diff options
Diffstat (limited to 'scripts/dicom-brute.nse')
-rw-r--r-- | scripts/dicom-brute.nse | 80 |
1 files changed, 80 insertions, 0 deletions
diff --git a/scripts/dicom-brute.nse b/scripts/dicom-brute.nse new file mode 100644 index 0000000..f6a1d84 --- /dev/null +++ b/scripts/dicom-brute.nse @@ -0,0 +1,80 @@ +description = [[ +Attempts to brute force the Application Entity Title of a DICOM server (DICOM Service Provider). + +Application Entity Titles (AET) are used to restrict responses only to clients knowing the title. Hence, + the called AET is used as a form of password. +]] + +--- +-- @usage nmap -p4242 --script dicom-brute <target> +-- @usage nmap -sV --script dicom-brute <target> +-- @usage nmap --script dicom-brute --script-args passdb=aets.txt <target> +-- +-- @output +-- PORT STATE SERVICE REASON +-- 4242/tcp open vrml-multi-use syn-ack +-- | dicom-brute: +-- | Accounts: +-- | Called Application Entity Title:ORTHANC - Valid credentials +-- |_ Statistics: Performed 5 guesses in 1 seconds, average tps: 5.0 +--- + +author = "Paulino Calderon <calderon()calderonpale.com>" +license = "Same as Nmap--See https://nmap.org/book/man-legal.html" +categories = {"auth", "brute"} + +local shortport = require "shortport" +local dicom = require "dicom" +local stdnse = require "stdnse" +local nmap = require "nmap" +local brute = require "brute" +local creds = require "creds" + +portrule = shortport.port_or_service({104, 2345, 2761, 2762, 4242, 11112}, "dicom", "tcp", "open") + +Driver = { + new = function(self, host, port) + local o = {} + setmetatable(o, self) + self.__index = self + o.host = host + o.port = port + o.passonly = true + return o + end, + + connect = function(self) + return true + end, + + disconnect = function(self) + end, + + login = function(self, username, password) + stdnse.debug2("Trying with called AE title:%s", password) + local dcm_conn, err = dicom.associate(self.host, self.port, nil, password) + if dcm_conn then + return true, creds.Account:new("Called Application Entity Title", password, creds.State.VALID) + else + return false, brute.Error:new("Incorrect AET") + end + + end, + check = function(self) + local dcm_conn, err = dicom.associate(self.host, self.port) + if dcm_conn then + return false, "DICOM SCU allows any AET" + end + return true + end +} + +action = function(host, port) + local engine = brute.Engine:new(Driver, host, port) + engine:setMaxThreads(5) + engine.options.script_name = SCRIPT_NAME + engine.options:setOption("passonly", true) + local status, result = engine:start() + + return result +end |