Re: backorifice-brute NSE script
From: Patrick Donnelly <batrick () batbytes com>
Date: Mon, 2 May 2011 21:40:57 -0400
On Mon, May 2, 2011 at 6:32 PM, Gorjan Petrovski <mogi57 () gmail com> wrote:
> I've been somewhat busy this weekend, and the result is a
> backorifice-brute script that utilizes the brute library to guess
> passwords against the BackOrifice service. The backorifice class
> contains the basic functions for encryption and a try_password
> function which sends an encrypted PING packet to the service and
> checks whether the response is correct. This script is nearly
> finished, since some things are still unclear to me:
>
> The service itself can be configured to work on any port, and the only
> way to verify that a BackOrifice service is running is to send an
> encrypted PING packet using the correct password. What kind of a rule
> should this script be initiated by?
>
> Currently it's a shortport.port_or_service(31337, "BackOrifice",
> "udp"), which obviously can't be run against any port. Nmap
> recognizes a BackOrifice service only for an open|filtered 31337 port,
> and the probe uses a PING packet encrypted with the default seed.
>
> I liked Toni Ruottu's suggestion where the backorifice-brute script
> updates the version info for the BackOrifice service, so then
> backorifice-info can be automatically initiated once a password has

Would a backorifice-version script make sense (a script
backorifice-brute would depend on)? Do you have to have the correct
pwd/seed to determine if it is the BackOrifice service?

> Should a brute script update version info?

Probably not. I think backorifice-version would be more appropriate if possible.

> Which socket timeout is best for this kind of script? (I put 3000 ms)

Is the default (30 seconds I believe) not suitable?

> Why shouldn't I put 50 or 100 bruteforcing threads?

The NSE engine only allows 20 concurrent connections at a time. You
can't do better than 20 unless you increase this limit using
--max-parallelism. Isn't there a brute library option to increase the
number of threads?

> Should I post works-in-progress like this to nmap-dev, or only to my mentor?

It's encouraged to bring as much of the discussion as possible (or
desired) to nmap-dev so everyone has the opportunity to learn/to give

> The example script output looks like this:
>
> 31337/udp open|filtered BackOrifice
> | michael => Login correct
> |_ Performed 10 guesses in 4 seconds, average tps: 2

This looks good. I like the script. Does anyone else have any comments on it?
- Patrick Donnelly
Sent through the nmap-dev mailing list
Archived at http://seclists.org/nmap-dev/