I cleaned up and documented the script some more. The packets sent to the server over UDP and TCP now both have NULL_AUTH credentials. The new version is available here.
So, my friend Ian Vitek enlightened me again. Apparently, when the published application list is long it’s split up into multiple packets, and the client needs to keep reading them until the magic byte at offset 31 is toggled to 1.
I have adjusted my script so that it checks for this and prints a complete list of published applications, instead of just the first packets. The script can be downloaded from here.
For more information on how to get it running, check my earlier posts or post a comment to the article.
Lua turned out to be quite entertaining so I have spent some time coding some more scripts for Nmap. The first script I finished was nfs-showmount.nse which can be used to query a remote server for any NFS shares:
nmap --script nfs-showmount -p 111 192.168.56.50
Interesting ports on yoda.localdomain (192.168.56.50):
PORT STATE SERVICE
111/tcp open rpcbind
Host script results:
| /home/storage/backup 192.168.56.0/255.255.255.0 192.168.56.66/255.255.255.255
|_ /home 192.168.56.0/255.255.255.0
The next one, citrix-published-applications, queries a Citrix server for any published applications:
sudo nmap -sU --script citrix-published-applications -p 1604 192.168.56.5
Starting Nmap 5.00 ( http://nmap.org ) at 2009-11-24 22:09 CET
Interesting ports on 192.168.56.5:
PORT STATE SERVICE
1604/udp open unknown
|_ registry editor
I just finished a patch against Romain Raboin’s HTTP Digest authentication patch for John the Ripper. Romain’s patch is also included in the jumbo patch available from the John the Ripper main page. The patch I made is very small and simply checks whether the Quality of Protection (qop) parameter was supplied in the input or not. If it was not, it makes the appropriate changes so that the response is computed per the simpler RFC 2069 scheme instead.
I received some great feedback from Ron Bowes over at SkullSecurity, pointing out some redundant code and a better approach of achieving what I was doing. I have changed the code according to his suggestions and made it available for download here.
For more details on how to use the script check the first article over here.
As I’ve been tinkering with VoIP for a while I decided to write a version detection script for Nmap. It’s my first stab at both Nmap scripting and the Lua programming language, so don’t expect too much. The limited tests I have made show that it does a reasonable job and returns any version information present in the server response. The script can be found here.
While testing another IP PBX product I found some bugs in my applications that I have now fixed. While fixing these bugs I also finished some additional changes that I have been working on. I also added an additional method of determining if an account is valid or not that I found while testing the other PBX product.
More details are available under the VoIPTK page.
I finally got to packaging and releasing my small VoIP toolkit. Currently it’s not much of a toolkit as it consists of only two tools. This will hopefully change in future versions.
The 0.1 version consists of SIPUserGuess and VoIPPwGuess. The first allows for exploitation of the recent vulnerability that I found in Asterisk (AST-2009-008) in order to enumerate valid usernames. The other allows you to audit password quality against the SIP and IAX2 protocols.
I found a security hole in the Asterisk SIP implementation last week. I was happy to hear that it has already been patched and released. The vulnerability allows an attacker to determine whether a given username is valid or not. With knowledge of existing usernames a more efficient password guessing attack can be mounted against the system.
The full advisory can be read here:
I have been working on some very basic VoIP tools lately which amongst other things have this attack implemented. I’ll hopefully get to releasing it in the near future.