local bits = require "bits" local brute = require "brute" local creds = require "creds" local nmap = require "nmap" local shortport = require "shortport" local stdnse = require "stdnse" local string = require "string" local table = require "table" description = [[ Performs brute force password auditing against the BackOrifice service. The backorifice-brute.ports script argument is mandatory (it specifies ports to run the script against). ]] --- -- @usage -- nmap -sU --script backorifice-brute --script-args backorifice-brute.ports= -- -- @arg backorifice-brute.ports (mandatory) List of UDP ports to run the script against separated with "," ex. "U:31337,25252,151-222", "U:1024-1512" -- -- This script uses the brute library to perform password guessing. A -- successful password guess is stored in the nmap registry, under the -- nmap.registry.credentials.backorifice table for other BackOrifice -- scripts to use. -- -- @output -- PORT STATE SERVICE -- 31337/udp open BackOrifice -- | backorifice-brute: -- | Accounts: -- | michael => Valid credentials -- | Statistics -- |_ Perfomed 60023 guesses in 467 seconds, average tps: 138 -- -- Summary -- ------- -- x The Driver class contains the driver implementation used by the brute -- library -- x The backorifice class contains the backorifice client implementation -- author = "Gorjan Petrovski" license = "Same as Nmap--See https://nmap.org/book/man-legal.html" categories = {"intrusive", "brute"} -- This portrule succeeds only when the open|filtered port is in the port range -- which is specified by the ports script argument portrule = function(host, port) local ports = stdnse.get_script_args(SCRIPT_NAME .. ".ports") if not ports then stdnse.verbose1("Skipping '%s' %s, 'ports' argument is missing.",SCRIPT_NAME, SCRIPT_TYPE) return false end -- ensure UDP ports = ports:gsub("^[U:]*", "U:") return port.protocol == "udp" and shortport.port_range(ports)(host, port) and not(shortport.port_is_excluded(port.number,port.protocol)) end local MAGICSTRING ="*!*QWTY?" local backorifice = { new = function(self, host, port) local o = {} setmetatable(o, self) self.__index = self o.host = host o.port = port return o end, --- Initializes the backorifice object -- initialize = function(self) --create socket self.socket = nmap.new_socket("udp") self.socket:set_timeout(self.host.times.timeout * 1000) return true end, --- Attempts to send an encrypted PING packet to BackOrifice service -- -- @param password string containing password for encryption -- @param initial_seed number containing initial encryption seed -- @return status, true on success, false on failure -- @return err string containing error message on failure try_password = function(self, password, initial_seed) --initialize BackOrifice PING packet: |MAGICSTRING|size|packetID|TYPE_PING|arg1|arg_separat|arg2|CRC/disregarded| local PING_PACKET = MAGICSTRING .. string.pack("