local base64 = require "base64"
local brute = require "brute"
local creds = require "creds"
local nmap = require "nmap"
local shortport = require "shortport"
-- NSE script description (shown in --script-help and in the NSEDoc index).
-- The trailing newline mirrors the value the original long-bracket literal
-- produced, since the opening newline of a [[ ]] string is skipped but the
-- closing one is kept.
description = "Performs brute force password auditing against an iPhoto Library.\n"
---
-- @usage
-- nmap --script dpap-brute -p 8770 <host>
--
-- @output
-- 8770/tcp open apple-iphoto syn-ack
-- | dpap-brute:
-- | Accounts
-- | secret => Login correct
-- | Statistics
-- |_ Performed 5007 guesses in 6 seconds, average tps: 834
--
--
-- Version 0.1
-- Created 24/01/2011 - v0.1 - created by Patrik Karlsson <patrik@cqure.net>
--
-- Script metadata read by the NSE loader.
author = "Patrik Karlsson"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = { "intrusive", "brute" }

-- Run when the target port is 8770 or the service was identified as
-- apple-iphoto by version detection.
portrule = shortport.port_or_service(8770, "apple-iphoto")
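--- Driver used by brute.Engine for the DPAP (iPhoto sharing) login.
--
-- The engine creates one instance per connection and calls connect(),
-- login() and disconnect() on it. Each login is a single HTTP request
-- carrying Basic credentials; the response status line decides the outcome.
Driver = {

  --- Creates a new Driver instance.
  -- @param host table as received by the action function
  -- @param port table as received by the action function
  -- @return o new Driver instance
  new = function(self, host, port)
    local o = { host = host, port = port }
    setmetatable(o, self)
    self.__index = self
    return o
  end,

  --- Opens a TCP connection to the service.
  -- A 5 second socket timeout bounds how long a single guess may hang.
  -- @return status true on success, false on failure
  -- @return err error message on failure (as returned by the socket)
  connect = function( self )
    self.socket = brute.new_socket()
    self.socket:set_timeout(5000)
    return self.socket:connect(self.host, self.port, "tcp")
  end,

  --- Attempts to authenticate against the DPAP server with one password.
  --
  -- The engine is started with the passonly option, so <code>username</code>
  -- is ignored here and a fixed user name is sent in the Basic credentials.
  -- @param username unused (password-only authentication)
  -- @param password the password to try
  -- @return status true on success, false on failure
  -- @return result creds.Account on success, brute.Error on failure; the
  --   error has retry set when the send or receive failed, so the engine
  --   retries the guess instead of counting it as a wrong password
  login = function( self, username, password )
    local data = "GET dpap://%s:%d/login HTTP/1.1\r\n" ..
      "User-Agent: iPhoto/9.1.1 (Macintosh; N; PPC)\r\n" ..
      "Host: %s\r\n" ..
      "Authorization: Basic %s\r\n" ..
      "Client-DPAP-Version: 1.1\r\n" ..
      "\r\n\r\n"
    local c = base64.enc("nmap:" .. password)
    data = data:format( self.host.ip, self.port.number, self.host.ip, c )

    local status = self.socket:send( data )
    if ( not(status) ) then
      local err = brute.Error:new( "Failed to send data to DPAP server" )
      err:setRetry( true )
      return false, err
    end

    status, data = self.socket:receive()
    if ( not(status) ) then
      local err = brute.Error:new( "Failed to receive data from DPAP server" )
      err:setRetry( true )
      return false, err
    end

    -- Anchor on the status line. '.' is a pattern magic character, so it is
    -- escaped to match "HTTP/1.1" literally rather than any single byte.
    if ( data:match("^HTTP/1%.1 200 OK") ) then
      return true, creds.Account:new(username, password, creds.State.VALID)
    end
    return false, brute.Error:new( "Incorrect password" )
  end,

  --- Closes the connection opened by connect().
  disconnect = function( self )
    self.socket:close()
  end,

}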
--- Checks whether the library accepts an empty password.
--
-- Connection and protocol failures are reported as "not accepted" rather
-- than as errors, so the caller falls through to the normal brute run.
-- @param host table as received by the action function
-- @param port table as received by the action function
-- @return true if the empty password was accepted, false otherwise
local function checkEmptyPassword(host, port)
  local driver = Driver:new(host, port)
  if not driver:connect() then
    return false
  end
  local accepted = driver:login("", "")
  driver:disconnect()
  return accepted
end
--- Script entry point.
--
-- Short-circuits when the library has no password; otherwise runs the
-- brute engine in password-only mode and stops at the first valid guess.
-- @param host table as received from the NSE framework
-- @param port table as received from the NSE framework
-- @return result the engine's result (or the no-password message)
action = function(host, port)
  if checkEmptyPassword(host, port) then
    return "Library has no password"
  end

  local engine = brute.Engine:new(Driver, host, port)
  engine.options.firstonly = true
  engine.options:setOption("passonly", true)
  engine.options.script_name = SCRIPT_NAME

  local _, result = engine:start()
  return result
end