diff --git a/CHANGELOG b/CHANGELOG index 33158b04d..edf869f4b 100644 --- a/CHANGELOG +++ b/CHANGELOG @@ -1,5 +1,8 @@ # Nmap Changelog ($Id$); -*-text-*- +o [NSE] Added pcanywhere-brute script which bruteforces pcAnywhere server + for valid logins. [Aleksandar Nikolic] + o [NSE] Added http-rfi-spider script that spiders webservers in search of remote file inclusion vulnerabilities. [Piotr Olma] diff --git a/scripts/pcanywhere-brute.nse b/scripts/pcanywhere-brute.nse new file mode 100644 index 000000000..555528aec --- /dev/null +++ b/scripts/pcanywhere-brute.nse @@ -0,0 +1,158 @@ +local brute = require "brute" +local creds = require "creds" +local nmap = require "nmap" +local shortport = require "shortport" +local stdnse = require "stdnse" +local string = require "string" +local bit = require "bit" +local bin = require "bin" +local table = require "table" +description = [[ +Performs password guessing against pcAnywhere. + +Due to certain limitations of the protocol, bruteforcing +is limited to single thread at a time. +After a valid login pair is guessed the script waits +some time until server becomes available again. + +]] + +--- +-- @usage +-- nmap --script=pcanywhere-brute +-- +-- @output +-- 5631/tcp open pcanywheredata syn-ack +-- | pcanywhere-brute: +-- | Accounts +-- | administrator:administrator - Valid credentials +-- | Statistics +-- |_ Performed 2 guesses in 55 seconds, average tps: 0 + + +author = "Aleksandar Nikolic" +license = "Same as Nmap--See http://nmap.org/book/man-legal.html" +categories = {"intrusive", "brute"} + + +portrule = shortport.port_or_service(5631, "pcanywheredata") + +local arg_timeout = stdnse.get_script_args(SCRIPT_NAME .. ".timeout") or 10 + +-- implements simple xor based encryption which the server expects +local function encrypt(data) + local result = {} + local xor_key = 0xab + local k = 0 + if data then + result[1] = bit.bxor(string.byte(data),xor_key) + for i = 2,string.len(data) do + result[i] = bit.bxor(result[i-1],string.byte(data,i),i-2) + end + end + return string.char(table.unpack(result)) +end + +local retry = false -- true means we found valid login and need to wait + +Driver = { + + new = function(self, host, port) + local o = {} + setmetatable(o, self) + self.__index = self + o.host = host + o.port = port + return o + end, + + connect = function( self ) + self.socket = nmap.new_socket() + local response + local err + local status = false + + stdnse.sleep(2) + -- when we hit a valid login pair, server enters some kind of locked state + -- so we need to wait for some time before trying next pair + -- variable "retry" signifies if we need to wait or this is just not pcAnywhere server + while not status do + status, err = self.socket:connect(self.host, self.port) + self.socket:set_timeout(tonumber(arg_timeout) * 1000) + if(not(status)) then + return false, brute.Error:new( "Couldn't connect to host: " .. err ) + end + status, err = self.socket:send(bin.pack("H","00000000")) --initial hello + status, response = self.socket:receive_bytes(0) + if not status and not retry then + break + end + stdnse.print_debug("in a loop") + stdnse.sleep(2) -- needs relatively big timeout between retries + end + if not status or string.find(response,"Please press ") == nil then + --probably not pcanywhere + stdnse.print_debug(1, "%s: not pcAnywhere", SCRIPT_NAME) + return false, brute.Error:new( "Probably not pcAnywhere." ) + end + retry = false + status, err = self.socket:send(bin.pack("H","6f06ff")) -- downgrade into legacy mode + status, response = self.socket:receive_bytes(0) + + status, err = self.socket:send(bin.pack("H","6f61000900fe0000ffff00000000")) -- auth capabilities I + status, response = self.socket:receive_bytes(0) + + status, err = self.socket:send(bin.pack("H","6f620102000000")) -- auth capabilities II + status, response = self.socket:receive_bytes(0) + if not status or (string.find(response,"Enter user name") == nil and string.find(response,"Enter login name") == nil) then + stdnse.print_debug(1, "%s: handshake failed", SCRIPT_NAME) + return false, brute.Error:new( "Handshake failed." ) + end + return true + end, + + login = function (self, user, pass) + local response + local err + local status + stdnse.print_debug( "Trying %s/%s ...", user, pass ) + -- send username and password + -- both are prefixed with 0x06, size and are encrypted + status, err = self.socket:send(bin.pack("C",0x06) .. bin.pack("C",string.len(user)) .. encrypt(user) ) -- send username + status, response = self.socket:receive_bytes(0) + if not status or string.find(response,"Enter password") == nil then + stdnse.print_debug(1, "%s: Sending username failed", SCRIPT_NAME) + return false, brute.Error:new( "Sending username failed." ) + end + -- send password + status, err = self.socket:send(bin.pack("C",0x06) .. bin.pack("C",string.len(pass)) .. encrypt(pass) ) -- send password + status, response = self.socket:receive_bytes(0) + if not status or string.find(response,"Login unsuccessful") or string.find(response,"Invalid login.")then + stdnse.print_debug(1, "%s: Incorrect username or password", SCRIPT_NAME) + return false, brute.Error:new( "Incorrect username or password." ) + end + + if status then + retry = true -- now the server is in "locked mode", we need to retry next connection a few times + return true, brute.Account:new( user, pass, creds.State.VALID) + end + return false,brute.Error:new( "Incorrect password" ) + end, + + disconnect = function( self ) + self.socket:close() + return true + end + +} + +action = function( host, port ) + + local status, result + local engine = brute.Engine:new(Driver, host, port) + engine.options.script_name = SCRIPT_NAME + engine.max_threads = 1 -- pcAnywhere supports only one login at a time + status, result = engine:start() + + return result +end diff --git a/scripts/script.db b/scripts/script.db index b802e6d86..e09bf1d44 100644 --- a/scripts/script.db +++ b/scripts/script.db @@ -279,6 +279,7 @@ Entry { filename = "oracle-sid-brute.nse", categories = { "brute", "intrusive", Entry { filename = "ovs-agent-version.nse", categories = { "version", } } Entry { filename = "p2p-conficker.nse", categories = { "default", "safe", } } Entry { filename = "path-mtu.nse", categories = { "discovery", "safe", } } +Entry { filename = "pcanywhere-brute.nse", categories = { "brute", "intrusive", } } Entry { filename = "pgsql-brute.nse", categories = { "brute", "intrusive", } } Entry { filename = "pjl-ready-message.nse", categories = { "intrusive", } } Entry { filename = "pop3-brute.nse", categories = { "brute", "intrusive", } }