o [NSE] Added the library rpcap and the scripts rpcap-brute and rpcap-info

which perform brute force password guessing and extract information from the
  WinPcap Remote Packet Capture daemon. [Patrik]

scripts/rpcap-brute.nse

@@ -0,0 +1,92 @@
+description = [[
+Performs brute force password guessing against the WinPcap Remote Capture
+Daemon (rpcap).
+]]
+
+---
+-- @usage
+-- nmap -p 2002 <ip> --script rpcap-brute
+--
+-- @output
+-- PORT     STATE SERVICE REASON
+-- 2002/tcp open  globe   syn-ack
+-- | rpcap-brute: 
+-- |   Accounts
+-- |     monkey:Password1 - Valid credentials
+-- |   Statistics
+-- |_    Performed 3540 guesses in 3 seconds, average tps: 1180
+--
+--
+
+require 'brute'
+require 'rpcap'
+require 'shortport'
+
+author = "Patrik Karlsson"
+license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
+categories = {"intrusive", "brute"}
+
+portrule = shortport.port_or_service(2002, "rpcap", "tcp")
+
+Driver = {
+	
+	new = function(self, host, port)
+		local o = { helper = rpcap.Helper:new(host, port) }
+		setmetatable(o, self)
+		self.__index = self
+		return o
+	end,
+	
+	connect = function(self)
+		return self.helper:connect()
+	end,
+	
+	login = function(self, username, password)
+		local status, resp = self.helper:login(username, password)
+		if ( status ) then
+			return true, brute.Account:new(username, password, creds.State.VALID)
+		end
+		return false, brute.Error:new( "Incorrect password" )
+	end,
+       	
+	disconnect = function(self)
+		return self.helper:close()
+	end,
+		
+}
+
+local function validateAuth(host, port)
+	local helper = rpcap.Helper:new(host, port)
+	local status, result = helper:connect()
+	if ( not(status) ) then
+		return false, result
+	end
+	status, result = helper:login()
+	helper:close()
+	
+	if ( status ) then
+		return false, "Authentication not required"
+	elseif ( not(status) and
+		"Authentication failed; NULL autentication not permitted." == result ) then
+		return true
+	end
+	return status, result
+end
+
+action = function(host, port)
+
+	local status, result = validateAuth(host, port)
+	if ( not(status) ) then
+		return result
+	end	
+	
+	local engine = brute.Engine:new(Driver, host, port )
+	
+	engine.options.script_name = SCRIPT_NAME
+	engine.options.firstonly = true
+	status, result = engine:start()
+
+	return result
+end
+
+

scripts/rpcap-info.nse

@@ -0,0 +1,90 @@
+description = [[
+Connect to the rpcap service, a service providing remote sniffing capabilities
+through WinPcap, and retrieves interface information. The service can either be
+setup to require authentication or not and also supports IP restrictions.
+]]
+
+---
+-- @usage
+-- nmap -p 2002 <ip> --script rpcap-info
+-- nmap -p 2002 <ip> --script rpcap-info --script-args="creds.rpcap='administrator:foobar'"
+--
+-- @output
+-- PORT     STATE SERVICE REASON
+-- 2002/tcp open  rpcap   syn-ack
+-- | rpcap-info: 
+-- |   \Device\NPF_{0D5D1364-1F1F-4892-8AC3-B838258F9BB8}
+-- |     Intel(R) PRO/1000 MT Desktop Adapter
+-- |     Addresses
+-- |         fe80:0:0:0:aabb:ccdd:eeff:0011
+-- |         192.168.1.127/24
+-- |   \Device\NPF_{D5EAD105-B0BA-4D38-ACB4-6E95512BC228}
+-- |     Hamachi Virtual Network Interface Driver
+-- |     Addresses
+-- |_        fe80:0:0:0:aabb:ccdd:eeff:0022
+--
+-- @args creds.rpcap username:password to use for authentication
+--
+
+author = "Patrik Karlsson"
+license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
+categories = {"discover", "safe"}
+dependencies = {"rpcap-brute"}
+
+require 'creds'
+require 'rpcap'
+require 'shortport'
+
+portrule = shortport.port_or_service(2002, "rpcap", "tcp")
+
+local function fail(err) return ("\n  ERROR: %s"):format(err or "") end
+
+local function getInfo(host, port, username, password)
+
+	local helper = rpcap.Helper:new(host, port)
+	local status, resp = helper:connect()
+	if ( not(status) ) then
+		return false, "Failed to connect to server"
+	end
+	status, resp = helper:login(username, password)
+		
+	if ( not(status) ) then
+		return false, resp
+	end
+
+	status, resp = helper:findAllInterfaces()
+	helper:close()
+	if ( not(status) ) then
+		return false, resp
+	end
+	
+	port.version.name = "rpcap"
+	port.version.product = "WinPcap remote packet capture daemon"
+	nmap.set_port_version(host, port, "hardmatched")
+	
+	return true, resp
+end
+
+action = function(host, port)
+
+	-- patch-up the service name, so creds.rpcap will work, ugly but needed as
+	-- tcp 2002 is registered to the globe service in nmap-services ...
+	port.service = "rpcap"
+	
+	local c = creds.Credentials:new(creds.ALL_DATA, host, port)
+	local states = creds.State.VALID + creds.State.PARAM
+	local status, resp = getInfo(host, port)
+	
+	if ( status ) then
+		return stdnse.format_output(true, resp)
+	end
+
+	for cred in c:getCredentials(states) do
+		status, resp = getInfo(host, port, cred.user, cred.pass)
+		if ( status ) then
+			return stdnse.format_output(true, resp)
+		end
+	end
+
+	return fail(resp)
+end

scripts/script.db

@@ -250,6 +250,8 @@ Entry { filename = "rexec-brute.nse", categories = { "brute", "intrusive", } }
 Entry { filename = "riak-http-info.nse", categories = { "discovery", "safe", } }
 Entry { filename = "rlogin-brute.nse", categories = { "brute", "intrusive", } }
 Entry { filename = "rmi-dumpregistry.nse", categories = { "default", "discovery", "safe", } }
+Entry { filename = "rpcap-brute.nse", categories = { "brute", "intrusive", } }
+Entry { filename = "rpcap-info.nse", categories = { "discover", "safe", } }
 Entry { filename = "rpcinfo.nse", categories = { "default", "discovery", "safe", } }
 Entry { filename = "rsync-brute.nse", categories = { "brute", "intrusive", } }
 Entry { filename = "rsync-list-modules.nse", categories = { "discovery", "safe", } }