Nmap Development mailing list archives
Re: DAAP script
From: Brandon Enright <bmenrigh () ucsd edu>
Date: Sat, 23 Jan 2010 03:13:42 +0000
On Mon, 18 Jan 2010 22:20:22 +0100 Patrik Karlsson <patrik () cqure net> wrote:

> I have created a DAAP script called daap-get-library. It attempts to enumerate the library name, artists, albums and songs from a DAAP server.
> Unfortunately it doesn't work with Apple's iTunes post 7.0 due to DAAP authentication [1], but I've successfully tested it against the Firefly Media Server.
>
> For sample output have a look here: http://www.cqure.net/wp/2010/01/daap-script-for-nmap/
> To download the script go here: http://www.cqure.net/wp/nmap-scripts/
>
> [1] http://en.wikipedia.org/wiki/Digital_Audio_Access_Protocol
>
> //Patrik
> --
> Patrik Karlsson
> http://www.cqure.net
Hi Patrik,
I suspect what you mean by "it doesn't work against iTunes post 7.0" is
that it returns:
NSE: 'daap-get-library' (thread: 0x2879220) against a.b.3.218:3689 threw an error!
./scripts/daap-get-library.nse:52: attempt to compare number with nil
stack traceback:
./scripts/daap-get-library.nse:52: in function 'getLibraryName'
./scripts/daap-get-library.nse:255: in function <./scripts/daap-get-library.nse:253>
(tail call): ?
I had ~500 hosts with the above error. I looked at the code; it seems
just checking if the response is nil isn't enough. You'll need to make
sure string.find() also doesn't return nil (and probably response.body
~= nil too).
Fortunately I also had a handful of hosts with actual results. A few
just printed very limited results:
Scanned at 2010-01-23 02:55:53 UTC for 0s
PORT STATE SERVICE REASON
3689/tcp open rendezvous syn-ack
| daap-get-library:
|_ Libname: Larry Sellers
Final times for host: srtt: 2730 rttvar: 5000 to: 50000
Or:
Scanned at 2010-01-23 03:01:13 UTC for 0s
--
| daap-get-library:
|_ Libname: Andy Shih\xE2\x80\x99s Music
Final times for host: srtt: 428 rttvar: 5000 to: 50000
And as I'm sure you can imagine, a few hosts returned more results than
I care to reproduce here...
I'm somewhat surprised nobody has made a compatible client for iTunes >
7.0 yet. Even a moderately talented reverse engineer with a lot of
free time on their hands should be able to extract the appropriate
certificates, etc.
My proposed (untested) patch is:
- --- daap-get-library.nse 2010-01-18 19:59:51.000000000 +0000
+++ daap-get-library.nse.new 2010-01-23 03:12:51.000000000 +0000
@@ -46,9 +46,17 @@
if response == nil then
return
end
+
+ if response.body == nil then
+ return
+ end
pos = string.find(response.body, "minm")
+ if pos == nil then
+ return
+ end
+
if pos > 0 then
pos = pos + 4
pos, len = bin.unpack( ">I", response.body, pos )
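Review bot: with the new `if pos == nil then return end` guard in place, the following `if pos > 0 then` test is redundant, since string.find returns either nil or a 1-based index and can never return 0; the body of that block could run unconditionally, or the nil guard could be folded into it as `if pos then`. The three early returns also exit silently, so for hosts like the ~500 iTunes servers mentioned above there is no way to tell whether the body was missing or merely lacked a "minm" tag; a debug message before each return would make the two cases distinguishable.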
Brandon
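As an added illustration of the nil-guarding discussed above (example code, not Patrik's script), here is a standalone Lua 5.3+ version of the "minm" extraction that uses string.unpack in place of NSE's bin library and also rejects a length field that runs past the body; the sample responses are constructed, not captured from a real server.

```lua
-- Extract the DAAP library name ("minm" tag, 4-byte big-endian length, then
-- the name) from a response body. Returns the name, or nil plus a reason when
-- the body is absent, the tag is missing, or the declared length is bogus.
local function get_library_name(body)
  if body == nil then
    return nil, "no response body"
  end
  -- string.find returns nil (never 0) when the tag is absent, so comparing
  -- its result with "> 0" directly raises "attempt to compare number with nil".
  local pos = string.find(body, "minm", 1, true)  -- plain find, no patterns
  if pos == nil then
    return nil, "minm tag not found"
  end
  pos = pos + 4                                   -- skip the 4-byte tag
  if #body < pos + 3 then
    return nil, "truncated length field"
  end
  local len, nextpos = string.unpack(">I4", body, pos)  -- big-endian uint32
  if #body < nextpos + len - 1 then
    return nil, "declared length exceeds body"
  end
  return string.sub(body, nextpos, nextpos + len - 1)
end

-- Constructed sample bodies (hypothetical, for exercising each code path).
-- "msrv" is the server-info container; its length covers the nested "minm".
local samples = {
  ok        = "msrv" .. string.pack(">I4", 21)
              .. "minm" .. string.pack(">I4", 13) .. "Larry Sellers",
  no_tag    = "msrv" .. string.pack(">I4", 0),
  truncated = "minm" .. string.pack(">I4", 100) .. "short",
  empty     = nil,
}

for _, k in ipairs({"ok", "no_tag", "truncated", "empty"}) do
  local name, err = get_library_name(samples[k])
  print(k, name or ("error: " .. err))
end
```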
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/