o [NSE] Added scripts by Toni Ruotto communicating with the NetBus

remote administration/backdoor program. - netbus-info: gets configuration information. - netbus-brute: guesses passwords. - netbus-version: distinguishes NetBus from NetBuster, a program that mimics the protocol but doesn't actually allow any operations. - netbus-auth-bypass: Checks for a bug in the server that allows connecting without a password.
2026-01-04 13:49:03 +00:00 · 2010-12-13 18:00:02 +00:00
parent a7e80b4cf3
commit 90a2819a04
6 changed files with 329 additions and 0 deletions
--- a/scripts/netbus-info.nse
+++ b/scripts/netbus-info.nse
@@ -0,0 +1,166 @@
+description = [[
+Opens a connection to a NetBus server and extracts information about
+the host and the NetBus service itself.
+
+The extracted host information includes a list of running
+applications, and the hosts sound volume settings. 
+
+The extracted service information includes it's access control list
+(acl), server information, and setup. The acl is a list of IP
+addresses permitted to access the service. Server information
+contains details about the server installation path, restart
+persistence, user account that the server is running on, and the
+amount of connected NetBus clients. The setup information contains
+configuration details, such as the services TCP port number, traffic
+logging setting, password, an email address for receiving login
+notifications, an email address used for sending the notifications,
+and an smtp-server used for notification delivery.
+]]
+
+---
+-- @output
+-- 12345/tcp open  netbus
+-- | netbus-info:   
+-- |   ACL
+-- |     127.0.0.1
+-- |   APPLICATIONS
+-- |     PuTTY Configuration
+-- |   INFO
+-- |     Program Path: Z:\home\joeuser\Desktop\Patch.exe
+-- |     Restart persistent: Yes
+-- |     Login ID: joeuser
+-- |     Clients connected to this host: 1
+-- |   SETUP
+-- |     TCP-port: 12345
+-- |     Log traffic: 1
+-- |     Password: password123
+-- |     Notify to: admin@example.com
+-- |     Notify from: spoofed@example.org
+-- |     SMTP-server: smtp.example.net
+-- |   VOLUME
+-- |     Wave: 0
+-- |     Synth: 0
+-- |_    Cd: 0
+
+author = "Toni Ruottu"
+license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
+categories = {"default", "discovery", "safe"}
+
+require("nmap")
+require("comm")
+require("stdnse")
+require("shortport")
+
+dependencies = {"netbus-version", "netbus-brute"}
+
+portrule = shortport.port_or_service (12345, "netbus", {"tcp"})
+
+local function format_acl(acl)
+	if acl == nil then
+		return {}
+	end
+	local payload = string.sub(acl, 9) --skip header
+	local fields = stdnse.strsplit("|", payload)
+	table.remove(fields, (# fields))
+	fields["name"] = "ACL"
+	return fields
+end
+
+local function format_apps(apps)
+	if apps == nil then
+		return {}
+	end
+	local payload = string.sub(apps, 10) --skip header
+	local fields = stdnse.strsplit("|", payload)
+	table.remove(fields, (# fields))
+	fields["name"] = "APPLICATIONS"
+	return fields
+end
+
+local function format_info(info)
+	if info == nil then
+		return {}
+	end
+	local payload = string.sub(info, 6) --skip header
+	local fields = stdnse.strsplit("|", payload)
+	fields["name"] = "INFO"
+	return fields
+end
+
+local function format_setup(setup)
+	local formatted = {}
+	if setup == nil then
+		return formatted
+	end
+	local fields = stdnse.strsplit(";", setup)
+	if # fields < 7 then
+		return formatted
+	end
+	formatted["name"] = "SETUP"
+	table.insert(formatted, string.format("TCP-port: %s", fields[2]))
+	table.insert(formatted, string.format("Log traffic: %s", fields[3]))
+	table.insert(formatted, string.format("Password: %s", fields[4]))
+	table.insert(formatted, string.format("Notify to: %s", fields[5]))
+	table.insert(formatted, string.format("Notify from: %s", fields[6]))
+	table.insert(formatted, string.format("SMTP-server: %s", fields[7]))
+	return formatted
+end
+
+local function format_volume(volume)
+	local formatted = {}
+	if volume == nil then
+		return formatted
+	end
+	local fields = stdnse.strsplit(";", volume)
+	if # fields < 4 then
+		return formatted
+	end
+	formatted["name"] = "VOLUME"
+	table.insert(formatted, string.format("Wave: %s", fields[2]))
+	table.insert(formatted, string.format("Synth: %s", fields[3]))
+	table.insert(formatted, string.format("Cd: %s", fields[4]))
+	return formatted
+end
+
+action = function( host, port )
+
+	local password = nmap.registry.netbuspassword
+	if password == nil then
+		password = ""		 
+	end
+
+	local socket = nmap.new_socket()
+	socket:set_timeout(5000)
+	local status, err = socket:connect(host.ip, port.number)
+	local buffer, err = stdnse.make_buffer(socket, "\r")
+	local _ = buffer()
+	socket:send(string.format("Password;1;%s\r", password))
+	local gotin = buffer()
+	if gotin == "Access;0" then
+		return
+	end
+
+	socket:send("GetInfo\r")
+	local info = buffer()
+	socket:send("GetSetup\r")
+	local setup = buffer()
+	socket:send("GetACL\r")
+	local acl = buffer()
+	socket:send("GetApps\r")
+	local apps = buffer()
+	socket:send("GetVolume\r")
+	local volume = buffer()
+	socket:close()
+
+	local response = {}
+	table.insert(response, "")
+	table.insert(response, format_acl(acl))
+	table.insert(response, format_apps(apps))
+	table.insert(response, format_info(info))
+	table.insert(response, format_setup(setup))
+	table.insert(response, format_volume(volume))
+
+	return stdnse.format_output(true, response)
+end
+
+