Re: backorifice-brute NSE script

[Patrick Donnelly <batrick () batbytes com>]

On Mon, May 2, 2011 at 6:32 PM, Gorjan Petrovski <mogi57 () gmail com> wrote:
> Hello,
>
> I've been somewhat busy this weekend, and the result is a
> backorifice-brute script that utilizes the brute library to guess
> passwords against the BackOrifice service. The backorifice class
> contains the basic functions for encryption and a try_password
> function which sends an encrypted PING packet to the service and
> checks whether the response is correct. This script is nearly
> finished, since some things are still unclear to me:
>
> The service itself can be configured to work on any port, and the only
> way to verify that a BackOrifice service is running is to send an
> encrypted PING packet using the correct password. What kind of a rule
> should this script be initiated by?
> Currently it's a shortport.port_or_service(31337, "BackOrifice",
> "udp") , which obviously can't be run against any port. Nmap
> recognizes a BackOrifice service only for an open|filtered 31337 port,
> and the probe uses a PING packet encrypted with the default seed.
> I liked Toni Ruottu's suggestion where the backorifice-brute script
> updates the version info for the BackOrifice service, so then
> backorifice-info can be automatically initiated once a password has
> been found.

Would a backorifice-version script make sense (a script
backorifice-brute would depend on)? Do you have to have the correct
pwd/seed to determine if it is the BackOrifice service?

> Should a brute script update version info?

Probably not. I think backorifice-version would be more appropriate if possible.

> Which socket timeout is best for this kind of script?  (I put 3000 ms)

Is the default (30 seconds I believe) not suitable?

> Why shouldn't I put 50 or 100 bruteforcing threads?

The NSE engine only allows 20 concurrent connections at a time. You
can't do better than 20 unless you increase this limit using
--max-parallelism. Isn't there a brute library option to increase the
number of threads?

> Should I post works-in-progress like this to nmap-dev, or only to my mentor?

It's encouraged to bring as much of the discussion as possible (or
desired) to nmap-dev so everyone has the opportunity to learn/to give
input.

> The example script output looks like this:
>
> 31337/udp open|filtered BackOrifice
> | backorifice-brute.nse:
> |   Accounts
> |     michael => Login correct
> |   Statistics
> |_    Performed 10 guesses in 4 seconds, average tps: 2

This looks good. I like the script. Does anyone else have any comments on it?

-- 
- Patrick Donnelly
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/