Re: backorifice-brute NSE script

[Gorjan Petrovski <mogi57 () gmail com>]

On Tue, May 3, 2011 at 4:13 AM, David Fifield <david () bamsoftware com> wrote:
> On Mon, May 02, 2011 at 09:40:57PM -0400, Patrick Donnelly wrote:
> > On Mon, May 2, 2011 at 6:32 PM, Gorjan Petrovski <mogi57 () gmail com> wrote:
> > > Hello,
> > >
> > > I've been somewhat busy this weekend, and the result is a
> > > backorifice-brute script that utilizes the brute library to guess
> > > passwords against the BackOrifice service. The backorifice class
> > > contains the basic functions for encryption and a try_password
> > > function which sends an encrypted PING packet to the service and
> > > checks whether the response is correct. This script is nearly
> > > finished, since some things are still unclear to me:
> > >
> > > The service itself can be configured to work on any port, and the only
> > > way to verify that a BackOrifice service is running is to send an
> > > encrypted PING packet using the correct password. What kind of a rule
> > > should this script be initiated by?
> > > Currently it's a shortport.port_or_service(31337, "BackOrifice",
> > > "udp") , which obviously can't be run against any port. Nmap
> > > recognizes a BackOrifice service only for an open|filtered 31337 port,
> > > and the probe uses a PING packet encrypted with the default seed.
> > > I liked Toni Ruottu's suggestion where the backorifice-brute script
> > > updates the version info for the BackOrifice service, so then
> > > backorifice-info can be automatically initiated once a password has
> > > been found.
> >
> > Would a backorifice-version script make sense (a script
> > backorifice-brute would depend on)? Do you have to have the correct
> > pwd/seed to determine if it is the BackOrifice service?
> >
> > > Should a brute script update version info?
> >
> > Probably not. I think backorifice-version would be more appropriate if possible.
> >
> > > Which socket timeout is best for this kind of script?  (I put 3000 ms)
> >
> > Is the default (30 seconds I believe) not suitable?
>
> This is hard because the service is silent until the password is
> guessed. Gorjan, you can get a reasonable measured timeout estimate from
> the host.times table. See ipidseq.nse for an example.
I'll look into it.

> > > The example script output looks like this:
> > >
> > > 31337/udp open|filtered BackOrifice
> > > | backorifice-brute.nse:
> > > |   Accounts
> > > |     michael => Login correct
> > > |   Statistics
> > > |_    Performed 10 guesses in 4 seconds, average tps: 2
> >
> > This looks good. I like the script. Does anyone else have any comments on it?
>
> The found password is saved in nmap.registry.backorificepassword; what
> happens if the script is run against two hosts at once?
Indeed, it erases the password of the first host. I'll fix this in the
new version along with the results of the above query. I'll put the
passwords in a table under nmap.registry.credentials.backorifice like
I saw in Patrik Karlsson's http script. Ok?

Cheers,
Gorjan
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/