1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
|
local bits = require "bits"
local brute = require "brute"
local creds = require "creds"
local nmap = require "nmap"
local shortport = require "shortport"
local stdnse = require "stdnse"
local string = require "string"
local table = require "table"
description = [[
Performs brute force password auditing against the BackOrifice service. The
<code>backorifice-brute.ports</code> script argument is mandatory (it specifies ports to run
the script against).
]]
---
-- @usage
-- nmap -sU --script backorifice-brute <host> --script-args backorifice-brute.ports=<ports>
--
-- @arg backorifice-brute.ports (mandatory) List of UDP ports to run the script against separated with "," ex. "U:31337,25252,151-222", "U:1024-1512"
--
-- This script uses the brute library to perform password guessing. A
-- successful password guess is stored in the nmap registry, under the
-- <code>nmap.registry.credentials.backorifice</code> table for other BackOrifice
-- scripts to use.
--
-- @output
-- PORT STATE SERVICE
-- 31337/udp open BackOrifice
-- | backorifice-brute:
-- | Accounts:
-- | michael => Valid credentials
-- | Statistics
-- |_ Perfomed 60023 guesses in 467 seconds, average tps: 138
--
-- Summary
-- -------
-- x The Driver class contains the driver implementation used by the brute
-- library
-- x The backorifice class contains the backorifice client implementation
--
author = "Gorjan Petrovski"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"intrusive", "brute"}
-- This portrule succeeds only when the open|filtered port is in the port range
-- which is specified by the ports script argument
portrule = function(host, port)
local ports = stdnse.get_script_args(SCRIPT_NAME .. ".ports")
if not ports then
stdnse.verbose1("Skipping '%s' %s, 'ports' argument is missing.",SCRIPT_NAME, SCRIPT_TYPE)
return false
end
-- ensure UDP
ports = ports:gsub("^[U:]*", "U:")
return port.protocol == "udp" and shortport.port_range(ports)(host, port) and
not(shortport.port_is_excluded(port.number,port.protocol))
end
local MAGICSTRING ="*!*QWTY?"
local backorifice =
{
new = function(self, host, port)
local o = {}
setmetatable(o, self)
self.__index = self
o.host = host
o.port = port
return o
end,
--- Initializes the backorifice object
--
initialize = function(self)
--create socket
self.socket = nmap.new_socket("udp")
self.socket:set_timeout(self.host.times.timeout * 1000)
return true
end,
--- Attempts to send an encrypted PING packet to BackOrifice service
--
-- @param password string containing password for encryption
-- @param initial_seed number containing initial encryption seed
-- @return status, true on success, false on failure
-- @return err string containing error message on failure
try_password = function(self, password, initial_seed)
--initialize BackOrifice PING packet: |MAGICSTRING|size|packetID|TYPE_PING|arg1|arg_separat|arg2|CRC/disregarded|
local PING_PACKET = MAGICSTRING .. string.pack("<I4 I4 B zz", 19, 0, 1, "", "")
local seed, status, response, encrypted_ping
if not(initial_seed) then
seed = self:gen_initial_seed(password)
else
seed = initial_seed
end
encrypted_ping = self:BOcrypt(PING_PACKET,seed)
status, response = self.socket:sendto(self.host, self.port, encrypted_ping)
if not(status) then
return false, response
end
status, response = self.socket:receive()
-- The first 8 bytes of both response and sent data are
-- magicstring = "*!*QWTY?", without the quotes, and since
-- both are encrypted with the same initial seed, this is
-- how we verify we are talking to a BackOrifice service.
-- The statement is optimized so as not to decrypt unless
-- comparison of encrypted magicstrings succeeds
if status and response:sub(1,8) == encrypted_ping:sub(1,8)
and self:BOcrypt(response,seed):match("!PONG!(1%.20)!.*!") then
local BOversion, BOhostname = self:BOcrypt(response,seed):match("!PONG!(1%.20)!(.*)!")
self:insert_version_info(BOversion,BOhostname,nil,password)
return true
else
if not(status) then
return false, response
else
return false,"Response not recognized."
end
end
end,
--- Close the socket
--
-- @return status true on success, false on failure
close = function(self)
return self.socket:close()
end,
--- Generates the initial encryption seed from a password
--
-- @param password string containing password
-- @return seed number containing initial seed
gen_initial_seed = function(self, password)
if password == nil then
return 31337
else
local y = #password
local z = 0
for x = 1,y do
local pchar = string.byte(password,x)
z = z + pchar
end
for x=1,y do
local pchar = string.byte(password,x)
if (x-1)%2 == 1 then
z = z - (pchar * (y-(x-1)+1))
else
z = z + (pchar * (y-(x-1)+1))
end
z = z % 0x7fffffff
end
z = (z*y) % 0x7fffffff
return z
end
end,
--- Generates next encryption seed from given seed
--
-- @param seed number containing current seed
-- @return seed number containing next seed
gen_next_seed = function(self, seed)
seed = seed*214013 + 2531011
seed = seed & 0xffffff
return seed
end,
--- Encrypts/decrypts data using BackOrifice algorithm
--
-- @param data binary string containing data to be encrypted/decrypted
-- @param initial_seed number containing initial encryption seed
-- @return data binary string containing encrypted/decrypted data
BOcrypt = function(self, data, initial_seed )
if data==nil then return end
local output = {}
local seed = initial_seed
for i = 1, #data do
local data_byte = string.byte(data,i)
--calculate next seed
seed = self:gen_next_seed(seed)
--calculate encryption key based on seed
local key = bits.arshift(seed,16) & 0xff
local crypto_byte = data_byte ~ key
output[i] = string.char(crypto_byte)
if i == 256 then break end --ARGSIZE limitation
end
return table.concat(output, "")
end,
insert_version_info = function(self,BOversion,BOhostname,initial_seed,password)
if not self.port.version then self.port.version={} end
if not self.port.version.name then
self.port.version.name ="BackOrifice"
self.port.version.name_confidence = 10
end
if not self.port.version.product then self.port.version.product ="BackOrifice trojan" end
if not self.port.version.version then self.port.version.version = BOversion end
if not self.port.version.extrainfo then
if not password then
if not initial_seed then
self.port.version.extrainfo = "no password"
else
self.port.version.extrainfo = "initial encryption seed="..initial_seed
end
else
self.port.version.extrainfo = "password="..password
end
end
self.port.version.hostname = BOhostname
if not self.port.version.ostype then self.port.version.ostype = "Windows" end
nmap.set_port_version(self.host, self.port)
nmap.set_port_state(self.host,self.port,"open")
end
}
local Driver =
{
new = function(self, host, port)
local o = {}
setmetatable(o, self)
self.__index = self
o.host = host
o.port = port
return o
end,
connect=function(self)
--only initialize since BackOrifice service knows no connect()
self.bo = backorifice:new(self.host,self.port)
self.bo:initialize()
return true
end,
disconnect = function( self )
self.bo:close()
end,
--- Attempts to send encrypted PING packet to BackOrifice service
--
-- @param username string containing username which is disregarded
-- @param password string containing login password
-- @return brute.Error object on failure
-- creds.Account object on success
login = function( self, username, password )
local status, msg = self.bo:try_password(password,nil)
if status then
if not(nmap.registry['credentials']) then
nmap.registry['credentials']={}
end
if ( not( nmap.registry.credentials['backorifice'] ) ) then
nmap.registry.credentials['backorifice'] = {}
end
table.insert( nmap.registry.credentials.backorifice, { password = password } )
return true, creds.Account:new("", password, creds.State.VALID)
else
-- The only indication that the password is incorrect is a timeout
local err = brute.Error:new( "Incorrect password" )
err:setRetry(false)
return false, err
end
end,
}
action = function( host, port )
local status, result
local engine = brute.Engine:new(Driver,host,port)
engine.options.firstonly = true
engine.options.passonly = true
engine.options.script_name = SCRIPT_NAME
status, result = engine:start()
return result
end
|