Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Impress remote discover #713

wants to merge 25 commits into from

Impress remote discover #713

wants to merge 25 commits into from


Copy link

Script idea link:

Example Output:
1599/tcp open libreoffice-impress-remote syn-ack LibreOffice Impress
| impress-remote-discover:
| Impress Version:
|_ Remote PIN: 1234

Version of LibreOffice Impress tested against:

Copy link

This is cool! I'll look closer in the morning, but here are my observations:

  • The "Firefox OS" string could really be anything, and functions kind of like a username in that it must match the PIN. Correct PIN with different ID string will not work. Guessing you grabbed this from the remote app? Could we make it a script-arg please?
  • Running the brute-force results in overwhelming the "Slide Show -> Impress Remote" menu. This is quite intrusive. At least it doesn't pop up a PIN prompt like I expected it to! Makes me wary of using this probe for service scan, though... Probably fine, I guess.
  • Requiring "bruteforce=true" seems a bit much. Can't we just allow "bruteforce" or "bruteforce=1" or basically any value that is truthy?

More feedback in the morning, I think.

Copy link

@dmiller-nmap dmiller-nmap left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It's been a couple days and I don't have any other feedback. Just the 2 changes:

  1. Make the client name a script-arg, with appropriate documentation.
  2. Let bruteforce be any true value, not only the literal string "true"


Copy link

jhiebert commented Mar 4, 2017

Client Name is now a script-arg with the default still set to Firefox OS.

The bruteforce arg no longer requires a value, just needs to be present if a user wishes it to bruteforce the PIN. Still defaults to false and checks if the user has set the script-arg explicitly to false, just in case.

New example output:
1599/tcp open libreoffice-impress-remote syn-ack LibreOffice Impress
| impress-remote-discover:
| Remote PIN: 1234
| Client Name: Firefox OS
|_ Impress Version:

Thanks for the feedback Daniel!

Copy link

Sweet! I made a few cosmetic changes and committed, should show up here soon.

  • More description of the PIN mechanism and what traces brute-forcing leaves
  • Removed "exploit" and "vuln" categories, since there's no exploit or vulnerability, just weak authentication.
  • Used stdnse.output_table to enforce consistent ordering of output.
  • made error output consistent with other scripts, using stdnse.verbose1 instead of returning "false"
  • Corrected use of stdnse.format_output (not needed for success case)
  • Called nmap.set_port_version to set detected version of LibreOffice in the VERSION field.

Also pushed a change to stdnse.lua to fix get_script_args, which wouldn't allow setting --script-args bruteforce though --script-args bruteforce=1 worked fine.

@nmap-bot nmap-bot closed this in 0b93e8d Mar 4, 2017
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
None yet
None yet

Successfully merging this pull request may close these issues.

None yet

3 participants