Nmap Development mailing list archives
Re: DAAP script
From: Brandon Enright <bmenrigh () ucsd edu>
Date: Sat, 23 Jan 2010 03:13:42 +0000
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Mon, 18 Jan 2010 22:20:22 +0100
Patrik Karlsson <patrik () cqure net> wrote:
> I have created a DAAP script called daap-get-library. It attempts to
> enumerate the library name, artists, albums and songs from a DAAP server.
> Unfortunately it doesn't work with Apple's iTunes post 7.0 due to DAAP
> authentication [1], but I've successfully tested it against the Firefly
> Media Server.
>
> For sample output have a look here:
> http://www.cqure.net/wp/2010/01/daap-script-for-nmap/
>
> To download the script go here:
> http://www.cqure.net/wp/nmap-scripts/
>
> [1] http://en.wikipedia.org/wiki/Digital_Audio_Access_Protocol
>
> //Patrik
>
> --
> Patrik Karlsson
> http://www.cqure.net
Hi Patrik,

I suspect that when you say it doesn't work against iTunes post 7.0 you mean that it returns:

NSE: 'daap-get-library' (thread: 0x2879220) against a.b.3.218:3689 threw an \
error!
./scripts/daap-get-library.nse:52: attempt to compare number with nil
stack traceback:
        ./scripts/daap-get-library.nse:52: in function 'getLibraryName'
        ./scripts/daap-get-library.nse:255: in function <./scripts/daap-get-lib\
rary.nse:253>
        (tail call): ?

I had ~500 hosts with the above error. I looked at the code, it seems just checking if the response is nil isn't enough. You'll need to make sure string.find() also doesn't return nil (and probably response.body ~= nil too).

Fortunately I also had a handful of hosts with actual results. A few just printed very limited results:

Scanned at 2010-01-23 02:55:53 UTC for 0s
PORT     STATE SERVICE    REASON
3689/tcp open  rendezvous syn-ack
| daap-get-library:
|_  Libname: Larry Sellers
Final times for host: srtt: 2730 rttvar: 5000 to: 50000

Or:

Scanned at 2010-01-23 03:01:13 UTC for 0s
- --
| daap-get-library:
|_  Libname: Andy Shih\xE2\x80\x99s Music
Final times for host: srtt: 428 rttvar: 5000 to: 50000

And as I'm sure you can imagine, a few hosts returned more results than I care to reproduce here...

I'm somewhat surprised nobody has made a compatible client for iTunes > 7.0 yet. Even a moderately talented reverse engineer with a lot of free time on their hands should be able to extract the appropriate certificates, etc.

My proposed (untested) patch is:

- --- daap-get-library.nse	2010-01-18 19:59:51.000000000 +0000
+++ daap-get-library.nse.new	2010-01-23 03:12:51.000000000 +0000
@@ -46,9 +46,17 @@ if response == nil then return end + + if response.body == nil then + return + end pos = string.find(response.body, "minm") + if pos == nil then + return + end + if pos > 0 then pos = pos + 4 pos, len = bin.unpack( ">I", response.body, pos ) Brandon -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.11 (GNU/Linux) iEYEARECAAYFAktaaXAACgkQqaGPzAsl94JxZwCdGguscMVqMGa+xS+7yxQHS1aD jaUAnRmzXYqNN7c6Ex5cRylXAAOJNb3R =Nd2d -----END PGP SIGNATURE----- _______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://seclists.org/nmap-dev/
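Review bot: with the new `if pos == nil then return end` guard in place, the `if pos > 0 then` test directly after it can no longer be false, since string.find returns a 1-based index whenever it matches; the two could be merged into the single nil check so the unpack is not left inside a redundant condition. The `bin.unpack( ">I", response.body, pos )` call that follows still reads four bytes from `pos` without checking that the body is that long, so a response that ends right after "minm" would be the next failure, and a `#response.body >= pos + 3` check before the unpack would close that as well. Since the patch is marked untested, one run against any of the ~500 hosts that produced the traceback would confirm the early-return paths before it goes in.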
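As an added example, not the daap-get-library script from this thread nor Brandon's patch, here is the same library-name lookup written defensively in plain Lua 5.3: it checks the body, the string.find result and the byte counts before the length field and the name are read, so a tagless or truncated body returns nil with a reason instead of raising "attempt to compare number with nil". string.unpack stands in for NSE's bin.unpack (an assumption so the code runs outside Nmap), and the sample bodies are constructed rather than captured from a server.

```lua
-- Added example, not the daap-get-library code from the thread: a defensive
-- version of the "minm" (library name) lookup discussed above, in plain
-- Lua 5.3+. string.unpack stands in for NSE's bin.unpack (assumption, so it
-- runs outside Nmap). DMAP tags are: 4-byte code, 4-byte big-endian length,
-- then that many bytes of data.

-- Returns the library name, or nil plus a reason on any short or tagless body.
local function get_library_name(response)
  if response == nil or response.body == nil then
    return nil, "no response body"
  end
  local body = response.body

  -- plain (non-pattern) search; nil when the tag is absent, 1-based index otherwise
  local pos = string.find(body, "minm", 1, true)
  if pos == nil then
    return nil, "no minm tag"
  end

  pos = pos + 4                       -- skip the 4-byte tag code
  if #body < pos + 3 then             -- need the 4 length bytes
    return nil, "truncated length field"
  end
  local len
  len, pos = string.unpack(">I4", body, pos)   -- pos now points at the data

  if #body < pos + len - 1 then       -- need len bytes of name
    return nil, "truncated name"
  end
  return string.sub(body, pos, pos + len - 1)
end

-- Constructed sample bodies (not captured DAAP traffic).
local name = "Larry Sellers"
local good = "mlog" .. string.pack(">I4", 0)
          .. "minm" .. string.pack(">I4", #name) .. name
local tagless = "mlog" .. string.pack(">I4", 0)
local short = string.sub(good, 1, #good - 5)   -- name cut off mid-way

assert(get_library_name({ body = good }) == name)
assert(get_library_name({ body = tagless }) == nil)
assert(get_library_name({ body = short }) == nil)
assert(get_library_name(nil) == nil)
print("ok")
```

Returning nil plus a reason rather than calling return with nothing keeps the caller able to distinguish "no DAAP library here" from "the server answered with something we could not parse", which is the difference between the hosts that printed only a Libname line and the ~500 that threw the traceback.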
Current thread:
- DAAP script Patrik Karlsson (Jan 18)
- Re: DAAP script David Fifield (Jan 22)
- Re: DAAP script Patrik Karlsson (Jan 23)
- Re: DAAP script David Fifield (Jan 25)
- Re: DAAP script Patrik Karlsson (Jan 23)
- Re: DAAP script Brandon Enright (Jan 22)
- Re: DAAP script Patrik Karlsson (Jan 23)
- Re: DAAP script Brandon Enright (Jan 23)
- Re: DAAP script Patrik Karlsson (Jan 23)
- Re: DAAP script David Fifield (Jan 22)