Home page logo

nmap-dev logo Nmap Development mailing list archives

[NSE] Idea: Radmin brute force password script
From: Pavel Zhovner <pavel () zhovner com>
Date: Thu, 28 Apr 2011 14:23:37 +0300

Hello, folks. I have a proposal.

Radmin — remote control service for Windows. The same as microsft RDP
but with remote access to file system, command interpreter and more.
Unlike RDP, connection to Radmin is sneaky. It means all features
(desktop sharing, file sharing, cmd.exe) not visible for user.

It will be great to have script for guessing password. Difficult is
that Radmin protocol is proprietary and there is no open protocol
specification, but it alredy successfully reverse-engineered. It use
Twofish cipher for connection encryption and radmin version 3.x use
SRP (RFC 2945) for authentication.

 In attachment radmin ver. 2.x, 3.x authentication module written in C
taken from opensource windows tool Lamescan. I try to translate
comments in code from russian. I'm also attach Lamescan sources.

If someone interested of this, I can give the playground with all
versions radmin and contact with guy who worked on

Attachment: radmin.c

Attachment: radmin.h

Attachment: lamescan3_src.tar.gz

Sent through the nmap-dev mailing list
Archived at http://seclists.org/nmap-dev/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]