diff options
Diffstat (limited to '')
-rw-r--r-- | scripts/metasploit-msgrpc-brute.nse | 110 |
1 files changed, 110 insertions, 0 deletions
diff --git a/scripts/metasploit-msgrpc-brute.nse b/scripts/metasploit-msgrpc-brute.nse new file mode 100644 index 0000000..555d439 --- /dev/null +++ b/scripts/metasploit-msgrpc-brute.nse @@ -0,0 +1,110 @@ +local brute = require "brute" +local shortport = require "shortport" +local stdnse = require "stdnse" +local string = require "string" +local http = require "http" +local creds = require "creds" + +description = [[ +Performs brute force username and password auditing against +Metasploit msgrpc interface. + +]] + +--- +-- @usage +-- nmap --script metasploit-msgrpc-brute -p 55553 <host> +-- +-- This script uses brute library to perform password +-- guessing against Metasploit's msgrpc interface. +-- +-- +-- @output +-- PORT STATE SERVICE REASON +-- 55553/tcp open unknown syn-ack +-- | metasploit-msgrpc-brute: +-- | Accounts +-- | root:root - Valid credentials +-- | Statistics +-- |_ Performed 10 guesses in 10 seconds, average tps: 1 + + + +author = "Aleksandar Nikolic" +license = "Same as Nmap--See https://nmap.org/book/man-legal.html" +categories = {"intrusive", "brute"} + +portrule = shortport.port_or_service(55553,"metasploit-msgrpc") + + +-- returns a "prefix" that msgpack uses for strings +local get_prefix = function(data) + if #data <= 31 then + return string.pack("B", 0xa0 + #data) + else + return "\xda" .. string.pack(">I2", #data) + end +end + +-- simple function that implements basic msgpack encoding we need for this script +-- see http://wiki.msgpack.org/display/MSGPACK/Format+specification for more +local encode = function(username, password) + return "\x93\xaaauth.login" .. get_prefix(username) .. username .. get_prefix(password) .. password +end + +Driver = { + + new = function(self, host, port) + local o = {} + setmetatable(o, self) + self.__index = self + o.host = host + o.port = port + return o + end, + + -- as we are using http methods, no need for connect and disconnect + -- this might cause a problem as in other scripts that don't have explicit connect + -- as there is no way to "reserve" a socket + connect = function( self ) + return true + end, + + login = function (self, user, pass) + local data + local options = { + header = { + ["Content-Type"] = "binary/message-pack" + } + } + stdnse.debug1( "Trying %s/%s ...", user, pass ) + data = http.post(self.host,self.port, "/api/",options, nil , encode(user,pass)) + if data and data.status and tostring( data.status ):match( "200" ) then + if string.find(data.body,"success") then + return true, creds.Account:new( user, pass, creds.State.VALID) + else + return false, brute.Error:new( "Incorrect username or password" ) + end + end + local err = brute.Error:new("Login didn't return a proper response") + err:setRetry( true ) + return false, err + end, + + disconnect = function( self ) + return true + end +} + +action = function( host, port ) + + local status, result + local engine = brute.Engine:new(Driver, host, port) + engine.options.script_name = SCRIPT_NAME + engine.options.firstonly = true + engine.max_threads = 3 + engine.max_retries = 10 + status, result = engine:start() + + return result +end |