summaryrefslogtreecommitdiffstats
path: root/scripts/pcanywhere-brute.nse
blob: b85e85e220b2edeb56c94ebc070d286aa1583149 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
local brute = require "brute"
local creds = require "creds"
local shortport = require "shortport"
local stdnse = require "stdnse"
local string = require "string"
local table = require "table"
description = [[
Performs brute force password auditing against the pcAnywhere remote access protocol.

Due to certain limitations of the protocol, bruteforcing
is limited to single thread at a time.
After a valid login pair is guessed the script waits
some time until server becomes available again.

]]

---
-- @usage
-- nmap --script=pcanywhere-brute <target>
--
-- @output
-- 5631/tcp open  pcanywheredata syn-ack
-- | pcanywhere-brute:
-- |   Accounts
-- |     administrator:administrator - Valid credentials
-- |   Statistics
-- |_    Performed 2 guesses in 55 seconds, average tps: 0
--
-- @args pcanywhere-brute.timeout socket timeout for connecting to PCAnywhere (default 10s)


author = "Aleksandar Nikolic"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"intrusive", "brute"}


portrule = shortport.port_or_service(5631, "pcanywheredata")

local arg_timeout = stdnse.parse_timespec(stdnse.get_script_args(SCRIPT_NAME .. ".timeout"))
arg_timeout = (arg_timeout or 10) * 1000

-- implements simple xor based encryption which the server expects
local function encrypt(data)
  local result = {}
  local xor_key = 0xab
  local k = 0
  if data then
    result[1] = string.byte(data) ~ xor_key
    for i = 2,string.len(data) do
      result[i] = result[i-1] ~ string.byte(data,i) ~ i-2
    end
  end
  return string.char(table.unpack(result))
end

local retry = false -- true means we found valid login and need to wait

Driver = {

  new = function(self, host, port)
    local o = {}
    setmetatable(o, self)
    self.__index = self
    o.host = host
    o.port = port
    return o
  end,

  connect = function( self )
    self.socket = brute.new_socket()
    local response
    local err
    local status = false

    stdnse.sleep(2)
    -- when we hit a valid login pair, server enters some kind of locked state
    -- so we need to wait for some time before trying next pair
    -- variable "retry" signifies if we need to wait or this is just not pcAnywhere server
    while not status do
      status, err = self.socket:connect(self.host, self.port)
      self.socket:set_timeout(arg_timeout)
      if(not(status)) then
        return false, brute.Error:new( "Couldn't connect to host: " .. err )
      end
      status, err = self.socket:send(stdnse.fromhex("00000000")) --initial hello
      status, response = self.socket:receive_bytes(0)
      if not status and not retry then
        break
      end
      stdnse.debug1("in a loop")
      stdnse.sleep(2) -- needs relatively big timeout between retries
    end
    if not status or string.find(response,"Please press <Enter>") == nil then
      --probably not pcanywhere
      stdnse.debug1("not pcAnywhere")
      return false, brute.Error:new( "Probably not pcAnywhere." )
    end
    retry = false
    status, err = self.socket:send(stdnse.fromhex("6f06ff")) -- downgrade into legacy mode
    status, response = self.socket:receive_bytes(0)

    status, err = self.socket:send(stdnse.fromhex("6f61000900fe0000ffff00000000")) -- auth capabilities I
    status, response = self.socket:receive_bytes(0)

    status, err = self.socket:send(stdnse.fromhex("6f620102000000")) -- auth capabilities II
    status, response = self.socket:receive_bytes(0)
    if not status or (string.find(response,"Enter user name") == nil and string.find(response,"Enter login name") == nil) then
      stdnse.debug1("handshake failed")
      return false, brute.Error:new( "Handshake failed." )
    end
    return true
  end,

  login = function (self, user, pass)
    local response
    local err
    local status
    stdnse.debug1( "Trying %s/%s ...", user, pass )
    -- send username and password
    -- both are prefixed with 0x06, size and are encrypted
    status, err = self.socket:send("\x06" .. string.pack("s1", encrypt(user)) ) -- send username
    status, response = self.socket:receive_bytes(0)
    if not status or string.find(response,"Enter password") == nil then
      stdnse.debug1("Sending username failed")
      return false, brute.Error:new( "Sending username failed." )
    end
    -- send password
    status, err = self.socket:send("\x06" .. string.pack("s1", encrypt(pass)) ) -- send password
    status, response = self.socket:receive_bytes(0)
    if not status or string.find(response,"Login unsuccessful") or string.find(response,"Invalid login.")then
      stdnse.debug1("Incorrect username or password")
      return false, brute.Error:new( "Incorrect username or password." )
    end

    if status then
      retry = true -- now the server is in "locked mode", we need to retry next connection a few times
      return true, creds.Account:new( user, pass, creds.State.VALID)
    end
    return false,brute.Error:new( "Incorrect password" )
  end,

  disconnect = function( self )
    self.socket:close()
    return true
  end

}

action = function( host, port )

  local status, result
  local engine = brute.Engine:new(Driver, host, port)
  engine.options.script_name = SCRIPT_NAME
  engine.max_threads = 1 -- pcAnywhere supports only one login at a time
  status, result = engine:start()

  return result
end