|
Server : Apache/2.4.18 (Ubuntu) System : Linux canvaswebdesign 3.13.0-71-generic #114-Ubuntu SMP Tue Dec 1 02:34:22 UTC 2015 x86_64 User : oppastar ( 1041) PHP Version : 7.0.33-0ubuntu0.16.04.15 Disable Function : pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority, Directory : /usr/share/nmap/scripts/ |
Upload File : |
local base64 = require "base64"
local brute = require "brute"
local creds = require "creds"
local nmap = require "nmap"
local shortport = require "shortport"
description = [[
Performs brute force password auditing against an iPhoto Library.
]]
---
-- @usage
-- nmap --script dpap-brute -p 8770 <host>
--
-- @output
-- 8770/tcp open apple-iphoto syn-ack
-- | dpap-brute:
-- | Accounts
-- | secret => Login correct
-- | Statistics
-- |_ Perfomed 5007 guesses in 6 seconds, average tps: 834
--
--
-- Version 0.1
-- Created 24/01/2011 - v0.1 - created by Patrik Karlsson <patrik@cqure.net>
--
author = "Patrik Karlsson"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"intrusive", "brute"}
portrule = shortport.port_or_service(8770, "apple-iphoto")
Driver = {
new = function(self, host, port)
local o = {}
setmetatable(o, self)
self.__index = self
o.host = host
o.port = port
return o
end,
connect = function( self )
self.socket = nmap.new_socket()
self.socket:set_timeout(5000)
return self.socket:connect(self.host, self.port, "tcp")
end,
login = function( self, username, password )
local data = "GET dpap://%s:%d/login HTTP/1.1\r\n" ..
"User-Agent: iPhoto/9.1.1 (Macintosh; N; PPC)\r\n" ..
"Host: %s\r\n" ..
"Authorization: Basic %s\r\n" ..
"Client-DPAP-Version: 1.1\r\n" ..
"\r\n\r\n"
local c = base64.enc("nmap:" .. password)
data = data:format( self.host.ip, self.port.number, self.host.ip, c )
local status = self.socket:send( data )
if ( not(status) ) then
local err = brute.Error:new( "Failed to send data to DPAP server" )
err:setRetry( true )
return false, err
end
status, data = self.socket:receive()
if ( not(status) ) then
local err = brute.Error:new( "Failed to receive data from DPAP server" )
err:setRetry( true )
return false, err
end
if ( data:match("^HTTP/1.1 200 OK") ) then
return true, creds.Account:new(username, password, creds.State.VALID)
end
return false, brute.Error:new( "Incorrect password" )
end,
disconnect = function( self )
self.socket:close()
end,
}
local function checkEmptyPassword(host, port)
local d = Driver:new(host, port)
local status = d:connect()
if ( not(status) ) then
return false
end
status = d:login("", "")
d:disconnect()
return status
end
action = function(host, port)
if ( checkEmptyPassword(host, port) ) then
return "Library has no password"
end
local status, result
local engine = brute.Engine:new(Driver, host, port )
engine.options.firstonly = true
engine.options:setOption( "passonly", true )
engine.options.script_name = SCRIPT_NAME
status, result = engine:start()
return result
end