PenTest/nmap
1
0
Fork 0
mirror of https://github.com/nmap/nmap.git synced 2025-12-10 09:49:05 +00:00
Code Issues Projects Releases Wiki Activity

Added pcanywhere-brute script

Browse Source
This commit is contained in:
aca
2012-06-18 18:16:50 +00:00
parent 5c2db9d06f
commit 7e47c6507d
3 changed files with 162 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
CHANGELOG
View File

@@ -1,5 +1,8 @@
# Nmap Changelog ($Id$); -*-text-*- # Nmap Changelog ($Id$); -*-text-*-
o [NSE] Added pcanywhere-brute script which bruteforces pcAnywhere server
for valid logins. [Aleksandar Nikolic]
o [NSE] Added http-rfi-spider script that spiders webservers in search of o [NSE] Added http-rfi-spider script that spiders webservers in search of
remote file inclusion vulnerabilities. [Piotr Olma] remote file inclusion vulnerabilities. [Piotr Olma]

158
scripts/pcanywhere-brute.nse Normal file
View File

@@ -0,0 +1,158 @@
local brute = require "brute"
local creds = require "creds"
local nmap = require "nmap"
local shortport = require "shortport"
local stdnse = require "stdnse"
local string = require "string"
local bit = require "bit"
local bin = require "bin"
local table = require "table"
description = [[
Performs password guessing against pcAnywhere.
Due to certain limitations of the protocol, bruteforcing
is limited to single thread at a time.
After a valid login pair is guessed the script waits
some time until server becomes available again.
]]
---
-- @usage
-- nmap --script=pcanywhere-brute <target>
--
-- @output
-- 5631/tcp open pcanywheredata syn-ack
-- | pcanywhere-brute:
-- | Accounts
-- | administrator:administrator - Valid credentials
-- | Statistics
-- |_ Performed 2 guesses in 55 seconds, average tps: 0
author = "Aleksandar Nikolic"
license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
categories = {"intrusive", "brute"}
portrule = shortport.port_or_service(5631, "pcanywheredata")
local arg_timeout = stdnse.get_script_args(SCRIPT_NAME .. ".timeout") or 10
-- implements simple xor based encryption which the server expects
local function encrypt(data)
local result = {}
local xor_key = 0xab
local k = 0
if data then
result[1] = bit.bxor(string.byte(data),xor_key)
for i = 2,string.len(data) do
result[i] = bit.bxor(result[i-1],string.byte(data,i),i-2)
end
end
return string.char(table.unpack(result))
end
local retry = false -- true means we found valid login and need to wait
Driver = {
new = function(self, host, port)
local o = {}
setmetatable(o, self)
self.__index = self
o.host = host
o.port = port
return o
end,
connect = function( self )
self.socket = nmap.new_socket()
local response
local err
local status = false
stdnse.sleep(2)
-- when we hit a valid login pair, server enters some kind of locked state
-- so we need to wait for some time before trying next pair
-- variable "retry" signifies if we need to wait or this is just not pcAnywhere server
while not status do
status, err = self.socket:connect(self.host, self.port)
self.socket:set_timeout(tonumber(arg_timeout) * 1000)
if(not(status)) then
return false, brute.Error:new( "Couldn't connect to host: " .. err )
end
status, err = self.socket:send(bin.pack("H","00000000")) --initial hello
status, response = self.socket:receive_bytes(0)
if not status and not retry then
break
end
stdnse.print_debug("in a loop")
stdnse.sleep(2) -- needs relatively big timeout between retries
end
if not status or string.find(response,"Please press <Enter>") == nil then
--probably not pcanywhere
stdnse.print_debug(1, "%s: not pcAnywhere", SCRIPT_NAME)
return false, brute.Error:new( "Probably not pcAnywhere." )
end
retry = false
status, err = self.socket:send(bin.pack("H","6f06ff")) -- downgrade into legacy mode
status, response = self.socket:receive_bytes(0)
status, err = self.socket:send(bin.pack("H","6f61000900fe0000ffff00000000")) -- auth capabilities I
status, response = self.socket:receive_bytes(0)
status, err = self.socket:send(bin.pack("H","6f620102000000")) -- auth capabilities II
status, response = self.socket:receive_bytes(0)
if not status or (string.find(response,"Enter user name") == nil and string.find(response,"Enter login name") == nil) then
stdnse.print_debug(1, "%s: handshake failed", SCRIPT_NAME)
return false, brute.Error:new( "Handshake failed." )
end
return true
end,
login = function (self, user, pass)
local response
local err
local status
stdnse.print_debug( "Trying %s/%s ...", user, pass )
-- send username and password
-- both are prefixed with 0x06, size and are encrypted
status, err = self.socket:send(bin.pack("C",0x06) .. bin.pack("C",string.len(user)) .. encrypt(user) ) -- send username
status, response = self.socket:receive_bytes(0)
if not status or string.find(response,"Enter password") == nil then
stdnse.print_debug(1, "%s: Sending username failed", SCRIPT_NAME)
return false, brute.Error:new( "Sending username failed." )
end
-- send password
status, err = self.socket:send(bin.pack("C",0x06) .. bin.pack("C",string.len(pass)) .. encrypt(pass) ) -- send password
status, response = self.socket:receive_bytes(0)
if not status or string.find(response,"Login unsuccessful") or string.find(response,"Invalid login.")then
stdnse.print_debug(1, "%s: Incorrect username or password", SCRIPT_NAME)
return false, brute.Error:new( "Incorrect username or password." )
end
if status then
retry = true -- now the server is in "locked mode", we need to retry next connection a few times
return true, brute.Account:new( user, pass, creds.State.VALID)
end
return false,brute.Error:new( "Incorrect password" )
end,
disconnect = function( self )
self.socket:close()
return true
end
}
action = function( host, port )
local status, result
local engine = brute.Engine:new(Driver, host, port)
engine.options.script_name = SCRIPT_NAME
engine.max_threads = 1 -- pcAnywhere supports only one login at a time
status, result = engine:start()
return result
end

1
scripts/script.db
View File

@@ -279,6 +279,7 @@ Entry { filename = "oracle-sid-brute.nse", categories = { "brute", "intrusive",
Entry { filename = "ovs-agent-version.nse", categories = { "version", } } Entry { filename = "ovs-agent-version.nse", categories = { "version", } }
Entry { filename = "p2p-conficker.nse", categories = { "default", "safe", } } Entry { filename = "p2p-conficker.nse", categories = { "default", "safe", } }
Entry { filename = "path-mtu.nse", categories = { "discovery", "safe", } } Entry { filename = "path-mtu.nse", categories = { "discovery", "safe", } }
Entry { filename = "pcanywhere-brute.nse", categories = { "brute", "intrusive", } }
Entry { filename = "pgsql-brute.nse", categories = { "brute", "intrusive", } } Entry { filename = "pgsql-brute.nse", categories = { "brute", "intrusive", } }
Entry { filename = "pjl-ready-message.nse", categories = { "intrusive", } } Entry { filename = "pjl-ready-message.nse", categories = { "intrusive", } }
Entry { filename = "pop3-brute.nse", categories = { "brute", "intrusive", } } Entry { filename = "pop3-brute.nse", categories = { "brute", "intrusive", } }