diff --git a/CHANGELOG b/CHANGELOG
index 98f9170b7..3bb0c57bc 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,5 +1,8 @@
 # Nmap Changelog ($Id$); -*-text-*-
 
+o [NSE] Added a brute script for new Metasploit RPC interface as
+ metasploit-msgrpc-brute. [Aleksandar Nikolic]
+
 o [NSE] Added the script firewall-bypass which detects a vulnerability in
 netfilter and other firewalls that use helpers to dynamically open ports
 for protocols such as ftp and sip. [Hani Benhabiles]
diff --git a/scripts/metasploit-msgrpc-brute.nse b/scripts/metasploit-msgrpc-brute.nse
new file mode 100644
index 000000000..fd755ae14
--- /dev/null
+++ b/scripts/metasploit-msgrpc-brute.nse
@@ -0,0 +1,117 @@
+local brute = require "brute"
+local shortport = require "shortport"
+local stdnse = require "stdnse"
+local string = require "string"
+local http = require "http"
+local bin = require "bin"
+local creds = require "creds"
+
+description = [[
+Performs brute force username and password guessing against
+Metasploit msgrpc interface.
+
+]]
+
+---
+-- @usage
+-- nmap --script metasploit-msgrpc-brute -p 55553
+--
+-- This script uses brute library to perform password
+-- guessing agains Metasploit's msgrpc interface.
+--
+--
+-- @output
+-- PORT STATE SERVICE REASON
+-- 55553/tcp open unknown syn-ack
+-- | metasploit-msgrpc-brute:
+-- | Accounts
+-- | root:root - Valid credentials
+-- | Statistics
+-- |_ Performed 10 guesses in 10 seconds, average tps: 1
+
+
+
+author = "Aleksandar Nikolic"
+license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
+categories = {"intrusive", "brute"}
+
+portrule = shortport.port_or_service(55553,"metasploit-msgrpc")
+
+
+-- simple function that implements basic msgpack encoding we need for this script
+-- see http://wiki.msgpack.org/display/MSGPACK/Format+specification for more
+local encode = function(username, password)
+local method = "auth.login"
+local username_prefix
+local password_prefix
+
+if string.len(username) <= 31 then -- http://wiki.msgpack.org/display/MSGPACK/Format+specification#Formatspecification-fixraw
+username_prefix = bin.pack("C",0xa0 + string.len(username))
+else -- http://wiki.msgpack.org/display/MSGPACK/Format+specification#Formatspecification-raw16
+username_prefix = bin.pack("C",0xda) .. bin.pack("s",string.len(username))
+end
+if string.len(password) <= 31 then
+password_prefix = bin.pack("C",0xa0 + string.len(password))
+else
+password_prefix = bin.pack("C",0xda) .. bin.pack("s",string.len(password))
+end
+
+return bin.pack("C",0x93) .. bin.pack("C",0xaa) .. method .. username_prefix .. username .. password_prefix .. password
+end
+
+Driver = {
+
+new = function(self, host, port)
+local o = {}
+setmetatable(o, self)
+self.__index = self
+o.host = host
+o.port = port
+return o
+end,
+
+-- as we are using http methods, no need for connect and disconnect
+-- this might cause a problem as in other scripts that don't have explicit connect
+-- as there is no way to "reserve" a socket
+connect = function( self )
+return true
+end,
+
+login = function (self, user, pass)
+local data
+local options = {
+header = {
+["Content-Type"] = "binary/message-pack"
+}
+}
+stdnse.print_debug( "Trying %s/%s ...", user, pass )
+data = http.post(self.host,self.port, "/api/",options, nil , encode(user,pass))
+if data and data.status and tostring( data.status ):match( "200" ) then
+if string.find(data.body,"success") then
+return true, brute.Account:new( user, pass, creds.State.VALID)
+else
+return false, brute.Error:new( "Incorrect username or password" )
+end
+end
+local err = brute.Error:new("Login didn't return a proper response")
+err:setRetry( true )
+return false, err
+end,
+
+disconnect = function( self )
+return true
+end
+}
+
+action = function( host, port )
+
+local status, result
+local engine = brute.Engine:new(Driver, host, port)
+engine.options.script_name = SCRIPT_NAME
+engine.options.firstonly = true
+engine.max_threads = 3
+engine.max_retries = 10
+status, result = engine:start()
+
+return result
+end
diff --git a/scripts/script.db b/scripts/script.db
index 692059cb7..2cfa37042 100644
--- a/scripts/script.db
+++ b/scripts/script.db
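Review bot: In `encode`, the raw16 branches for a username or password longer than 31 bytes build the length field with `bin.pack("s", ...)`, but msgpack's raw16 header is an unsigned 16-bit big-endian length and nothing in that call selects big-endian, so longer credentials most likely go out as a malformed frame the server rejects rather than tests; a non-200 reply is then retried up to `max_retries` times as if it were transient. Both else branches should use `bin.pack(">S", string.len(username))` and `bin.pack(">S", string.len(password))`. Separately, in `login` the validity check `string.find(data.body,"success")` is a substring match over the whole reply, so any 200 response whose text happens to contain that word would be reported as valid credentials; anchoring on the msgpack-encoded `result` key would be tighter, and guarding with `data.body and` avoids a Lua error if a 200 comes back with no body.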
@@ -97,7 +97,7 @@ Entry { filename = "epmd-info.nse", categories = { "default", "discovery", "safe
 Entry { filename = "eppc-enum-processes.nse", categories = { "discovery", "safe", } }
 Entry { filename = "finger.nse", categories = { "default", "discovery", "safe", } }
 Entry { filename = "firewalk.nse", categories = { "discovery", "safe", } }
-Entry { filename = "firewall-bypass.nse", categories = { "vuln", "intrusive", } }
+Entry { filename = "firewall-bypass.nse", categories = { "intrusive", "vuln", } }
 Entry { filename = "ftp-anon.nse", categories = { "auth", "default", "safe", } }
 Entry { filename = "ftp-bounce.nse", categories = { "default", "safe", } }
 Entry { filename = "ftp-brute.nse", categories = { "brute", "intrusive", } }
@@ -221,9 +221,11 @@ Entry { filename = "ldap-search.nse", categories = { "discovery", "safe", } }
 Entry { filename = "lexmark-config.nse", categories = { "discovery", "safe", } }
 Entry { filename = "lltd-discovery.nse", categories = { "broadcast", "discovery", "safe", } }
 Entry { filename = "maxdb-info.nse", categories = { "default", "version", } }
+Entry { filename = "mcafee-epo-agent.nse", categories = { "safe", "version", } }
 Entry { filename = "membase-brute.nse", categories = { "brute", "intrusive", } }
 Entry { filename = "membase-http-info.nse", categories = { "discovery", "safe", } }
 Entry { filename = "memcached-info.nse", categories = { "discovery", "safe", } }
+Entry { filename = "metasploit-msgrpc-brute.nse", categories = { "brute", "intrusive", } }
 Entry { filename = "metasploit-xmlrpc-brute.nse", categories = { "brute", "intrusive", } }
 Entry { filename = "mmouse-brute.nse", categories = { "brute", "intrusive", } }
 Entry { filename = "mmouse-exec.nse", categories = { "intrusive", } }