Nmap Development mailing list archives
Re: Some scripts for analyzing NetBus
From: David Fifield <david () bamsoftware com>
Date: Mon, 13 Dec 2010 10:21:51 -0800
On Fri, Dec 03, 2010 at 08:37:47PM +0200, Toni Ruottu wrote:
On Thu, Dec 2, 2010 at 10:37 AM, Toni Ruottu <toni.ruottu () iki fi> wrote:

hello,

Just finished writing a set of scripts that analyse NetBus-services (see attachments). I have defined total ordering for execution through dependencies, as the scripts interfere with each other. Namely, sending broken authentication credentials prevents access from everyone, and not only the failing client.

The scripts do not cover NetBus2 as it seems quite different from the earlier versions, also I could not find really old versions of NetBus for testing. I have done some tests with NetBus versions 1.6 and 1.7, as well as NetBuster version 1.31. The scripts should work with the current nmap cvs, but do not work with latest release.

The included scripts are (in order of execution):

netbus-version - detects NetBuster, a honeypot service that mimes NetBus
netbus-brute - tries to retrieve NetBus password by guessing
netbus-info - opens a connection to a NetBus server and extracts information
netbus-auth-bypass - checks if a NetBus server is vulnerable to authentication bypass
Thanks. These scripts are really well written and I have committed them. A few changes to make:

The scripts store a password in nmap.registry.netbuspassword. This won't work if more than one host with different passwords is scanned at the same time. You should make this indexed by IP address and port number.

If there's no password set on the server, the output of netbus-brute is:

    |_netbus-brute:

There should be some message to make clear that it's an empty or blank password. Similarly netbus-auth-bypass fails to report if it was able to connect with a blank password:

    socket:send("Password;1;\r") --password: empty
    if buffer() ~= "Access;1" then
      return
    end
    socket:send("Password;1; \r") --password: space
    if buffer() == "Access;1" then
      return "Vulnerable"
    end

There should be an "else" on that second "if" that says, "Not vulnerable, but password is blank."
I realized not everyone has a NetBus setup up and running, so I decided to provide some links to NetBus packages available on the Internet. The below links are for NetBus 1.6 and 1.7. There is also a link for honeypot application NetBuster. I used these packages in my tests and they seemed to work well. The NetBus packages contain both a client and a server. The server is usually called patch.exe. Additionally they may contain a tool for editing the server. The NetBuster package contains a server with graphical configuration user interface.

http://members.fortunecity.com/cambada/nb16.zip
http://personal.inet.fi/koti/jaakko.linna/NetBus170.zip
http://personal.inet.fi/koti/jaakko.linna/netbuster1_31.zip

NetBus and NetBuster are Windows applications. I ran the apps on Ubuntu using Wine and they worked surprisingly well. Just make sure you always reset the environment properly between running two different versions (kill all processes, wait for port bind to time out, and possibly delete wine configuration).

Note that NetBus is hackish and might have hidden tricks. You might want to run the services under a virtual machine rather than on a system you use daily. In any case the NetBus services are not very secure, and someone could hack into your box through the service unless you are behind a firewall.
Wow, I tried running NetBus170 on a Fedora VM under WINE, and you're right. The "Screendump" button even gets a copy of the whole GNOME desktop.

One of the scripts messed up the server (which you warned about) so that every button brings up a dialog reading "Sorry, host is password protected." I think this was netbus-auth-bypass. I moved the script into the "intrusive" category because of this. Can you explain what circumstances cause the server to be locked out so it can be documented?

David Fifield
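
The two changes requested in this message, sketched as an added example that is not part of the original e-mail or of the committed scripts: a password store indexed by IP address and port, and reporting that names the blank-password case. It is plain Lua with no network code; `registry` stands in for nmap.registry, and every function name, address and the "Access;0" reply are assumptions made for illustration.

```lua
-- Added illustration in plain Lua; it opens no sockets and needs no NSE libraries.
-- `registry` stands in for nmap.registry; every function name here is hypothetical.
local registry = {}

-- Store one password per (ip, port) so parallel targets do not overwrite each other.
local function store_password(ip, portnum, password)
  registry.netbus = registry.netbus or {}
  registry.netbus[ip] = registry.netbus[ip] or {}
  registry.netbus[ip][portnum] = password
end

local function lookup_password(ip, portnum)
  local by_ip = registry.netbus and registry.netbus[ip]
  return by_ip and by_ip[portnum] -- nil when no password was recorded
end

-- netbus-brute output: make a blank password visible instead of printing nothing.
local function describe_password(password)
  if password == "" then return "<empty>" end
  return password
end

-- netbus-auth-bypass output, given the replies to the two probes in the snippet:
-- empty_reply answers the empty password, space_reply answers the single space.
local function classify(empty_reply, space_reply)
  if empty_reply ~= "Access;1" then
    return nil -- empty password refused: nothing to report
  elseif space_reply == "Access;1" then
    return "Vulnerable"
  else
    return "Not vulnerable, but password is blank."
  end
end

-- Constructed sample data (documentation addresses, made-up replies).
store_password("192.0.2.10", 12345, "")
store_password("192.0.2.11", 12345, "secret")
print(describe_password(lookup_password("192.0.2.10", 12345)))
print(describe_password(lookup_password("192.0.2.11", 12345)))
print(classify("Access;1", "Access;1"))
print(classify("Access;1", "Access;0"))
print(classify("Access;0", nil))
```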