1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
|
local brute = require "brute"
local creds = require "creds"
local nmap = require "nmap"
local shortport = require "shortport"
local stdnse = require "stdnse"
local string = require "string"
local openssl = stdnse.silent_require "openssl"
description = [[
Performs brute force password auditing against an Nping Echo service.
See https://nmap.org/book/nping-man-echo-mode.html for Echo Mode
documentation.
]]
---
-- @usage
-- nmap -p 9929 --script nping-brute <target>
--
-- @output
-- 9929/tcp open nping-echo
-- | nping-brute:
-- | Accounts
-- | 123abc => Valid credentials
-- | Statistics
-- |_ Perfomed 204 guesses in 204 seconds, average tps: 1
author = "Toni Ruottu"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"brute", "intrusive"}
portrule = shortport.port_or_service(9929, "nping-echo")
local function readmessage(socket, length)
local msg = ""
while #msg < length do
local status, tmp = socket:receive_bytes(1)
if not status then
return nil
end
msg = msg .. tmp
end
return msg
end
Driver =
{
NEP_VERSION = 0x01,
AES_128_CBC = "aes-128-cbc",
SHA256 = "sha256",
new = function(self, host, port)
local o = {}
setmetatable(o, self)
self.__index = self
o.host = host
o.port = port
return o
end,
nepkey = function(self, password, nonce, typeid)
local seed = password .. nonce .. typeid
local h = openssl.digest(self.SHA256, seed)
for i = 1, 1000 do
h = openssl.digest(self.SHA256, h)
end
return string.unpack("c16", h)
end,
getservernonce = function(self, serverhs)
local offset = 63 -- 63 bytes of header before the nonce
return serverhs:sub(offset+1, offset+4)
end,
chsbody = function(self)
local IP4 = "\x04"
local IP6 = "\x06"
local family = IP6
local target = self.host.bin_ip
if #target == 4 then
target = target .. ("\0"):rep(12)
family = IP4
end
return target .. family .. ("\0"):rep(15)
end,
clienths = function(self, snonce, password)
local NEP_HANDSHAKE_CLIENT = 0x02
local NEP_HANDSHAKE_CLIENT_LEN = 36
local NEP_CLIENT_CIPHER_ID = "NEPkeyforCiphertextClient2Server"
local NEP_CLIENT_MAC_ID = "NEPkeyforMACClient2Server"
local now = nmap.clock()
local seqb = openssl.rand_bytes(4)
local cnonce = openssl.rand_bytes(32)
local nonce = snonce .. cnonce
local enckey = self:nepkey(password, nonce, NEP_CLIENT_CIPHER_ID)
local mackey = self:nepkey(password, nonce, NEP_CLIENT_MAC_ID)
local iv = string.unpack("c16", cnonce)
local plain = self:chsbody()
local crypted = openssl.encrypt(self.AES_128_CBC, enckey, iv, plain)
local head = string.pack(">BB I2 c4 I4 x4", self.NEP_VERSION, NEP_HANDSHAKE_CLIENT, NEP_HANDSHAKE_CLIENT_LEN, seqb, now) .. nonce
local mac = openssl.hmac(self.SHA256, mackey, head .. plain)
return head .. crypted .. mac
end,
testpass = function(self, password)
local SERVERHS_LEN = 96
local FINALHS_LEN = 112
local serverhs = readmessage(self.socket, SERVERHS_LEN)
if serverhs == nil then
return false
end
local snonce = self:getservernonce(serverhs)
local response = self:clienths(snonce, password)
self.socket:send(response)
local finalhs = readmessage(self.socket, FINALHS_LEN)
if finalhs == nil then
return false
end
return true
end,
connect = function(self)
self.socket = brute.new_socket()
return self.socket:connect(self.host, self.port)
end,
login = function(self, _, password)
if self:testpass(password) then
return true, creds.Account:new("", password, creds.State.VALID)
end
return false, brute.Error:new("Incorrect password")
end,
disconnect = function(self)
return self.socket:close()
end,
}
action = function(host, port)
local engine = brute.Engine:new(Driver, host, port)
engine.options.firstonly = true
engine.options:setOption("passonly", true)
engine.options.script_name = SCRIPT_NAME
local status, result = engine:start()
return result
end
|
