Nmap Development mailing list archives

[NSE] Idea: Radmin brute force password script


From: Pavel Zhovner <pavel () zhovner com>
Date: Thu, 28 Apr 2011 14:23:37 +0300

Hello, folks. I have a proposal.

Radmin is a remote control service for Windows, similar to Microsoft RDP
but with remote access to the file system, command interpreter and more.
Unlike RDP, a connection to Radmin is sneaky: all features
(desktop sharing, file sharing, cmd.exe) are not visible to the user.

It would be great to have a script for guessing passwords. The difficulty is
that the Radmin protocol is proprietary and there is no open protocol
specification, but it has already been successfully reverse-engineered. It uses
the Twofish cipher for connection encryption, and Radmin version 3.x uses
SRP (RFC 2945) for authentication.

Attached is the Radmin 2.x/3.x authentication module, written in C and
taken from the open-source Windows tool Lamescan. I tried to translate the
comments in the code from Russian. I'm also attaching the Lamescan sources.

If someone is interested in this, I can provide a playground with all
Radmin versions and put you in contact with the guy who worked on the
reverse engineering.

Attachment: radmin.c
Attachment: radmin.h
Attachment: lamescan3_src.tar.gz

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
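The post names SRP (RFC 2945) as the authentication mechanism of Radmin 3.x. The following is an added example, not code from the email, from Lamescan or from Radmin: a minimal SRP-3 exchange as specified in RFC 2945 (SHA-1, B = v + g^b, u = first 32 bits of SHA(B), SHA_Interleave for the session key). It assumes the 1024-bit safe-prime group and generator g = 2 from RFC 5054 Appendix A, transcribed here for the example (RFC 2945 itself fixes no group), and uses a constructed username and password. The point for a defender is visible in the last lines: the server holds only a salt and a verifier, a wrong password is detected only after a full round trip, and the server can count each failed proof, which is what lockout or rate limiting of guessing attempts has to hook into.

```python
import hashlib
import os
import secrets

# Assumed group parameters: the 1024-bit safe prime and g = 2 from RFC 5054
# Appendix A (transcribed for this example; check against the RFC before use).
N = int(
    "EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C9C256576"
    "D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE48E495C1D6089DAD1"
    "5DC7D7B46154D6B6CE8EF4AD69B15D4982559B297BCF1885C529F566660E57EC"
    "68EDBC3C05726CC02FD4CBF4976EAA9AFD5138FE8376435B9FC61D2FC0EB06E3", 16)
g = 2
NLEN = (N.bit_length() + 7) // 8


def i2b(x: int) -> bytes:
    """Fixed-width big-endian encoding (NLEN bytes) of a group element."""
    return x.to_bytes(NLEN, "big")


def H(*parts: bytes) -> bytes:
    """RFC 2945 uses SHA-1 over the concatenation of its inputs."""
    return hashlib.sha1(b"".join(parts)).digest()


def sha_interleave(S: int) -> bytes:
    """RFC 2945 SHA_Interleave: 40-byte session key K derived from S."""
    T = i2b(S).lstrip(b"\x00")
    if len(T) % 2:                      # make the length even
        T = T[1:]
    G, F = hashlib.sha1(T[0::2]).digest(), hashlib.sha1(T[1::2]).digest()
    return b"".join(bytes((G[i], F[i])) for i in range(20))


def compute_x(salt: bytes, username: bytes, password: bytes) -> int:
    """x = SHA(s | SHA(U | ":" | p)) as in RFC 2945."""
    return int.from_bytes(H(salt, H(username, b":", password)), "big")


def make_verifier(username: bytes, password: bytes, salt: bytes = None):
    """Enrolment: the server stores (salt, v = g^x mod N), never the password."""
    salt = salt or os.urandom(16)
    return salt, pow(g, compute_x(salt, username, password), N)


def proof_m1(username, salt, A, B, K):
    """M1 = H(H(N) XOR H(g), H(U), s, A, B, K)."""
    hn_xor_hg = bytes(p ^ q for p, q in zip(H(i2b(N)), H(i2b(g))))
    return H(hn_xor_hg, H(username), salt, i2b(A), i2b(B), K)


class SRPServer:
    def __init__(self):
        self.users = {}     # username -> (salt, v)
        self.failed = {}    # username -> number of failed client proofs

    def enrol(self, username: bytes, password: bytes):
        self.users[username] = make_verifier(username, password)

    def challenge(self, username: bytes, A: int):
        """Step 2: receive A, answer with (salt, B); keep per-session state."""
        if A % N == 0:
            raise ValueError("refusing A == 0 mod N")
        salt, v = self.users[username]
        b = secrets.randbelow(N - 2) + 1
        B = (v + pow(g, b, N)) % N
        return salt, B, (username, A, B, b, v)

    def verify(self, state, M1: bytes):
        """Step 4: check the client's proof; return (M2, K) or None."""
        username, A, B, b, v = state
        u = int.from_bytes(H(i2b(B))[:4], "big")   # first 32 bits of SHA(B)
        S = pow((A * pow(v, u, N)) % N, b, N)
        K = sha_interleave(S)
        if not secrets.compare_digest(proof_m1(username, self.users[username][0], A, B, K), M1):
            self.failed[username] = self.failed.get(username, 0) + 1
            return None
        return H(i2b(A), M1, K), K


def client_login(server: SRPServer, username: bytes, password: bytes) -> bool:
    """Run one full exchange; True only if both M1 and M2 check out."""
    a = secrets.randbelow(N - 2) + 1
    A = pow(g, a, N)
    salt, B, state = server.challenge(username, A)
    if B % N == 0:
        raise ValueError("refusing B == 0 mod N")
    x = compute_x(salt, username, password)
    u = int.from_bytes(H(i2b(B))[:4], "big")
    S = pow((B - pow(g, x, N)) % N, a + u * x, N)   # equals server's S iff x matches v
    K = sha_interleave(S)
    result = server.verify(state, proof_m1(username, salt, A, B, K))
    if result is None:
        return False
    M2, _ = result
    return secrets.compare_digest(M2, H(i2b(A), proof_m1(username, salt, A, B, K), K))


if __name__ == "__main__":
    srv = SRPServer()
    srv.enrol(b"admin", b"correct horse")            # constructed sample credential
    print(client_login(srv, b"admin", b"correct horse"))  # True
    print(client_login(srv, b"admin", b"guess1"))         # False
    print(srv.failed)   # {b'admin': 1}: one failed proof per wrong guess
```

Because the salt and verifier reveal nothing about the password without solving a discrete logarithm, and a transcript (A, B, M1, M2) cannot be checked against candidate passwords offline, each guess costs the attacker a complete exchange with the live service; the `failed` counter is where a deployment would apply lockout or throttling.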
