Mailing List Archive

pcanywhere plugin testing request
Hi everyone,

I need help testing whether a new plugin I am writing works. It tries to check if a
PCAnywhere host has a password set. I put it all together from a traffic dump,
so I don't know how well it works on anything but a single system. If you
have a PCAnywhere system somewhere on your network and the permission to run
assessment tools on it, can you please do the following:

1. Take the code at the end of this email and paste it into a file.
2. Set up PCAnywhere to do No Caller Authentication.
3. Run nasl /path/to/plugin.nasl -t <host> and make sure it comes back as
vulnerable.
4. Change PCAnywhere to Windows Auth.
5. Run the plugin, report which Exit Level it stops at and the PCA version (or
that it screwed up and false positived).
6. Change PCAnywhere to PCA Auth.
7. Run the plugin, report the exit level.

I would really appreciate a tcpdump-style log of the network traffic, but I
would understand if it's not feasible. Thanks in advance!

H D Moore
http://www.digitaldefense.net - work
http://www.digitaloffense.net - play


--- cut here ---

# this code needs some real testing, the box I was using
# went down hard and I have to reinstall. To anyone using
# VMware with Win2k Advanced Server, don't install PCA 9.0!

# the plugin code didn't crash it, starting the service after rebooting did


#
# The script code starts here
#

# Handshake table: cl[d] is the client message sent at negotiation level d,
# sv[d] is the substring expected somewhere in the server's reply to it.
cl[0] = raw_string(0x00, 0x00, 0x00, 0x00);
sv[0] = "ter...";

cl[1] = raw_string(0x6f, 0x06, 0xff);
sv[1] = raw_string(0x1b, 0x61);

cl[2] = raw_string(0x6f, 0x61, 0x00, 0x09, 0x00, 0xfe, 0x00,
                   0x00, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00);
sv[2] = raw_string(0x1b, 0x62);

cl[3] = raw_string(0x6f, 0x62, 0x01, 0x02, 0x00, 0x00, 0x00);
sv[3] = raw_string(0x65, 0x6e);

# 0x20 = client name (actual first/last name) / 0x41 = client's host name
cl[4] = raw_string(0x6f, 0x49, 0x00, 0x4c, 0x20, 0x20, 0x20, 0x20,
                   0x20, 0x20, 0x20, 0x20, 0x20, 0x00, 0x00, 0x00,
                   0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
                   0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
                   0x00, 0x00, 0x1f, 0x00, 0x00, 0x00, 0x00, 0x00,
                   0x00, 0x00, 0x09, 0xff, 0x05, 0x00, 0x00, 0x00,
                   0x60, 0x24, 0x00, 0x09, 0x00, 0x00, 0x00, 0x06,
                   0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
                   0x41, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
                   0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
                   0x31);
sv[4] = raw_string(0x1b, 0x16);

cl[5] = raw_string(0x6f, 0x73, 0x02, 0x01, 0x00, 0x02);
sv[5] = "Service Pack";

# number of negotiation levels in the table above
levels = 6;

port = 5631;
if(!get_port_state(port)) exit(0);

soc = open_sock_tcp(port);
if(!soc) exit(0);

# Walk the levels in order. The first reply that lacks the expected
# substring is where the host stopped us; that index is the "exit level".
for(d = 0; d < levels; d = d + 1)
{
  display(":: entering negotiation level ", d, "\n");
  send(socket:soc, data:cl[d]);
  r = recv(socket:soc, length:4096);
  if(!(sv[d] >< r))
  {
    close(soc);
    display("exiting at level ", d, "\n");
    exit(0);
  }
}
close(soc);
display("vulnerable!\n");


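An added example, not part of the original post or of the plugin above: an offline re-check of the plugin's negotiation levels against the server replies pulled from a tcpdump-style log, so a tester can read the "exit level" off a capture without rerunning the probe. The expected substrings are the plugin's sv[] values; the (direction, payload) capture format and every capture below are constructed sample data, not traffic from a real PCAnywhere host.

```python
# Substring the plugin expects in the server's reply at each negotiation
# level (the sv[] table of the plugin).
EXPECTED = [
    b"ter...",              # level 0: tail of the text banner
    bytes([0x1b, 0x61]),    # level 1
    bytes([0x1b, 0x62]),    # level 2
    b"en",                  # level 3 (0x65 0x6e)
    bytes([0x1b, 0x16]),    # level 4
    b"Service Pack",        # level 5: host reports its OS / service pack
]


def server_replies(capture):
    """Pull server-to-client payloads, in order, out of a (direction, payload)
    list; 'S' marks a packet sent by the PCAnywhere host (assumed format)."""
    return [payload for direction, payload in capture if direction == "S"]


def exit_level(replies):
    """Level at which the plugin would stop: the first reply missing its
    expected substring (a missing reply counts too), or None if all passed."""
    for level, expected in enumerate(EXPECTED):
        reply = replies[level] if level < len(replies) else b""
        if expected not in reply:
            return level
    return None


def report(capture):
    """The verdict string the plugin would display for this capture."""
    level = exit_level(server_replies(capture))
    return "vulnerable!" if level is None else f"exiting at level {level}"


# Constructed capture: a host that accepts every level (no caller auth).
# Client probes are stand-ins; only the server side is inspected.
OPEN_HOST = [("C", b"<probe 0>"), ("S", b"sample banner ter..."),
             ("C", b"<probe 1>"), ("S", bytes([0x1b, 0x61])),
             ("C", b"<probe 2>"), ("S", bytes([0x1b, 0x62])),
             ("C", b"<probe 3>"), ("S", b"en"),
             ("C", b"<probe 4>"), ("S", bytes([0x1b, 0x16])),
             ("C", b"<probe 5>"), ("S", b"Windows 2000 Service Pack 2 (sample)")]

# Constructed capture: same start, but the level 3 reply lacks "en", as a
# host that stops the exchange might answer; plugin would report level 3.
AUTH_HOST = OPEN_HOST[:6] + [("C", b"<probe 3>"), ("S", bytes([0x1b, 0x00]))]

if __name__ == "__main__":
    print(report(OPEN_HOST))   # vulnerable!
    print(report(AUTH_HOST))   # exiting at level 3
```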
----------------
Re: pcanywhere plugin testing request [ In reply to ]
Hi there!

Regarding PCA 9.0.

I too had that problem; just use PCA 9.2 instead. PCA 9.0 is not to be
installed on a Windows 2000 machine at all; as you said, it crashes when
the service is starting up. You can, however, back up to a previous
config by pressing F8 at startup, then start your system and uninstall
PCA 9.0.

Seemed to work ok for me.


Regards.

/Omas Jakobsson




H D Moore wrote: