description = [[ Determines whether the encryption option is supported on a remote telnet server. Some systems (including FreeBSD and the krb5 telnetd available in many Linux distributions) implement this option incorrectly, leading to a remote root vulnerability. This script currently only tests whether encryption is supported, not for that particular vulnerability. References: * FreeBSD Advisory: * FreeBSD Exploit: * RedHat Enterprise Linux Advisory: ]] --- -- @usage -- nmap -p 23 --script telnet-encryption -- -- @output -- PORT STATE SERVICE REASON -- 23/tcp open telnet syn-ack -- | telnet-encryption: -- |_ Telnet server supports encryption -- -- categories = {"safe", "discovery"} require 'shortport' portrule = shortport.port_or_service(23, 'telnet') author = "Patrik Karlsson, David Fifield, Fyodor" license = "Same as Nmap--See" local COMMAND = { SubCommand = 0xFA, Will = 0xFB, Do = 0xFD, Dont = 0xFE, Wont = 0xFC, } local function processOptions(data) local pos = 1 local result = {} while ( pos < #data ) do local iac, cmd, option pos, iac, cmd = bin.unpack("CC", data, pos) if ( 0xFF ~= iac ) then break end if ( COMMAND.SubCommand == cmd ) then repeat pos, iac = bin.unpack("C", data, pos) until( pos == #data or 0xFF == iac ) pos, cmd = bin.unpack("C", data, pos) if ( not(cmd) == 0xF0 ) then return false, "Failed to parse options" end else pos, option = bin.unpack("H", data, pos) result[option] = result[option] or {} table.insert(result[option], cmd) end end return true, { done=( not(#data == pos - 1) ), cmds = result } end action = function(host, port) local socket = nmap.new_socket() local status = socket:connect(host, port) local data = bin.pack("H", "FFFD26FFFB26") local result socket:set_timeout(7500) status, result = socket:send(data) if ( not(status) ) then return ("\n ERROR: Failed to send packet: %s"):format(result) end repeat status, data = socket:receive() if ( not(status) ) then return ("\n ERROR: Receiving packet: %s"):format(data) end status, result = processOptions(data) if ( not(status) ) then return "\n ERROR: Failed to process telnet options" end until( result.done or result.cmds['26'] ) for _, cmd in ipairs(result.cmds['26'] or {}) do if ( COMMAND.Will == cmd or COMMAND.Do == cmd ) then return "\n Telnet server supports encryption" end end return "\n Telnet server does not support encryption" end