Re: DAAP script

[Brandon Enright <bmenrigh () ucsd edu>]

Sorry to respond from my phone.  The 500 hosts that errored were all  
student machines.  I didn't get a single valid result from any student  
machine.  I'll watch a pcap to see what's going on with these machines.

Brandon

Sent from my iPhone

On Jan 23, 2010, at 10:11, Patrik Karlsson <patrik () cqure net> wrote:

> On 23 jan 2010, at 04.13, Brandon Enright wrote:
>
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > On Mon, 18 Jan 2010 22:20:22 +0100
> > Patrik Karlsson <patrik () cqure net> wrote:
> >
> > > I have created a DAAP script called daap-get-library. It attempts to
> > > enumerate the library name, artists, albums and songs from a DAAP
> > > server. Unfortunately it doesn't work with Apples iTunes post 7.0  
> > > due
> > > to DAAP authentication [1], but I've successfully tested it against
> > > the Firefly Media Server.
> > >
> > > For sample output have a look here:
> > > http://www.cqure.net/wp/2010/01/daap-script-for-nmap/
> > >
> > > To download the script go here:
> > > http://www.cqure.net/wp/nmap-scripts/
> > >
> > > [1] http://en.wikipedia.org/wiki/Digital_Audio_Access_Protocol
> > >
> > > //Patrik
> > >
> > > --
> > > Patrik Karlsson
> > > http://www.cqure.net
> >
> >
> > Hi Patrik,
> >
> > I suspect when you mean it doesn't work against iTunes post 7.0 is  
> > that
> > it returns:
> >
> > NSE: 'daap-get-library' (thread: 0x2879220) against a.b.3.218:3689  
> > threw an \
> > error!
> > ./scripts/daap-get-library.nse:52: attempt to compare number with nil
> > stack traceback:
> >       ./scripts/daap-get-library.nse:52: in function 'getLibraryName'
> >       ./scripts/daap-get-library.nse:255: in function <./scripts/ 
> > daap-get-lib\
> > rary.nse:253>
> >       (tail call): ?
> >
> >
> > I had ~500 hosts with the above error.  I looked at the code, it  
> > seems
> > just checking if the response is nil isn't enough.  You'll need to  
> > make
> > sure string.find() also doesn't return nil (and probably  
> > response.body
> > ~= nil too).
>
> No, that's probably hosts having 3689 open but not responding to the  
> request.
> At least that's what I get when I set up a netcat listener or that  
> port that simply closes.
>
> > Fortunately I also had a handful of hosts with actual results.  A few
> > just printed very limited results:
> >
> > Scanned at 2010-01-23 02:55:53 UTC for 0s
> > PORT     STATE SERVICE    REASON
> > 3689/tcp open  rendezvous syn-ack
> > | daap-get-library:
> > |_  Libname: Larry Sellers
> > Final times for host: srtt: 2730 rttvar: 5000  to: 50000
> >
> > Or:
> >
> > Scanned at 2010-01-23 03:01:13 UTC for 0s
> > - --
> > | daap-get-library:
> > |_  Libname: Andy Shih\xE2\x80\x99s Music
> > Final times for host: srtt: 428 rttvar: 5000  to: 50000
> These are most likely all post 7.0 hosts. Here we can get the  
> library name, but to get the library items we need to get past  
> authentication.
> > And as I'm sure you can imagine, a few hosts returned more results  
> > than
> > I care to reproduce here...
> Hmm, yes, not very clever of me to not have foreseen this. I have  
> capped the output to 100 songs or to a value set through the  
> daap_item_limit script argument. Any value below zero will force it  
> do output everything.
>
> > I'm somewhat surprised nobody has made a compatible client for  
> > iTunes >
> > 7.0 yet.
> Me to, my initial, very limited googling turned up a few tools that  
> would do DAAP but not support iTunes post 7.0.
>
> > Even a moderately talented reverse engineer with a lot of
> > free time on their hands should be able to extract the appropriate
> > certificates, etc.
> If you know one, willing to do it, please let me know! :)
>
> > My proposed (untested) patch is:
> >
> > - --- daap-get-library.nse    2010-01-18 19:59:51.000000000 +0000
> > +++ daap-get-library.nse.new    2010-01-23 03:12:51.000000000 +0000
> > @@ -46,9 +46,17 @@
> >    if response == nil then
> >        return
> >    end
> > +
> > +    if response.body == nil then
> > +        return
> > +    end
> >
> >    pos = string.find(response.body, "minm")
> >
> > +    if pos == nil then
> > +        return
> > +    end
> > +
> >    if pos > 0 then
> >        pos = pos + 4
> >        pos, len = bin.unpack( ">I", response.body, pos )
>
> Thanks a lot for testing it's VERY much appreciated!
> I've implemented a similar patch and I've uploaded a new version of  
> the script to my blog.
>
> > Brandon
> >
> > -----BEGIN PGP SIGNATURE-----
> > Version: GnuPG v2.0.11 (GNU/Linux)
> >
> > iEYEARECAAYFAktaaXAACgkQqaGPzAsl94JxZwCdGguscMVqMGa+xS+7yxQHS1aD
> > jaUAnRmzXYqNN7c6Ex5cRylXAAOJNb3R
> > =Nd2d
> > -----END PGP SIGNATURE-----
>
> --
> Patrik Karlsson
> http://www.cqure.net
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/