111 lines
2.9 KiB
Lua
111 lines
2.9 KiB
Lua
local brute = require "brute"
|
|
local shortport = require "shortport"
|
|
local stdnse = require "stdnse"
|
|
local string = require "string"
|
|
local http = require "http"
|
|
local creds = require "creds"
|
|
|
|
description = [[
|
|
Performs brute force username and password auditing against
|
|
Metasploit msgrpc interface.
|
|
|
|
]]
|
|
|
|
---
|
|
-- @usage
|
|
-- nmap --script metasploit-msgrpc-brute -p 55553 <host>
|
|
--
|
|
-- This script uses brute library to perform password
|
|
-- guessing against Metasploit's msgrpc interface.
|
|
--
|
|
--
|
|
-- @output
|
|
-- PORT STATE SERVICE REASON
|
|
-- 55553/tcp open unknown syn-ack
|
|
-- | metasploit-msgrpc-brute:
|
|
-- | Accounts
|
|
-- | root:root - Valid credentials
|
|
-- | Statistics
|
|
-- |_ Performed 10 guesses in 10 seconds, average tps: 1
|
|
|
|
|
|
|
|
author = "Aleksandar Nikolic"
|
|
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
|
|
categories = {"intrusive", "brute"}
|
|
|
|
portrule = shortport.port_or_service(55553,"metasploit-msgrpc")
|
|
|
|
|
|
-- returns a "prefix" that msgpack uses for strings
|
|
local get_prefix = function(data)
|
|
if #data <= 31 then
|
|
return string.pack("B", 0xa0 + #data)
|
|
else
|
|
return "\xda" .. string.pack(">I2", #data)
|
|
end
|
|
end
|
|
|
|
-- simple function that implements basic msgpack encoding we need for this script
|
|
-- see http://wiki.msgpack.org/display/MSGPACK/Format+specification for more
|
|
local encode = function(username, password)
|
|
return "\x93\xaaauth.login" .. get_prefix(username) .. username .. get_prefix(password) .. password
|
|
end
|
|
|
|
Driver = {
|
|
|
|
new = function(self, host, port)
|
|
local o = {}
|
|
setmetatable(o, self)
|
|
self.__index = self
|
|
o.host = host
|
|
o.port = port
|
|
return o
|
|
end,
|
|
|
|
-- as we are using http methods, no need for connect and disconnect
|
|
-- this might cause a problem as in other scripts that don't have explicit connect
|
|
-- as there is no way to "reserve" a socket
|
|
connect = function( self )
|
|
return true
|
|
end,
|
|
|
|
login = function (self, user, pass)
|
|
local data
|
|
local options = {
|
|
header = {
|
|
["Content-Type"] = "binary/message-pack"
|
|
}
|
|
}
|
|
stdnse.debug1( "Trying %s/%s ...", user, pass )
|
|
data = http.post(self.host,self.port, "/api/",options, nil , encode(user,pass))
|
|
if data and data.status and tostring( data.status ):match( "200" ) then
|
|
if string.find(data.body,"success") then
|
|
return true, creds.Account:new( user, pass, creds.State.VALID)
|
|
else
|
|
return false, brute.Error:new( "Incorrect username or password" )
|
|
end
|
|
end
|
|
local err = brute.Error:new("Login didn't return a proper response")
|
|
err:setRetry( true )
|
|
return false, err
|
|
end,
|
|
|
|
disconnect = function( self )
|
|
return true
|
|
end
|
|
}
|
|
|
|
action = function( host, port )
|
|
|
|
local status, result
|
|
local engine = brute.Engine:new(Driver, host, port)
|
|
engine.options.script_name = SCRIPT_NAME
|
|
engine.options.firstonly = true
|
|
engine.max_threads = 3
|
|
engine.max_retries = 10
|
|
status, result = engine:start()
|
|
|
|
return result
|
|
end
|