Impress remote discover #713

Closed
Wants to merge 25 commits into base: master

3 participants

ahhchuu commented Feb 27, 2017

Script idea link:
https://secwiki.org/w/Nmap/Script_Ideas#impress-remote-discover

Example Output:
1599/tcp open libreoffice-impress-remote syn-ack LibreOffice Impress
| impress-remote-discover:
| Impress Version: 4.2.4.2
|_ Remote PIN: 1234

Version of LibreOffice Impress tested against: 4.2.4.2
https://downloadarchive.documentfoundation.org/libreoffice/old/4.2.4.2/

dmiller-nmap commented Mar 2, 2017

This is cool! I'll look closer in the morning, but here are my observations:

  • The "Firefox OS" string could really be anything, and functions kind of like a username in that it must match the PIN. Correct PIN with different ID string will not work. Guessing you grabbed this from the remote app? Could we make it a script-arg please?
  • Running the brute-force results in overwhelming the "Slide Show -> Impress Remote" menu. This is quite intrusive. At least it doesn't pop up a PIN prompt like I expected it to! Makes me wary of using this probe for service scan, though... Probably fine, I guess.
  • Requiring "bruteforce=true" seems a bit much. Can't we just allow "bruteforce" or "bruteforce=1" or basically any value that is truthy?

More feedback in the morning, I think.

@dmiller-nmap

It's been a couple days and I don't have any other feedback. Just the 2 changes:

  1. Make the client name a script-arg, with appropriate documentation.
  2. Let bruteforce be any true value, not only the literal string "true"

Thanks!

ahhchuu commented Mar 4, 2017

Client Name is now a script-arg with the default still set to Firefox OS.

The bruteforce arg no longer requires a value, just needs to be present if a user wishes it to bruteforce the PIN. Still defaults to false and checks if the user has set the script-arg explicitly to false, just in case.

New example output:
1599/tcp open libreoffice-impress-remote syn-ack LibreOffice Impress
| impress-remote-discover:
| Remote PIN: 1234
| Client Name: Firefox OS
|_ Impress Version: 4.2.4.2

Thanks for the feedback Daniel!

dmiller-nmap commented Mar 4, 2017

Sweet! I made a few cosmetic changes and committed, should show up here soon.

  • More description of the PIN mechanism and what traces brute-forcing leaves
  • Removed "exploit" and "vuln" categories, since there's no exploit or vulnerability, just weak authentication.
  • Used stdnse.output_table to enforce consistent ordering of output.
  • Made error output consistent with other scripts, using stdnse.verbose1 instead of returning "false"
  • Corrected use of stdnse.format_output (not needed for success case)
  • Called nmap.set_port_version to set detected version of LibreOffice in the VERSION field.

Also pushed a change to stdnse.lua to fix get_script_args, which wouldn't allow setting --script-args bruteforce though --script-args bruteforce=1 worked fine.
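The truthy script-arg handling asked for in this thread (accept a bare `bruteforce`, `bruteforce=1` or any other value, and only an explicit false turns it off, with the default staying off), written out as an added example. This is not the PR's or Nmap's own code: it is plain Lua that runs outside Nmap, where the helper `arg_is_set` and the constructed table of argument values stand in for `stdnse.get_script_args` and `nmap.registry.args`. The assumption that Nmap records a bare `--script-args bruteforce` as the number 1 rather than a string is not stated on the page and is labelled in the code.

```lua
-- Added example, not code from the PR or from Nmap: decide whether a script-arg
-- such as "bruteforce" is "on" the way this thread asks for. Absent -> the
-- default (off for bruteforce); present with no value -> on; any value other
-- than an explicit false/0/no/off -> on.

-- Values that count as an explicit "no"; anything else that is present is "yes".
local FALSY = { ["false"] = true, ["0"] = true, ["no"] = true, ["off"] = true }

--- Interpret a raw script-arg value as a boolean.
-- @param v       nil (arg absent), a string, a number or a boolean
-- @param default value to return when the arg is absent
-- @return boolean
local function arg_is_set(v, default)
  if v == nil then return default end
  if type(v) == "boolean" then return v end
  if type(v) == "number" then return v ~= 0 end
  -- normalise the string: lower-case, then trim surrounding whitespace
  local s = tostring(v):lower():match("^%s*(.-)%s*$")
  -- "bruteforce=" with an empty value still means the arg was given
  if s == "" then return true end
  return not FALSY[s]
end

-- Constructed stand-in for nmap.registry.args (sample values, not captured
-- from a scan). Assumption, not stated on the page: Nmap records a bare
-- "--script-args bruteforce" as the number 1 rather than a string, which is
-- why the helper accepts numbers as well as strings.
local cases = {
  { cli = "(no --script-args)",               value = nil,     want = false },
  { cli = "--script-args bruteforce",         value = 1,       want = true  },
  { cli = "--script-args bruteforce=1",       value = "1",     want = true  },
  { cli = "--script-args bruteforce=true",    value = "true",  want = true  },
  { cli = "--script-args bruteforce=yes",     value = "yes",   want = true  },
  { cli = "--script-args bruteforce=",        value = "",      want = true  },
  { cli = "--script-args bruteforce=false",   value = "false", want = false },
  { cli = "--script-args bruteforce=0",       value = "0",     want = false },
  { cli = "--script-args bruteforce=' Off '", value = " Off ", want = false },
}

-- Each case is checked against the expected decision; a mismatch raises an error.
for _, c in ipairs(cases) do
  local got = arg_is_set(c.value, false)   -- bruteforce defaults to off
  assert(got == c.want,
    ("%s -> %s, expected %s"):format(c.cli, tostring(got), tostring(c.want)))
  print(("%-40s bruteforce=%s"):format(c.cli, tostring(got)))
end
```

Run it with `lua <file>.lua`; the asserts document the decisions the script is expected to make. Inside an NSE script the raw value would come from `stdnse.get_script_args(SCRIPT_NAME .. ".bruteforce")` and the default must remain off, which matches the observation earlier in this thread that the PIN brute-force is intrusive and leaves visible traces in the presenter's Slide Show -> Impress Remote menu.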

@nmap-bot nmap-bot closed this in 0b93e8d Mar 4, 2017
