Impress remote discover

[jhiebert]

Script idea link:
https://secwiki.org/w/Nmap/Script_Ideas#impress-remote-discover

Example Output:
1599/tcp open libreoffice-impress-remote syn-ack LibreOffice Impress
| impress-remote-discover:
| Impress Version: 4.2.4.2
|_ Remote PIN: 1234

Version of LibreOffice Impress tested against: 4.2.4.2
https://downloadarchive.documentfoundation.org/libreoffice/old/4.2.4.2/

[dmiller-nmap]

This is cool! I'll look closer in the morning, but here are my observations:

• The "Firefox OS" string could really be anything, and functions kind of like a username in that it must match the PIN. Correct PIN with different ID string will not work. Guessing you grabbed this from the remote app? Could we make it a script-arg please?
• Running the brute-force results in overwhelming the "Slide Show -> Impress Remote" menu. This is quite intrusive. At least it doesn't pop up a PIN prompt like I expected it to! Makes me wary of using this probe for service scan, though... Probably fine, I guess.
• Requiring "bruteforce=true" seems a bit much. Can't we just allow "bruteforce" or "bruteforce=1" or basically any value that is truthy?

More feedback in the morning, I think.

[dmiller-nmap]

It's been a couple days and I don't have any other feedback. Just the 2 changes:

1. Make the client name a script-arg, with appropriate documentation.
2. Let bruteforce be any true value, not only the literal string "true"

Thanks!

[jhiebert]

Client Name is now a script-arg with the default still set to Firefox OS.

The bruteforce arg no longer requires a value, just needs to be present if a user wishes it to bruteforce the PIN. Still defaults to false and checks if the user has set the script-arg explicitly to false, just in case.

New example output:
1599/tcp open libreoffice-impress-remote syn-ack LibreOffice Impress
| impress-remote-discover:
| Remote PIN: 1234
| Client Name: Firefox OS
|_ Impress Version: 4.2.4.2

Thanks for the feedback Daniel!

[dmiller-nmap]

Sweet! I made a few cosmetic changes and committed, should show up here soon.

• More description of the PIN mechanism and what traces brute-forcing leaves
• Removed "exploit" and "vuln" categories, since there's no exploit or vulnerability, just weak authentication.
• Used stdnse.output_table to enforce consistent ordering of output.
• made error output consistent with other scripts, using stdnse.verbose1 instead of returning "false"
• Corrected use of stdnse.format_output (not needed for success case)
• Called nmap.set_port_version to set detected version of LibreOffice in the VERSION field.

Also pushed a change to stdnse.lua to fix get_script_args, which wouldn't allow setting --script-args bruteforce though --script-args bruteforce=1 worked fine.