Impress remote discover #713

Closed (25 commits)
ahhchuu commented Feb 27, 2017

Script idea link:
https://secwiki.org/w/Nmap/Script_Ideas#impress-remote-discover

Example Output:
1599/tcp open libreoffice-impress-remote syn-ack LibreOffice Impress
| impress-remote-discover:
| Impress Version: 4.2.4.2
|_ Remote PIN: 1234

Version of LibreOffice Impress tested against: 4.2.4.2
https://downloadarchive.documentfoundation.org/libreoffice/old/4.2.4.2/

This is cool! I'll look closer in the morning, but here are my observations:

  • The "Firefox OS" string could really be anything, and functions kind of like a username in that it must match the PIN. Correct PIN with different ID string will not work. Guessing you grabbed this from the remote app? Could we make it a script-arg please?
  • Running the brute-force results in overwhelming the "Slide Show -> Impress Remote" menu. This is quite intrusive. At least it doesn't pop up a PIN prompt like I expected it to! Makes me wary of using this probe for service scan, though... Probably fine, I guess.
  • Requiring "bruteforce=true" seems a bit much. Can't we just allow "bruteforce" or "bruteforce=1" or basically any value that is truthy?

More feedback in the morning, I think.

It's been a couple days and I don't have any other feedback. Just the 2 changes:

  1. Make the client name a script-arg, with appropriate documentation.
  2. Let bruteforce be any true value, not only the literal string "true"

Thanks!

ahhchuu commented Mar 4, 2017

Client Name is now a script-arg with the default still set to Firefox OS.

The bruteforce arg no longer requires a value, just needs to be present if a user wishes it to bruteforce the PIN. Still defaults to false and checks if the user has set the script-arg explicitly to false, just in case.

New example output:
1599/tcp open libreoffice-impress-remote syn-ack LibreOffice Impress
| impress-remote-discover:
| Remote PIN: 1234
| Client Name: Firefox OS
|_ Impress Version: 4.2.4.2

Thanks for the feedback, Daniel!

Sweet! I made a few cosmetic changes and committed, should show up here soon.

  • More description of the PIN mechanism and what traces brute-forcing leaves
  • Removed "exploit" and "vuln" categories, since there's no exploit or vulnerability, just weak authentication.
  • Used stdnse.output_table to enforce consistent ordering of output.
  • Made error output consistent with other scripts, using stdnse.verbose1 instead of returning "false"
  • Corrected use of stdnse.format_output (not needed for success case)
  • Called nmap.set_port_version to set detected version of LibreOffice in the VERSION field.

Also pushed a change to stdnse.lua to fix get_script_args, which wouldn't allow setting --script-args bruteforce though --script-args bruteforce=1 worked fine.

nmap-bot closed this in 0b93e8d Mar 4, 2017
