
Impress remote discover #713

Closed
wants to merge 25 commits into from

Conversation

jhiebert

Script idea link:
https://secwiki.org/w/Nmap/Script_Ideas#impress-remote-discover

Example Output:
1599/tcp open libreoffice-impress-remote syn-ack LibreOffice Impress
| impress-remote-discover:
| Impress Version: 4.2.4.2
|_ Remote PIN: 1234

Version of LibreOffice Impress tested against: 4.2.4.2
https://downloadarchive.documentfoundation.org/libreoffice/old/4.2.4.2/

@dmiller-nmap

This is cool! I'll look closer in the morning, but here are my observations:

  • The "Firefox OS" string could really be anything, and functions kind of like a username in that it must match the PIN. Correct PIN with different ID string will not work. Guessing you grabbed this from the remote app? Could we make it a script-arg please?
  • Running the brute-force results in overwhelming the "Slide Show -> Impress Remote" menu. This is quite intrusive. At least it doesn't pop up a PIN prompt like I expected it to! Makes me wary of using this probe for service scan, though... Probably fine, I guess.
  • Requiring "bruteforce=true" seems a bit much. Can't we just allow "bruteforce" or "bruteforce=1" or basically any value that is truthy?

More feedback in the morning, I think.


@dmiller-nmap dmiller-nmap left a comment


It's been a couple days and I don't have any other feedback. Just the 2 changes:

  1. Make the client name a script-arg, with appropriate documentation.
  2. Let bruteforce be any true value, not only the literal string "true"

Thanks!

@jhiebert
Author

jhiebert commented Mar 4, 2017

Client Name is now a script-arg with the default still set to Firefox OS.

The bruteforce arg no longer requires a value, just needs to be present if a user wishes it to bruteforce the PIN. Still defaults to false and checks if the user has set the script-arg explicitly to false, just in case.

New example output:
1599/tcp open libreoffice-impress-remote syn-ack LibreOffice Impress
| impress-remote-discover:
| Remote PIN: 1234
| Client Name: Firefox OS
|_ Impress Version: 4.2.4.2

Thanks for the feedback Daniel!

@dmiller-nmap

Sweet! I made a few cosmetic changes and committed, should show up here soon.

  • More description of the PIN mechanism and what traces brute-forcing leaves
  • Removed "exploit" and "vuln" categories, since there's no exploit or vulnerability, just weak authentication.
  • Used stdnse.output_table to enforce consistent ordering of output.
  • Made error output consistent with other scripts, using stdnse.verbose1 instead of returning "false"
  • Corrected use of stdnse.format_output (not needed for success case)
  • Called nmap.set_port_version to set detected version of LibreOffice in the VERSION field.

Also pushed a change to stdnse.lua to fix get_script_args, which wouldn't allow setting --script-args bruteforce though --script-args bruteforce=1 worked fine.

@nmap-bot nmap-bot closed this in 0b93e8d Mar 4, 2017