1 files changed, 158 insertions, 0 deletions
diff --git a/scripts/pcanywhere-brute.nse b/scripts/pcanywhere-brute.nse
new file mode 100644
index 0000000..b85e85e
--- /dev/null
+++ b/scripts/pcanywhere-brute.nse
@@ -0,0 +1,158 @@
+local brute = require "brute"
+local creds = require "creds"
+local shortport = require "shortport"
+local stdnse = require "stdnse"
+local string = require "string"
+local table = require "table"
+description = [[
+Performs brute force password auditing against the pcAnywhere remote access protocol.
+
+Due to certain limitations of the protocol, bruteforcing
+is limited to single thread at a time.
+After a valid login pair is guessed the script waits
+some time until server becomes available again.
+
+]]
+
+---
+-- @usage
+-- nmap --script=pcanywhere-brute <target>
+--
+-- @output
+-- 5631/tcp open  pcanywheredata syn-ack
+-- | pcanywhere-brute:
+-- |   Accounts
+-- |     administrator:administrator - Valid credentials
+-- |   Statistics
+-- |_    Performed 2 guesses in 55 seconds, average tps: 0
+--
+-- @args pcanywhere-brute.timeout socket timeout for connecting to PCAnywhere (default 10s)
+
+
+author = "Aleksandar Nikolic"
+license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
+categories = {"intrusive", "brute"}
+
+
+portrule = shortport.port_or_service(5631, "pcanywheredata")
+
+local arg_timeout = stdnse.parse_timespec(stdnse.get_script_args(SCRIPT_NAME .. ".timeout"))
+arg_timeout = (arg_timeout or 10) * 1000
+
+-- implements simple xor based encryption which the server expects
+local function encrypt(data)
+  local result = {}
+  local xor_key = 0xab
+  local k = 0
+  if data then
+    result[1] = string.byte(data) ~ xor_key
+    for i = 2,string.len(data) do
+      result[i] = result[i-1] ~ string.byte(data,i) ~ i-2
+    end
+  end
+  return string.char(table.unpack(result))
+end
+
+local retry = false -- true means we found valid login and need to wait
+
+Driver = {
+
+  new = function(self, host, port)
+    local o = {}
+    setmetatable(o, self)
+    self.__index = self
+    o.host = host
+    o.port = port
+    return o
+  end,
+
+  connect = function( self )
+    self.socket = brute.new_socket()
+    local response
+    local err
+    local status = false
+
+    stdnse.sleep(2)
+    -- when we hit a valid login pair, server enters some kind of locked state
+    -- so we need to wait for some time before trying next pair
+    -- variable "retry" signifies if we need to wait or this is just not pcAnywhere server
+    while not status do
+      status, err = self.socket:connect(self.host, self.port)
+      self.socket:set_timeout(arg_timeout)
+      if(not(status)) then
+        return false, brute.Error:new( "Couldn't connect to host: " .. err )
+      end
+      status, err = self.socket:send(stdnse.fromhex("00000000")) --initial hello
+      status, response = self.socket:receive_bytes(0)
+      if not status and not retry then
+        break
+      end
+      stdnse.debug1("in a loop")
+      stdnse.sleep(2) -- needs relatively big timeout between retries
+    end
+    if not status or string.find(response,"Please press <Enter>") == nil then
+      --probably not pcanywhere
+      stdnse.debug1("not pcAnywhere")
+      return false, brute.Error:new( "Probably not pcAnywhere." )
+    end
+    retry = false
+    status, err = self.socket:send(stdnse.fromhex("6f06ff")) -- downgrade into legacy mode
+    status, response = self.socket:receive_bytes(0)
+
+    status, err = self.socket:send(stdnse.fromhex("6f61000900fe0000ffff00000000")) -- auth capabilities I
+    status, response = self.socket:receive_bytes(0)
+
+    status, err = self.socket:send(stdnse.fromhex("6f620102000000")) -- auth capabilities II
+    status, response = self.socket:receive_bytes(0)
+    if not status or (string.find(response,"Enter user name") == nil and string.find(response,"Enter login name") == nil) then
+      stdnse.debug1("handshake failed")
+      return false, brute.Error:new( "Handshake failed." )
+    end
+    return true
+  end,
+
+  login = function (self, user, pass)
+    local response
+    local err
+    local status
+    stdnse.debug1( "Trying %s/%s ...", user, pass )
+    -- send username and password
+    -- both are prefixed with 0x06, size and are encrypted
+    status, err = self.socket:send("\x06" .. string.pack("s1", encrypt(user)) ) -- send username
+    status, response = self.socket:receive_bytes(0)
+    if not status or string.find(response,"Enter password") == nil then
+      stdnse.debug1("Sending username failed")
+      return false, brute.Error:new( "Sending username failed." )
+    end
+    -- send password
+    status, err = self.socket:send("\x06" .. string.pack("s1", encrypt(pass)) ) -- send password
+    status, response = self.socket:receive_bytes(0)
+    if not status or string.find(response,"Login unsuccessful") or string.find(response,"Invalid login.")then
+      stdnse.debug1("Incorrect username or password")
+      return false, brute.Error:new( "Incorrect username or password." )
+    end
+
+    if status then
+      retry = true -- now the server is in "locked mode", we need to retry next connection a few times
+      return true, creds.Account:new( user, pass, creds.State.VALID)
+    end
+    return false,brute.Error:new( "Incorrect password" )
+  end,
+
+  disconnect = function( self )
+    self.socket:close()
+    return true
+  end
+
+}
+
+action = function( host, port )
+
+  local status, result
+  local engine = brute.Engine:new(Driver, host, port)
+  engine.options.script_name = SCRIPT_NAME
+  engine.max_threads = 1 -- pcAnywhere supports only one login at a time
+  status, result = engine:start()
+
+  return result
+end