mechanisms expect username and pass
+		-- add the otheronce for those who need them
+		local mech_params = { username, pass, data, "imap" }
+		auth_data = sasl.Helper:new(mech):encode(unpack(mech_params))
+		auth_data = base64.enc(auth_data) .. "\r\n"
+			
+		status, data = self.socket:send(auth_data)
+		if( not(status) ) then return false, "ERROR: Failed to send data" end
+
+		status, data = self:receive()
+		if( not(status) ) then return false, "ERROR: Failed to receive data" end
+	
+		if ( mech == "DIGEST-MD5" ) then
+			local rspauth = data:match("^+ (.*)")
+			if ( rspauth ) then
+				rspauth = base64.dec(rspauth)
+				status, data = self.socket:send("\r\n")
+				status, data = self:receive()
+			end
+		end
+		if ( data:match(("^A%04d OK"):format(self.counter - 1)) ) then
+			return true
+		end
+		return false, "Login failed"
+	end,
+	
+	--- Login to the server using PLAIN text authentication
+	--
+	-- @param username string containing the username
+	-- @param password string containing the password
+	-- @return status true on success, false on failure
+	-- @return err string containing the error message if status was false
+	login = function(self, username, password)
+		local status, err = self:send("LOGIN", ("\"%s\" \"%s\""):format(username, password))
+		if( not(status) ) then return false, "ERROR: Failed to send data" end
+		
+		local status, data = self:receive()
+		if( not(status) ) then return false, "ERROR: Failed to receive data" end
+			
+		if ( data:match(("^A%04d OK"):format(self.counter - 1)) ) then
+			return true
+		end
+		return false, "Login failed"
+	end,
+	
+	--- Retrieves a list of server capabilities (eg. supported authentication
+	--  mechanisms, QUOTA, UIDPLUS, ACL ...)
+	--
+	-- @return status true on success, false on failure
+	-- @return capas array containing the capabilities that are supported
+	capabilities = function(self)
+		local capas = {}
+		local proto = (self.port.version and self.port.version.service_tunnel == "ssl" and "ssl") or "tcp"
+		local status, err = self:send("CAPABILITY")
+		if( not(status) ) then return false, err end
+	   
+		local status, line = self:receive()
+		if (not(status)) then
+			capas.CAPABILITY = false
+		else 
+			while status do
+				if ( line:match("^%*%s+CAPABILITY") ) then
+		    		line = line:gsub("^%*%s+CAPABILITY", "")
+					for capability in line:gmatch("[%w%+=-]+") do
+						capas[capability] = true
+	            	end
+	            	break
+				end
+				status, line = self.socket:receive()
+			end
+	   end
+	   return true, capas
+	end,
+	
+	--- Closes the connection to the IMAP server
+	-- @return true on success, false on failure
+	close = function(self) return self.socket:close() end
+	
+}
 
 
----
--- Asks an IMAP server for capabilities.
---
--- See RFC 3501.
--- @param host Host to be queried.
--- @param port Port to connect to.
--- @return Table containing capabilities or nil on error.
--- @return nil or String error message.
-function capabilities(host, port)
-   local socket = nmap.new_socket()
-   local capas = {}
-   socket:set_timeout(10000)
-   local proto = (port.version and port.version.service_tunnel == "ssl" and "ssl") or "tcp"
-   if not socket:connect(host, port, proto) then return nil, "Could Not Connect" end
-
-   local status, line = socket:receive_lines(1)
-   if not string.match(line, "^[%*] OK") then return nil, "No Response" end
-   
-   socket:send("a001 CAPABILITY\r\n")
-   status, line = socket:receive_buf("\r\n", false)
-   if not status then 
-      capas.CAPABILITY = false
-   else 
-      while status do
-         if string.match(line, "^%*%s+CAPABILITY") then
-	    line = string.gsub(line, "^%*%s+CAPABILITY", "")
-	    for capability in string.gmatch(line, "[%w%+=-]+") do
-	       capas[capability] = true
-            end
-            break
-         end
-         status, line = socket:receive_buf("\r\n", false)
-      end
-   end
-   socket:close()
-   return capas
-end
+-- The helper class, that servers as interface to script writers
+Helper = {
+	
+	-- @param host table as received by the script action method
+	-- @param port table as received by the script action method
+	-- @param options table containing options, currently
+	--		<code>timeout<code> - 	number containing the seconds to wait for
+	--								a response
+	new = function(self, host, port, options)
+		local o = { client = IMAP:new( host, port, options ) }
+       	setmetatable(o, self)
+        self.__index = self
+		return o
+	end,
+	
+	--- Connects to the IMAP server
+	-- @return status true on success, false on failure
+	connect = function(self)
+		return self.client:connect()
+	end,
+	
+	--- Login to the server using eithe plain-text or using the authentication
+	-- mechanism provided in the mech argument.
+	--
+	-- @param username string containing the username
+	-- @param password string containing the password
+	-- @param mech [optional] containing the authentication mechanism to use
+	-- @return status true on success, false on failure
+	login = function(self, username, password, mech)
+		if ( not(mech) or mech == "LOGIN" ) then
+			return self.client:login(username, password)
+		else
+			return self.client:authenticate(username, password, mech)
+		end
+	end,
+	
+	--- Retrieves a list of server capabilities (eg. supported authentication
+	--  mechanisms, QUOTA, UIDPLUS, ACL ...)
+	--
+	-- @return status true on success, false on failure
+	-- @return capas array containing the capabilities that are supported
+	capabilities = function(self)
+		return self.client:capabilities()
+	end,
+	
+	--- Closes the connection to the IMAP server
+	-- @return true on success, false on failure
+	close = function(self)
+		return self.client:close()
+	end,
+	
+}
diff --git a/scripts/imap-capabilities.nse b/scripts/imap-capabilities.nse
index 23d8123e0..c0277b6fe 100644
--- a/scripts/imap-capabilities.nse
+++ b/scripts/imap-capabilities.nse
@@ -24,7 +24,14 @@ require 'stdnse'
 portrule = shortport.port_or_service({143}, "imap")
 
 action = function(host, port)
-  local capa, err = imap.capabilities(host, port)
+  local helper = imap.Helper:new(host, port)
+  local status = helper:connect()
+  if ( not(status) ) then return "\n  ERROR: Failed to connect to server" end
+
+  local status, capa = helper:capabilities(host, port)
+  if( not(status) ) then return "\n  ERROR: Failed to retrieve capabilities" end
+  helper:close()
+
   if type(capa) == "table" then
      -- Convert the capabilities table into an array of strings.
      local capstrings = {}
diff --git a/scripts/script.db b/scripts/script.db
index a563ab9a9..7327d950a 100644
--- a/scripts/script.db
+++ b/scripts/script.db
@@ -92,6 +92,7 @@ Entry { filename = "http-vhosts.nse", categories = { "discovery", "intrusive", }
 Entry { filename = "http-vmware-path-vuln.nse", categories = { "default", "safe", "vuln", } }
 Entry { filename = "http-wp-plugins.nse", categories = { "discovery", "intrusive", } }
 Entry { filename = "iax2-version.nse", categories = { "version", } }
+Entry { filename = "imap-brute.nse", categories = { "brute", "intrusive", } }
 Entry { filename = "imap-capabilities.nse", categories = { "default", "safe", } }
 Entry { filename = "informix-brute.nse", categories = { "auth", "intrusive", } }
 Entry { filename = "informix-query.nse", categories = { "auth", "intrusive", } }