New script deluge-rpc-brute from Claudiu Perta

2025-12-09 14:11:29 +00:00 · 2017-09-18 17:10:59 +00:00
parent 310721fe2a
commit ce5bdd6762
3 changed files with 169 additions and 0 deletions
--- a/3
+++ b/3
@@ -1,5 +1,8 @@
 #s wa Nmap Changelog ($Id$); -*-text-*-

+o [NSE] deluge-rpc-brute performs brute-force credential testing against Deluge
+  BitTorrent RPC services, using the new zlib library. [Claudiu Perta]
+
 o [GH#977] Improved DNS service version detection coverage and consistency
  by using data from a Project Sonar Internet wide survey. Numerouse false
  positives were removed and reliable softmatches added. Match lines for
--- a/scripts/deluge-rpc-brute.nse
+++ b/scripts/deluge-rpc-brute.nse
@@ -0,0 +1,165 @@
+local brute = require "brute"
+local bin = require "bin"
+local creds = require "creds"
+local nmap = require "nmap"
+local shortport = require "shortport"
+local stdnse = require "stdnse"
+local string = require "string"
+
+local have_zlib, zlib = pcall(require, "zlib")
+
+description = [[
+Performs brute force password auditing against the DelugeRPC daemon.
+]]
+
+---
+-- @usage
+-- nmap --script deluge-rpc-brute -p 58846 <host>
+--
+-- @output
+-- PORT      STATE SERVICE REASON  TTL
+-- 58846/tcp open  unknown syn-ack 0
+-- | deluge-rpc-brute:
+-- |   Accounts
+-- |     admin:default - Valid credentials
+-- |   Statistics
+-- |_    Performed 8 guesses in 1 seconds, average tps: 8
+
+author = "Claudiu Perta <claudiu.perta@gmail.com>"
+license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
+categories = {"intrusive", "brute"}
+
+portrule = shortport.port_or_service(58846, "deluge-rpc")
+
+-- Returns an rencoded login request with the given username and password.
+-- The format of the login command is the following:
+--
+-- ((0, 'daemon.login', ('username', 'password'), {}),)
+--
+-- This is inspired from deluge source code, in particular, see
+-- http://git.deluge-torrent.org/deluge/tree/deluge/rencode.py
+local rencoded_login_request = function(username, password)
+  local INT_POS_FIXED_START = 0
+  local INT_POS_FIXED_COUNT = 44
+
+  -- Dictionaries with length embedded in typecode.
+  local DICT_FIXED_START = 102
+  local DICT_FIXED_COUNT = 25
+
+  -- Strings with length embedded in typecode.
+  local STR_FIXED_START = 128
+  local STR_FIXED_COUNT = 64
+
+  -- Lists with length embedded in typecode.
+  local LIST_FIXED_START = 192
+  local LIST_FIXED_COUNT = 64
+
+  if #username > 0xff - STR_FIXED_START then
+    return nil, "Username too long"
+  elseif #password > 0xff - STR_FIXED_START then
+    return nil, "Password too long"
+  end
+
+  -- Encode the login request:
+  -- ((0, 'daemon.login', ('username', 'password'), {}),)
+  local request = bin.pack("CCCCACCACAC",
+    LIST_FIXED_START + 1,
+    LIST_FIXED_START + 4,
+    INT_POS_FIXED_START,
+    STR_FIXED_START + string.len("daemon.login"),
+    "daemon.login",
+    LIST_FIXED_START + 2,
+    STR_FIXED_START + string.len(username),
+    username,
+    STR_FIXED_START + string.len(password),
+    password,
+    DICT_FIXED_START
+  )
+  return request
+end
+
+Driver = {
+
+  new = function(self, host, port, invalid_users)
+    local o = {}
+    setmetatable(o, self)
+    self.__index = self
+    o.host = host
+    o.port = port
+    o.invalid_users = invalid_users
+    return o
+  end,
+
+  connect = function(self)
+    local status, err
+    self.socket = nmap.new_socket()
+    self.socket:set_timeout(
+      ((self.host.times and self.host.times.timeout) or 8) * 1000)
+
+    local status, err = self.socket:connect(self.host, self.port, "ssl")
+    if not status then
+      return false, brute.Error:new("Failed to connect to server")
+    end
+
+    return true
+  end,
+
+  disconnect = function(self)
+    self.socket:close()
+  end,
+
+  login = function(self, username, password)
+    if (self.invalid_users[username]) then
+      return false, brute.Error:new("Invalid user")
+    end
+
+    local request, err = rencoded_login_request(username, password)
+    if not request then
+      return false, brute.Error:new(err)
+    end
+    local status, err = self.socket:send(zlib.compress(request))
+
+    if not status then
+      return false, brute.Error:new("Login error")
+    end
+
+    local status, response = self.socket:receive()
+    if not status  then
+
+      return false, brute.Error:new("Login error")
+    end
+
+    response = zlib.decompress(response)
+    if response:match("BadLoginError") then
+      local error_message = "Login error"
+      if response:match("Username does not exist") then
+        self.invalid_users[username] = true
+        error_message = "Username not found"
+      elseif response:match("Password does not match") then
+        error_message = "Username not found"
+      end
+      return false, brute.Error:new(error_message)
+    end
+
+    return true, brute.Account:new(username, password, creds.State.VALID)
+  end,
+
+  check = function(self)
+    return true
+  end
+}
+
+action = function(host, port)
+
+  if not have_zlib then
+    return "Error: zlib required!"
+  end
+
+  local invalid_users = {}
+  local engine = brute.Engine:new(Driver, host, port, invalid_users)
+
+  engine.options.script_name = SCRIPT_NAME
+  local status, results = engine:start()
+
+  return results
+end
--- a/scripts/script.db
+++ b/scripts/script.db
@@ -81,6 +81,7 @@ Entry { filename = "cvs-brute.nse", categories = { "brute", "intrusive", } }
 Entry { filename = "daap-get-library.nse", categories = { "discovery", "safe", } }
 Entry { filename = "daytime.nse", categories = { "discovery", "safe", } }
 Entry { filename = "db2-das-info.nse", categories = { "discovery", "safe", "version", } }
+Entry { filename = "deluge-rpc-brute.nse", categories = { "brute", "intrusive", } }
 Entry { filename = "dhcp-discover.nse", categories = { "discovery", "safe", } }
 Entry { filename = "dict-info.nse", categories = { "discovery", "safe", } }
 Entry { filename = "distcc-cve2004-2687.nse", categories = { "exploit", "intrusive", "vuln", } }