description = [[ Performs brute force password auditing against the BackOrifice service. The backorifice-brute.ports script argument is mandatory (it specifies ports to run the script against). ]] --- -- @usage -- nmap -sU --script backorifice-brute --script-args backorifice-brute.ports= -- -- @arg backorifice-brute.ports (mandatory) List of UDP ports to run the script against separated with "," ex. "U:31337,25252,151-222", "U:1024-1512" -- -- This script uses the brute library to perform password guessing. A -- successful password guess is stored in the nmap registry, under the -- nmap.registry.credentials.backorifice table for other BackOrifice -- scripts to use. -- -- @output -- PORT STATE SERVICE -- 31337/udp open BackOrifice -- | backorifice-brute: -- | Accounts: -- | michael => Login correct -- | Statistics -- |_ Perfomed 60023 guesses in 467 seconds, average tps: 138 -- -- Summary -- ------- -- x The Driver class contains the driver implementation used by the brute -- library -- x The backorifice class contains the backorifice client implementation -- author = "Gorjan Petrovski" license = "Same as Nmap--See http://nmap.org/book/man-legal.html" categories = {"intrusive", "auth"} require("nmap") require("bin") require("bit") require("shortport") require("brute") require("stdnse") require("creds") -- This portrule succeeds only when the open|filtered port is in the port range -- which is specified by the ports script argument portrule = function(host, port) local ports = stdnse.get_script_args(SCRIPT_NAME .. ".ports") --print out a debug message if port 31337/udp is open if port.number==31337 and port.protocol == "udp" and not(ports) then stdnse.print_debug("Port 31337/udp is open. Possibility of version detection and password bruteforcing using the backorifice-brute script") return false end return port.protocol == "udp" and stdnse.in_port_range(port, ports:gsub(",",",") ) and not(shortport.port_is_excluded(port.number,port.protocol)) end local backorifice = { new = function(self, host, port) local o = {} setmetatable(o, self) self.__index = self o.host = host o.port = port return o end, --- Initializes the backorifice object -- initialize = function(self) --create socket self.socket = nmap.new_socket("udp") self.socket:set_timeout(self.host.times.timeout * 1000) return true end, --- Attempts to send an encrypted PING packet to BackOrifice service -- -- @param password string containing password for encryption -- @param initial_seed number containing initial encryption seed -- @return status, true on success, false on failure -- @return err string containing error message on failure try_password = function(self, password, initial_seed) --initialize BackOrifice PING packet: |MAGICSTRING|size|packetID|TYPE_PING|arg1|arg_separat|arg2|CRC/disregarded| local PING_PACKET = bin.pack("A