File: nping-brute.nse

package info (click to toggle)
nmap 7.95%2Bdfsg-3
  • links: PTS, VCS
  • area: main
  • in suites: forky, trixie
  • size: 44,792 kB
  • sloc: cpp: 61,081; ansic: 30,771; python: 17,344; xml: 11,550; sh: 11,400; perl: 2,687; makefile: 996; java: 45; objc: 45
file content (151 lines) | stat: -rw-r--r-- 4,098 bytes parent folder | download | duplicates (5) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
 
local brute = require "brute"
local creds = require "creds"
local nmap = require "nmap"
local shortport = require "shortport"
local stdnse = require "stdnse"
local string = require "string"

local openssl = stdnse.silent_require "openssl"

description = [[
Performs brute force password auditing against an Nping Echo service.

See https://nmap.org/book/nping-man-echo-mode.html for Echo Mode
documentation.
]]

---
-- @usage
-- nmap -p 9929 --script nping-brute <target>
--
-- @output
-- 9929/tcp open  nping-echo
-- | nping-brute:
-- |   Accounts
-- |     123abc => Valid credentials
-- |   Statistics
-- |_    Perfomed 204 guesses in 204 seconds, average tps: 1

author = "Toni Ruottu"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"brute", "intrusive"}


portrule = shortport.port_or_service(9929, "nping-echo")

local function readmessage(socket, length)
  local msg = ""
  while #msg < length do
    local status, tmp = socket:receive_bytes(1)
    if not status then
      return nil
    end
    msg = msg .. tmp
  end
  return msg
end

Driver =
{
  NEP_VERSION = 0x01,
  AES_128_CBC = "aes-128-cbc",
  SHA256 = "sha256",

  new = function(self, host, port)
    local o = {}
    setmetatable(o, self)
    self.__index = self
    o.host = host
    o.port = port
    return o
  end,

  nepkey = function(self, password, nonce, typeid)
    local seed = password .. nonce .. typeid
    local h = openssl.digest(self.SHA256, seed)
    for i = 1, 1000 do
      h = openssl.digest(self.SHA256, h)
    end
    return string.unpack("c16", h)
  end,

  getservernonce = function(self, serverhs)
    local offset = 63 -- 63 bytes of header before the nonce
    return serverhs:sub(offset+1, offset+4)
  end,

  chsbody = function(self)
    local IP4 = "\x04"
    local IP6 = "\x06"
    local family = IP6
    local target = self.host.bin_ip
    if #target == 4 then
      target = target .. ("\0"):rep(12)
      family = IP4
    end
    return target .. family .. ("\0"):rep(15)
  end,

  clienths = function(self, snonce, password)
    local NEP_HANDSHAKE_CLIENT = 0x02
    local NEP_HANDSHAKE_CLIENT_LEN = 36
    local NEP_CLIENT_CIPHER_ID = "NEPkeyforCiphertextClient2Server"
    local NEP_CLIENT_MAC_ID = "NEPkeyforMACClient2Server"

    local now = nmap.clock()
    local seqb = openssl.rand_bytes(4)
    local cnonce = openssl.rand_bytes(32)
    local nonce = snonce .. cnonce
    local enckey = self:nepkey(password, nonce, NEP_CLIENT_CIPHER_ID)
    local mackey = self:nepkey(password, nonce, NEP_CLIENT_MAC_ID)
    local iv = string.unpack("c16", cnonce)
    local plain = self:chsbody()
    local crypted = openssl.encrypt(self.AES_128_CBC, enckey, iv, plain)
    local head = string.pack(">BB I2 c4 I4 x4", self.NEP_VERSION, NEP_HANDSHAKE_CLIENT, NEP_HANDSHAKE_CLIENT_LEN, seqb, now) .. nonce
    local mac = openssl.hmac(self.SHA256, mackey, head .. plain)

    return head .. crypted .. mac
  end,

  testpass = function(self, password)
    local SERVERHS_LEN = 96
    local FINALHS_LEN = 112
    local serverhs = readmessage(self.socket, SERVERHS_LEN)
    if serverhs == nil then
      return false
    end
    local snonce = self:getservernonce(serverhs)
    local response = self:clienths(snonce, password)
    self.socket:send(response)
    local finalhs = readmessage(self.socket, FINALHS_LEN)
    if finalhs == nil then
      return false
    end
    return true
  end,

  connect = function(self)
    self.socket = brute.new_socket()
    return self.socket:connect(self.host, self.port)
  end,

  login = function(self, _, password)
    if self:testpass(password) then
      return true, creds.Account:new("", password, creds.State.VALID)
    end
    return false, brute.Error:new("Incorrect password")
  end,

  disconnect = function(self)
    return self.socket:close()
  end,
}

action = function(host, port)
  local engine = brute.Engine:new(Driver, host, port)
  engine.options.firstonly = true
  engine.options:setOption("passonly", true)
  engine.options.script_name = SCRIPT_NAME
  local status, result = engine:start()
  return result
end