Added metasploit-msgrpc-brute to trunk

2025-12-09 22:21:29 +00:00 · 2012-06-30 12:02:54 +00:00
parent 95f7d0d74a
commit 4030bf6c1a
3 changed files with 123 additions and 1 deletions
--- a/3
+++ b/3
@@ -1,5 +1,8 @@
 # Nmap Changelog ($Id$); -*-text-*-

+o [NSE] Added a brute script for new Metasploit RPC interface as 
+  metasploit-msgrpc-brute. [Aleksandar Nikolic]
+
 o [NSE] Added the script firewall-bypass which detects a vulnerability in
  netfilter and other firewalls that use helpers to dynamically open ports for
  protocols such as ftp and sip.  [Hani Benhabiles]
--- a/scripts/metasploit-msgrpc-brute.nse
+++ b/scripts/metasploit-msgrpc-brute.nse
@@ -0,0 +1,117 @@
+local brute = require "brute"
+local shortport = require "shortport"
+local stdnse = require "stdnse"
+local string = require "string"
+local http = require "http"
+local bin = require "bin"
+local creds = require "creds"
+
+description = [[
+Performs brute force username and password guessing against 
+Metasploit msgrpc interface.
+
+]]
+
+---
+-- @usage
+-- nmap --script metasploit-msgrpc-brute -p 55553 <host>
+--
+-- This script uses brute library to perform password
+-- guessing agains Metasploit's msgrpc interface.
+-- 
+--
+-- @output
+-- PORT      STATE SERVICE REASON
+-- 55553/tcp open  unknown syn-ack
+-- | metasploit-msgrpc-brute:
+-- |   Accounts
+-- |     root:root - Valid credentials
+-- |   Statistics
+-- |_    Performed 10 guesses in 10 seconds, average tps: 1
+
+
+
+author = "Aleksandar Nikolic"
+license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
+categories = {"intrusive", "brute"}
+
+portrule = shortport.port_or_service(55553,"metasploit-msgrpc")
+
+
+-- simple function that implements basic msgpack encoding we need for this script
+-- see http://wiki.msgpack.org/display/MSGPACK/Format+specification for more
+local encode = function(username, password)
+	local method = "auth.login"
+	local username_prefix 
+	local password_prefix 
+	
+	if string.len(username) <= 31 then -- http://wiki.msgpack.org/display/MSGPACK/Format+specification#Formatspecification-fixraw
+		username_prefix = bin.pack("C",0xa0 + string.len(username))
+	else -- http://wiki.msgpack.org/display/MSGPACK/Format+specification#Formatspecification-raw16
+		username_prefix = bin.pack("C",0xda)  .. bin.pack("s",string.len(username))
+	end
+	if string.len(password) <= 31 then
+		password_prefix = bin.pack("C",0xa0 + string.len(password))
+	else 
+		password_prefix = bin.pack("C",0xda)  .. bin.pack("s",string.len(password))
+	end
+	
+	return bin.pack("C",0x93) .. bin.pack("C",0xaa) .. method .. username_prefix .. username .. password_prefix .. password
+end
+
+Driver = {
+
+	new = function(self, host, port)
+		local o = {}
+       	setmetatable(o, self)
+        self.__index = self
+		o.host = host
+		o.port = port
+		return o
+	end,
+
+	-- as we are using http methods, no need for connect and disconnect
+	-- this might cause a problem as in other scripts that don't have explicit connect
+	-- as there is no way to "reserve" a socket 
+	connect = function( self )
+		return true
+	end,
+	
+	login = function (self, user, pass)
+		local data
+		local options = {
+			header = {
+				["Content-Type"] = "binary/message-pack"
+			}
+		}
+		stdnse.print_debug( "Trying %s/%s ...", user, pass )
+		data = http.post(self.host,self.port, "/api/",options, nil , encode(user,pass))
+		if data and data.status and tostring( data.status ):match( "200" )  then
+			if string.find(data.body,"success") then
+				return true, brute.Account:new( user, pass, creds.State.VALID)
+			else
+				return false,  brute.Error:new( "Incorrect username or password" )
+			end
+		end
+		local err = brute.Error:new("Login didn't return a proper response")
+		err:setRetry( true )
+		return false, err
+	end,
+
+	disconnect = function( self ) 
+		return true
+	end
+}
+
+action = function( host, port )
+
+	local status, result 
+	local engine = brute.Engine:new(Driver, host, port)
+	engine.options.script_name = SCRIPT_NAME
+	engine.options.firstonly = true 
+	engine.max_threads = 3
+	engine.max_retries = 10
+	status, result = engine:start()
+	
+	return result
+end
--- a/scripts/script.db
+++ b/scripts/script.db
@@ -97,7 +97,7 @@ Entry { filename = "epmd-info.nse", categories = { "default", "discovery", "safe
 Entry { filename = "eppc-enum-processes.nse", categories = { "discovery", "safe", } }
 Entry { filename = "finger.nse", categories = { "default", "discovery", "safe", } }
 Entry { filename = "firewalk.nse", categories = { "discovery", "safe", } }
-Entry { filename = "firewall-bypass.nse", categories = { "vuln", "intrusive", } }
+Entry { filename = "firewall-bypass.nse", categories = { "intrusive", "vuln", } }
 Entry { filename = "ftp-anon.nse", categories = { "auth", "default", "safe", } }
 Entry { filename = "ftp-bounce.nse", categories = { "default", "safe", } }
 Entry { filename = "ftp-brute.nse", categories = { "brute", "intrusive", } }
@@ -221,9 +221,11 @@ Entry { filename = "ldap-search.nse", categories = { "discovery", "safe", } }
 Entry { filename = "lexmark-config.nse", categories = { "discovery", "safe", } }
 Entry { filename = "lltd-discovery.nse", categories = { "broadcast", "discovery", "safe", } }
 Entry { filename = "maxdb-info.nse", categories = { "default", "version", } }
+Entry { filename = "mcafee-epo-agent.nse", categories = { "safe", "version", } }
 Entry { filename = "membase-brute.nse", categories = { "brute", "intrusive", } }
 Entry { filename = "membase-http-info.nse", categories = { "discovery", "safe", } }
 Entry { filename = "memcached-info.nse", categories = { "discovery", "safe", } }
+Entry { filename = "metasploit-msgrpc-brute.nse", categories = { "brute", "intrusive", } }
 Entry { filename = "metasploit-xmlrpc-brute.nse", categories = { "brute", "intrusive", } }
 Entry { filename = "mmouse-brute.nse", categories = { "brute", "intrusive", } }
 Entry { filename = "mmouse-exec.nse", categories = { "intrusive", } }