Nmap Development mailing list archives
Re: DAAP script
From: Brandon Enright <bmenrigh () ucsd edu>
Date: Sat, 23 Jan 2010 10:20:52 +0000
Sorry to respond from my phone. The 500 hosts that errored were all student machines. I didn't get a single valid result from any student machine. I'll watch a pcap to see what's going on with these machines.
Brandon

Sent from my iPhone

On Jan 23, 2010, at 10:11, Patrik Karlsson <patrik () cqure net> wrote:

> On 23 jan 2010, at 04.13, Brandon Enright wrote:
>
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> On Mon, 18 Jan 2010 22:20:22 +0100 Patrik Karlsson <patrik () cqure net> wrote:
>>
>>> I have created a DAAP script called daap-get-library. It attempts to enumerate the library name, artists, albums and songs from a DAAP server. Unfortunately it doesn't work with Apple's iTunes post 7.0 due to DAAP authentication [1], but I've successfully tested it against the Firefly Media Server.
>>>
>>> For sample output have a look here:
>>> http://www.cqure.net/wp/2010/01/daap-script-for-nmap/
>>>
>>> To download the script go here:
>>> http://www.cqure.net/wp/nmap-scripts/
>>>
>>> [1] http://en.wikipedia.org/wiki/Digital_Audio_Access_Protocol
>>>
>>> //Patrik
>>> --
>>> Patrik Karlsson
>>> http://www.cqure.net
>>
>> Hi Patrik,
>>
>> I suspect what you mean when you say it doesn't work against iTunes post 7.0 is that it returns:
>>
>> NSE: 'daap-get-library' (thread: 0x2879220) against a.b.3.218:3689 threw an error!
>> ./scripts/daap-get-library.nse:52: attempt to compare number with nil
>> stack traceback:
>>         ./scripts/daap-get-library.nse:52: in function 'getLibraryName'
>>         ./scripts/daap-get-library.nse:255: in function <./scripts/daap-get-library.nse:253>
>>         (tail call): ?
>>
>> I had ~500 hosts with the above error. I looked at the code, it seems just checking if the response is nil isn't enough. You'll need to make sure string.find() also doesn't return nil (and probably response.body ~= nil too).
>
> No, that's probably hosts having 3689 open but not responding to the request. At least that's what I get when I set up a netcat listener on that port that simply closes.
>
>> These are most likely all post 7.0 hosts.
>
> Here we can get the library name, but to get the library items we need to get past authentication.
>
>> Fortunately I also had a handful of hosts with actual results. A few just printed very limited results:
>>
>> Scanned at 2010-01-23 02:55:53 UTC for 0s
>> PORT     STATE SERVICE    REASON
>> 3689/tcp open  rendezvous syn-ack
>> | daap-get-library:
>> |_  Libname: Larry Sellers
>> Final times for host: srtt: 2730 rttvar: 5000 to: 50000
>>
>> Or:
>>
>> Scanned at 2010-01-23 03:01:13 UTC for 0s
>> - --
>> | daap-get-library:
>> |_  Libname: Andy Shih\xE2\x80\x99s Music
>> Final times for host: srtt: 428 rttvar: 5000 to: 50000
>
> Hmm, yes, not very clever of me to not have foreseen this. I have capped the output to 100 songs or to a value set through the daap_item_limit script argument. Any value below zero will force it to output everything.
>
>> And as I'm sure you can imagine, a few hosts returned more results than I care to reproduce here...
>>
>> I'm somewhat surprised nobody has made a compatible client for iTunes > 7.0 yet.
>
> Me too, my initial, very limited googling turned up a few tools that would do DAAP but not support iTunes post 7.0.
>
>> Even a moderately talented reverse engineer with a lot of free time on their hands should be able to extract the appropriate certificates, etc.
>
> If you know one, willing to do it, please let me know! :)
>
>> My proposed (untested) patch is:
>>
>> - --- daap-get-library.nse	2010-01-18 19:59:51.000000000 +0000
>> +++ daap-get-library.nse.new	2010-01-23 03:12:51.000000000 +0000
>> @@ -46,9 +46,17 @@
>>  	if response == nil then
>>  		return
>>  	end
>> +
>> +	if response.body == nil then
>> +		return
>> +	end
>>  
>>  	pos = string.find(response.body, "minm")
>> +	if pos == nil then
>> +		return
>> +	end
>> +
>>  	if pos > 0 then
>>  		pos = pos + 4
>>  		pos, len = bin.unpack( ">I", response.body, pos )
>
> Thanks a lot for testing, it's VERY much appreciated!
>
> I've implemented a similar patch and I've uploaded a new version of the script to my blog.
>
>> Brandon
>> -----BEGIN PGP SIGNATURE-----
>> Version: GnuPG v2.0.11 (GNU/Linux)
>>
>> iEYEARECAAYFAktaaXAACgkQqaGPzAsl94JxZwCdGguscMVqMGa+xS+7yxQHS1aD
>> jaUAnRmzXYqNN7c6Ex5cRylXAAOJNb3R
>> =Nd2d
>> -----END PGP SIGNATURE-----
>
> --
> Patrik Karlsson
> http://www.cqure.net
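Review bot: with the new `if pos == nil then return end` in place, the following `if pos > 0 then` in the same hunk is dead weight, because string.find on a Lua string returns either nil or an index of at least 1, never 0; the branch can be dropped and its body unindented. The two added early returns also exit silently, so a host with port 3689 open that sends an empty or unexpected reply (the netcat case discussed above) becomes indistinguishable in the script output from one that never answered; returning a short status string, or at least emitting a debug message, would make the 500-host case diagnosable. Finally, the `len` obtained from `bin.unpack( ">I", response.body, pos )` on the hunk's last line is still used unchecked: a reply whose length field exceeds the remaining body would need the same kind of guard as the two this patch adds.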
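The thread's error comes from trusting a DMAP response (4-byte tag, 4-byte big-endian length, payload) that may be empty, lack the "minm" tag, or carry a bad length. The following is an added example, not the daap-get-library script nor code by Patrik or Brandon: a stand-alone Lua 5.3+ parser that handles each of those cases, plus a small helper modelled on the described behaviour of the daap_item_limit argument (negative means unlimited). It uses string.unpack instead of NSE's bin library, and the sample bodies are constructed, not captured from any server.

```lua
-- Added example (Lua 5.3+, stand-alone; NSE's bin.unpack is replaced by
-- string.unpack, an assumption of this example).

-- Return the "minm" (item name) payload from a DMAP body, or nil plus a
-- reason. Every failure mode from the thread is a distinct return value
-- instead of a runtime error.
local function get_library_name(body)
  if body == nil then
    return nil, "no body"                      -- port open, nothing sent back
  end
  local pos = string.find(body, "minm", 1, true) -- plain search, no patterns
  if pos == nil then
    return nil, "no minm tag"                  -- e.g. an auth-required reply
  end
  pos = pos + 4                                -- skip the 4-byte tag
  if #body < pos + 3 then
    return nil, "truncated length field"       -- fewer than 4 bytes remain
  end
  local len, nextpos = string.unpack(">I4", body, pos)
  if #body < nextpos + len - 1 then
    return nil, "truncated payload"            -- length claims more than we have
  end
  return string.sub(body, nextpos, nextpos + len - 1)
end

-- Cap a list of items the way the thread describes daap_item_limit:
-- any value below zero returns everything, otherwise at most `limit` items.
local function apply_item_limit(items, limit)
  if limit < 0 or #items <= limit then
    return items
  end
  local out = {}
  for i = 1, limit do out[i] = items[i] end
  return out
end

-- Encode one DMAP element: tag, big-endian length, payload.
local function dmap(tag, payload)
  return tag .. string.pack(">I4", #payload) .. payload
end

-- Constructed sample bodies (not captured from a real server).
local good   = dmap("msrv", dmap("mstt", string.pack(">I4", 200))
                         .. dmap("minm", "Firefly Library"))
local no_tag = dmap("msrv", dmap("mstt", string.pack(">I4", 200)))
local trunc  = dmap("msrv", "minm" .. string.pack(">I4", 50) .. "short")

print(get_library_name(good))
print(get_library_name(no_tag))
print(get_library_name(nil))
print(get_library_name(trunc))

local songs = { "a", "b", "c", "d" }
print(#apply_item_limit(songs, 2), #apply_item_limit(songs, -1))
```

Each guard corresponds to one hop in the original stack trace: the nil body is the case Brandon hit, the missing tag is what an authentication-gated server yields, and the two length checks cover replies that are present but malformed.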
_______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://seclists.org/nmap-dev/
Current thread:
- DAAP script Patrik Karlsson (Jan 18)
- Re: DAAP script David Fifield (Jan 22)
- Re: DAAP script Patrik Karlsson (Jan 23)
- Re: DAAP script David Fifield (Jan 25)
- Re: DAAP script Patrik Karlsson (Jan 23)
- Re: DAAP script Brandon Enright (Jan 22)
- Re: DAAP script Patrik Karlsson (Jan 23)
- Re: DAAP script Brandon Enright (Jan 23)
- Re: DAAP script Patrik Karlsson (Jan 23)
- Re: DAAP script David Fifield (Jan 22)