1 files changed, 110 insertions, 0 deletions
diff --git a/scripts/metasploit-msgrpc-brute.nse b/scripts/metasploit-msgrpc-brute.nse
new file mode 100644
index 0000000..555d439
--- /dev/null
+++ b/scripts/metasploit-msgrpc-brute.nse
@@ -0,0 +1,110 @@
+local brute = require "brute"
+local shortport = require "shortport"
+local stdnse = require "stdnse"
+local string = require "string"
+local http = require "http"
+local creds = require "creds"
+
+description = [[
+Performs brute force username and password auditing against
+Metasploit msgrpc interface.
+
+]]
+
+---
+-- @usage
+-- nmap --script metasploit-msgrpc-brute -p 55553 <host>
+--
+-- This script uses brute library to perform password
+-- guessing against Metasploit's msgrpc interface.
+--
+--
+-- @output
+-- PORT      STATE SERVICE REASON
+-- 55553/tcp open  unknown syn-ack
+-- | metasploit-msgrpc-brute:
+-- |   Accounts
+-- |     root:root - Valid credentials
+-- |   Statistics
+-- |_    Performed 10 guesses in 10 seconds, average tps: 1
+
+
+
+author = "Aleksandar Nikolic"
+license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
+categories = {"intrusive", "brute"}
+
+portrule = shortport.port_or_service(55553,"metasploit-msgrpc")
+
+
+-- returns a "prefix" that msgpack uses for strings
+local get_prefix = function(data)
+  if #data <= 31 then
+    return string.pack("B", 0xa0 + #data)
+  else
+    return "\xda"  .. string.pack(">I2", #data)
+  end
+end
+
+-- simple function that implements basic msgpack encoding we need for this script
+-- see http://wiki.msgpack.org/display/MSGPACK/Format+specification for more
+local encode = function(username, password)
+  return "\x93\xaaauth.login" .. get_prefix(username) .. username .. get_prefix(password) .. password
+end
+
+Driver = {
+
+  new = function(self, host, port)
+    local o = {}
+    setmetatable(o, self)
+    self.__index = self
+    o.host = host
+    o.port = port
+    return o
+  end,
+
+  -- as we are using http methods, no need for connect and disconnect
+  -- this might cause a problem as in other scripts that don't have explicit connect
+  -- as there is no way to "reserve" a socket
+  connect = function( self )
+    return true
+  end,
+
+  login = function (self, user, pass)
+    local data
+    local options = {
+      header = {
+        ["Content-Type"] = "binary/message-pack"
+      }
+    }
+    stdnse.debug1( "Trying %s/%s ...", user, pass )
+    data = http.post(self.host,self.port, "/api/",options, nil , encode(user,pass))
+    if data and data.status and tostring( data.status ):match( "200" )  then
+      if string.find(data.body,"success") then
+        return true, creds.Account:new( user, pass, creds.State.VALID)
+      else
+        return false,  brute.Error:new( "Incorrect username or password" )
+      end
+    end
+    local err = brute.Error:new("Login didn't return a proper response")
+    err:setRetry( true )
+    return false, err
+  end,
+
+  disconnect = function( self )
+    return true
+  end
+}
+
+action = function( host, port )
+
+  local status, result
+  local engine = brute.Engine:new(Driver, host, port)
+  engine.options.script_name = SCRIPT_NAME
+  engine.options.firstonly = true
+  engine.max_threads = 3
+  engine.max_retries = 10
+  status, result = engine:start()
+
+  return result
+end