1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
|
--- A XMPP (Jabber) library, implementing a minimal subset of the protocol
-- enough to do authentication brute-force.
--
-- The XML parsing of tags isn't optimal but there's no other easy way
-- (nulls or line-feeds) to match the end of a message. The parse_tag
-- method in the XML class was borrowed from the initial xmpp.nse
-- script written by Vasiliy Kulikov.
--
-- The library consist of the following classes:
-- * <code>XML</code> - containing a minimal XML parser written by
-- Vasiliy Kulikov.
-- * <code>TagProcessor</code> - Contains processing code for common tags
-- * <code>XMPP</code> - containing the low-level functions used to
-- communicate with the Jabber server.
-- * <code>Helper</code> - containing the main interface for script
-- writers
--
-- The following sample illustrates how to use the library to authenticate
-- to a XMPP sever:
-- <code>
-- local helper = xmpp.Helper:new(host, port, options)
-- local status, err = helper:connect()
-- status, err = helper:login(user, pass, "DIGEST-MD5")
-- </code>
--
-- @copyright Same as Nmap--See https://nmap.org/book/man-legal.html
-- @author Patrik Karlsson <patrik@cqure.net>
-- Version 0.2
-- Created 07/19/2011 - v0.1 - Created by Patrik Karlsson
-- Revised 07/22/2011 - v0.2 - Added TagProcessors and two new auth mechs:
-- CRAM-MD5 and LOGIN <patrik@cqure.net>
local base64 = require "base64"
local match = require "match"
local nmap = require "nmap"
local sasl = require "sasl"
local stdnse = require "stdnse"
local string = require "string"
local table = require "table"
_ENV = stdnse.module("xmpp", stdnse.seeall)
-- This is a trivial XML processor written by Vasiliy Kulikov. It doesn't
-- fully support XML, but it should be sufficient for the basic XMPP
-- stream handshake. If you see stanzas with uncommon symbols, feel
-- free to enhance these regexps.
XML = {
---XML tag table
--@class table
--@name XML.tag
--@field name The tag name
--@field attrs The tag attributes as a key-value table
--@field start True if this was an opening tag.
--@field contents The contents of the tag
--@field finish true if the tag was closed.
---Parse an XML tag
--@name XML.parse_tag
--@param s String containing the XML tag
--@return XML tag table
--@see XML.tag
parse_tag = function(s)
local _, _, contents, empty, name = string.find(s, "([^<]*)<(/?)([?:%w-]+)")
local attrs = {}
if not name then
return
end
for k, v in string.gmatch(s, "%s([%w:]+)='([^']+)'") do
attrs[k] = v
end
for k, v in string.gmatch(s, "%s([%w:]+)=\"([^\"]+)\"") do
attrs[k] = v
end
local finish = (empty ~= "") or (s:sub(#s-1) == '/>')
return { name = name,
attrs = attrs,
start = (empty == ""),
contents = contents,
finish = finish }
end,
}
TagProcessor = {
["failure"] = function(socket, tag)
return TagProcessor["success"](socket,tag)
end,
["success"] = function(socket, tag)
if ( tag.finish ) then return true end
local newtag
repeat
local status, data = socket:receive_buf(match.pattern_limit(">", 2048), true)
if ( not(status) ) then
return false, ("ERROR: Failed to process %s tag"):format(tag.name)
end
newtag = XML.parse_tag(data)
until( newtag.finish and newtag.name == tag.name )
if ( newtag.name == tag.name ) then return true, tag end
return false, ("ERROR: Failed to process %s tag"):format(tag.name)
end,
["challenge"] = function(socket, tag)
local status, data = socket:receive_buf(match.pattern_limit(">", 2048), true)
if ( not(status) ) then return false, "ERROR: Failed to read challenge tag" end
local tag = XML.parse_tag(data)
if ( not(status) or tag.name ~= "challenge" ) then
return false, "ERROR: Failed to process challenge"
end
return status, (tag.contents and base64.dec(tag.contents))
end,
}
XMPP = {
--- Creates a new instance of the XMPP class
--
-- @name XMPP.new
-- @param host table as received by the action function
-- @param port table as received by the action function
-- @param options table containing options, currently supported
-- * <code>timeout</code> - sets the socket timeout
-- * <code>servername</code> - sets the server name to use in
-- communication with the server.
-- * <code>starttls</code> - start TLS handshake even if it is optional.
new = function(self, host, port, options)
local o = { host = host,
port = port,
options = options or {},
auth = { mechs = {} } }
o.options.timeout = o.options.timeout and o.options.timeout or 10
o.servername = stdnse.get_hostname(host) or o.options.servername
setmetatable(o, self)
self.__index = self
return o
end,
--- Sends data to XMPP server
-- @name XMPP.send
-- @param data string containing data to send to server
-- @return status true on success false on failure
-- @return err string containing error message
send = function(self, data)
-- this ain't pretty, but we try to "flush" what's left of the receive
-- buffer, prior to send. This way we account for not reading to the
-- end of one message resulting in the next read reading from our
-- previous message.
self.socket:set_timeout(1)
repeat
local status = self.socket:receive_buf("\0", false)
until(not(status))
self.socket:set_timeout(self.options.timeout * 1000)
return self.socket:send(data)
end,
--- Receives a XML tag from the server
--
-- @name XMPP.receive_tag
-- @param tag [optional] if unset, receives the next available tag
-- if set, reads until the given tag has been found
-- @param close [optional] if set, matches a closing tag
-- @return true on success, false on error
-- @return The XML tag table, or error message
-- @see XML.tag
receive_tag = function(self, tag, close)
local result
repeat
local status, data = self.socket:receive_buf(match.pattern_limit(">", 2048), true)
if ( not(status) ) then return false, data end
result = XML.parse_tag(data)
until( ( not(tag) and (close == nil or result.finish == close ) ) or
( tag == result.name and ( close == nil or result.finish == close ) ) )
return true, result
end,
--- Connects to the XMPP server
-- @name XMPP.connect
-- @return status true on success, false on failure
-- @return err string containing an error message if status is false
connect = function(self, socket)
assert(self.servername,
"Cannot connect to XMPP server without valid server name")
-- we may be reconnecting using SSL
if ( not(self.socket) ) then
self.socket = socket or nmap.new_socket()
self.socket:set_timeout(self.options.timeout * 1000)
local status, err = self.socket:connect(self.host, self.port)
if ( not(status) ) then
return false, err
end
end
local data = ("<?xml version='1.0' ?><stream:stream to='%s' xmlns='jabber:client'" ..
" xmlns:stream='http://etherx.jabber.org/streams'" ..
" version='1.0'>"):format(self.servername)
local status, err = self:send(data)
if ( not(status) ) then return false, "ERROR: Failed to connect to server" end
local version, start_tls
repeat
local status, tag = self:receive_tag()
if ( not(status) ) then return false, "ERROR: Failed to connect to server" end
if ( tag.name == "stream:stream" ) then
version = tag.attrs and tag.attrs.version
elseif ( tag.name == "starttls" and tag.start ) then
status, tag = self:receive_tag()
if ( not(status) ) then
return false, "ERROR: Failed to connect to server"
end
if ( tag.name ~= "starttls" ) then
start_tls = tag.name
else
start_tls = "optional"
end
elseif ( tag.name == "mechanism" and tag.finish ) then
self.auth.mechs[tag.contents] = true
end
until(tag.name == "stream:features" and tag.finish)
if ( version ~= "1.0" ) then
return false, "ERROR: Only version 1.0 is supported"
end
if ( start_tls == "required" or self.options.starttls) then
status, err = self:send("<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>")
if ( not(status) ) then return false, "ERROR: Failed to initiate STARTTLS" end
local status, tag = self:receive_tag()
if ( not(status) ) then return false, "ERROR: Failed to receive from server" end
if ( tag.name == "proceed" ) then
status, err = self.socket:reconnect_ssl()
self.options.starttls = false
return self:connect()
end
end
return true
end,
--- Logs in to the XMPP server
--
-- @name XMPP.login
-- @param username string
-- @param password string
-- @param mech string containing a supported authentication mechanism
-- @return status true on success, false on failure
-- @return err string containing error message if status is false
login = function(self, username, password, mech)
assert(mech == "PLAIN" or
mech == "DIGEST-MD5" or
mech == "CRAM-MD5" or
mech == "LOGIN",
"Unsupported authentication mechanism")
local auth = ("<auth xmlns='urn:ietf:params:xml:ns:xmpp-sasl' " ..
"mechanism='%s'/>"):format(mech)
-- we currently don't do anything with the realm
local realm
-- we need to cut the @domain.tld from the username
if ( username:match("@") ) then
username, realm = username:match("^(.*)@(.*)$")
end
local status, result
if ( mech == "PLAIN" ) then
local mech_params = { username, password }
local auth_data = sasl.Helper:new(mech):encode(table.unpack(mech_params))
auth = ("<auth xmlns='urn:ietf:params:xml:ns:xmpp-sasl' " ..
"mechanism='%s'>%s</auth>"):format(mech, base64.enc(auth_data))
status, result = self.socket:send(auth)
if ( not(status) ) then return false, "ERROR: Failed to send SASL PLAIN authentication" end
status, result = self:receive_tag()
if ( not(status) ) then return false, "ERROR: Failed to receive login response" end
if ( result.name == "failure" ) then
status = TagProcessor[result.name](self.socket, result)
end
else
local status, err = self.socket:send(auth)
if(not(status)) then return false, "ERROR: Failed to initiate SASL login" end
local chall
status, result = self:receive_tag()
if ( not(status) ) then return false, "ERROR: Failed to retrieve challenge" end
status, chall = TagProcessor[result.name](self.socket, result)
if ( mech == "LOGIN" ) then
if ( chall ~= "User Name" ) then
return false, ("ERROR: Login expected 'User Name' received: %s"):format(chall)
end
self.socket:send("<response xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>" ..
base64.enc(username) ..
"</response>")
status, result = self:receive_tag()
if ( not(status) or result.name ~= "challenge") then
return false, "ERROR: Receiving tag from server"
end
status, chall = TagProcessor[result.name](self.socket, result)
if ( chall ~= "Password" ) then
return false, ("ERROR: Login expected 'Password' received: %s"):format(chall)
end
self.socket:send("<response xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>" ..
base64.enc(password) ..
"</response>")
status, result = self:receive_tag()
if ( not(status) ) then return false, "ERROR: Failed to receive login challenge" end
if ( result.name == "failure" ) then
status = TagProcessor[result.name](self.socket, result)
return false, "Login failed"
end
else
local mech_params = { username, password, chall, "xmpp", "xmpp/" .. self.servername }
local auth_data = sasl.Helper:new(mech):encode(table.unpack(mech_params))
auth_data = "<response xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>" ..
base64.enc(auth_data) .. "</response>"
status, err = self.socket:send(auth_data)
-- read to the end tag regardless of what it is
-- it should be one of either: success, challenge or error
repeat
status, result = self:receive_tag()
if ( not(status) ) then return false, "ERROR: Failed to receive login challenge" end
if ( result.name == "failure" ) then
status = TagProcessor[result.name](self.socket, result)
return false, "Login failed"
elseif ( result.name == "success" ) then
status = TagProcessor[result.name](self.socket, result)
if ( not(status) ) then return false, "Failed to process success message" end
return true, "Login success"
elseif ( result.name ~= "challenge" ) then
return false, "ERROR: Failed to receive login challenge"
end
until( result.name == "challenge" and result.finish )
if ( result.name == "challenge" and mech == "DIGEST-MD5" ) then
status, result = self.socket:send("<response xmlns='urn:ietf:params:xml:ns:xmpp-sasl'/>")
if ( not(status) ) then return false, "ERROR: Failed to send DIGEST-MD5 request" end
status, result = self:receive_tag()
if ( not(status) ) then return false, "ERROR: Failed to receive DIGEST-MD5 response" end
end
end
end
if ( result.name == "success" ) then
return true, "Login success"
end
return false, "Login failed"
end,
--- Retrieves the available authentication mechanisms
-- @name XMPP.getAuthMechs
-- @return table containing all available authentication mechanisms
getAuthMechs = function(self) return self.auth.mechs end,
--- Disconnects the socket from the server
-- @name XMPP.disconnect
-- @return status true on success, false on failure
-- @return error message if status is false
disconnect = function(self)
local status, err = self.socket:close()
self.socket = nil
return status, err
end,
}
Helper = {
--- Creates a new Helper instance
-- @name Helper.new
-- @param host table as received by the action function
-- @param port table as received by the action function
-- @param options table containing options, currently supported
-- * <code>timeout</code> - sets the socket timeout
-- * <code>servername</code> - sets the server name to use in
-- communication with the server.
new = function(self, host, port, options)
local o = { host = host,
port = port,
options = options or {},
xmpp = XMPP:new(host, port, options),
state = "" }
setmetatable(o, self)
self.__index = self
return o
end,
--- Connects to the XMPP server and starts the initial communication
-- @name Helper.connect
-- @return status true on success, false on failure
-- @return err string containing an error message is status is false
connect = function(self, socket)
if ( not(self.host.targetname) and
not(self.options.servername) ) then
return false, "ERROR: Cannot connect to XMPP server without valid server name"
end
self.state = "CONNECTED"
return self.xmpp:connect(socket)
end,
--- Login to the XMPP server
--
-- @name Helper.login
-- @param username string
-- @param password string
-- @param mech string containing a supported authentication mechanism
-- @see Helper.getAuthMechs
-- @return status true on success, false on failure
-- @return err string containing error message if status is false
login = function(self, username, password, mech)
return self.xmpp:login(username, password, mech)
end,
--- Retrieves the available authentication mechanisms
-- @name Helper.getAuthMechs
-- @return table containing all available authentication mechanisms
getAuthMechs = function(self)
if ( self.state == "CONNECTED" ) then
return self.xmpp:getAuthMechs()
end
return
end,
--- Closes the connection to the server
-- @name Helper.close
close = function(self)
self.xmpp:disconnect()
self.state = "DISCONNECTED"
end,
}
return _ENV;
|
