description = [[
Performs brute force password auditing against the BackOrifice service. The
backorifice-brute.ports
script argument is mandatory (it specifies ports to run
the script against).
]]
---
-- @usage
-- nmap -sU --script backorifice-brute --script-args backorifice-brute.ports=
--
-- @arg backorifice-brute.ports (mandatory) List of UDP ports to run the script against separated with "," ex. "U:31337,25252,151-222", "U:1024-1512"
--
-- This script uses the brute library to perform password guessing. A
-- successful password guess is stored in the nmap registry, under the
-- nmap.registry.credentials.backorifice
table for other BackOrifice
-- scripts to use.
--
-- @output
-- PORT STATE SERVICE
-- 31337/udp open BackOrifice
-- | backorifice-brute:
-- | Accounts:
-- | michael => Login correct
-- | Statistics
-- |_ Perfomed 60023 guesses in 467 seconds, average tps: 138
--
-- Summary
-- -------
-- x The Driver class contains the driver implementation used by the brute
-- library
-- x The backorifice class contains the backorifice client implementation
--
author = "Gorjan Petrovski"
license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
categories = {"intrusive", "auth"}
require("nmap")
require("bin")
require("bit")
require("shortport")
require("brute")
require("stdnse")
-- This portrule succeeds only when the open|filtered port is in the port range
-- which is specified by the ports script argument
portrule = function(host, port)
local ports = stdnse.get_script_args(SCRIPT_NAME .. ".ports")
--print out a debug message if port 31337/udp is open
if port.number==31337 and port.protocol == "udp" and not(ports) then
stdnse.print_debug("%s","Port 31337/udp is open. Possibility of version detection and password bruteforcing using the backorifice-brute script")
return false
end
return port.protocol == "udp" and stdnse.in_port_range(port, ports:gsub(",",",") ) and
not(shortport.port_is_excluded(port.number,port.protocol))
end
local backorifice =
{
new = function(self, host, port)
local o = {}
setmetatable(o, self)
self.__index = self
o.host = host
o.port = port
return o
end,
--- Initializes the backorifice object
--
initialize = function(self)
--create socket
self.socket = nmap.new_socket("udp")
self.socket:set_timeout(self.host.times.timeout * 1000)
return true
end,
--- Attempts to send an encrypted PING packet to BackOrifice service
--
-- @param password string containing password for encryption
-- @param initial_seed number containing initial encryption seed
-- @return status, true on success, false on failure
-- @return err string containing error message on failure
try_password = function(self, password, initial_seed)
--initialize BackOrifice PING packet: |MAGICSTRING|size|packetID|TYPE_PING|arg1|arg_separat|arg2|CRC/disregarded|
local PING_PACKET = bin.pack("A