PageRenderTime 26ms CodeModel.GetById 30ms RepoModel.GetById 1ms app.codeStats 0ms

/nselib/xmpp.lua

https://gitlab.com/g10h4ck/nmap-gsoc2015
Lua | 455 lines | 336 code | 35 blank | 84 comment | 35 complexity | ddf28ca5f1d47a2d3082d52d22477035 MD5 | raw file
Possible License(s): BSD-3-Clause, GPL-2.0, Apache-2.0, LGPL-2.0, LGPL-2.1, MIT 
    

  1. --- A XMPP (Jabber) library, implementing a minimal subset of the protocol
    2. 

  2. -- enough to do authentication brute-force.
    3. 

  3. --
    4. 

  4. -- The XML parsing of tags isn't optimal but there's no other easy way
    5. 

  5. -- (nulls or line-feeds) to match the end of a message. The parse_tag
    6. 

  6. -- method in the XML class was borrowed from the initial xmpp.nse
    7. 

  7. -- script written by Vasiliy Kulikov.
    8. 

  8. --
    9. 

  9. -- The library consist of the following classes:
    10. 

  10. -- * <code>XML</code> - containing a minimal XML parser written by
    11. 

  11. --                     Vasiliy Kulikov.
    12. 

  12. -- * <code>TagProcessor</code> - Contains processing code for common tags
    13. 

  13. -- * <code>XMPP</code> - containing the low-level functions used to
    14. 

  14. --                       communicate with the Jabber server.
    15. 

  15. -- * <code>Helper</code> - containing the main interface for script
    16. 

  16. --                         writers
    17. 

  17. --
    18. 

  18. -- The following sample illustrates how to use the library to authenticate
    19. 

  19. -- to a XMPP sever:
    20. 

  20. -- <code>
    21. 

  21. -- local helper = xmpp.Helper:new(host, port, options)
    22. 

  22. -- local status, err = helper:connect()
    23. 

  23. -- status, err = helper:login(user, pass, "DIGEST-MD5")
    24. 

  24. -- </code>
    25. 

  25. --
    26. 

  26. -- @copyright Same as Nmap--See http://nmap.org/book/man-legal.html
    27. 

  27. -- @author Patrik Karlsson <patrik@cqure.net>
    28. 

  28. 

  29. -- Version 0.2
    30. 

  30. -- Created 07/19/2011 - v0.1 - Created by Patrik Karlsson
    31. 

  31. -- Revised 07/22/2011 - v0.2 - Added TagProcessors and two new auth mechs:
    32. 

  32. --                             CRAM-MD5 and LOGIN <patrik@cqure.net>
    33. 

  33. 

  34. local base64 = require "base64"
    35. 

  35. local nmap = require "nmap"
    36. 

  36. local sasl = require "sasl"
    37. 

  37. local stdnse = require "stdnse"
    38. 

  38. local string = require "string"
    39. 

  39. local table = require "table"
    40. 

  40. _ENV = stdnse.module("xmpp", stdnse.seeall)
    41. 

  41. 

  42. 

  43. -- This is a trivial XML processor written by Vasiliy Kulikov.  It doesn't
    44. 

  44. -- fully support XML, but it should be sufficient for the basic XMPP
    45. 

  45. -- stream handshake.  If you see stanzas with uncommon symbols, feel
    46. 

  46. -- free to enhance these regexps.
    47. 

  47. XML = {
    48. 

  48. 

  49.   ---XML tag table
    50. 

  50.   --@class table
    51. 

  51.   --@name XML.tag
    52. 

  52.   --@field name The tag name
    53. 

  53.   --@field attrs The tag attributes as a key-value table
    54. 

  54.   --@field start True if this was an opening tag.
    55. 

  55.   --@field contents The contents of the tag
    56. 

  56.   --@field finish true if the tag was closed.
    57. 

  57. 

  58.   ---Parse an XML tag
    59. 

  59.   --@name XML.parse_tag
    60. 

  60.   --@param s String containing the XML tag
    61. 

  61.   --@return XML tag table
    62. 

  62.   --@see XML.tag
    63. 

  63.   parse_tag = function(s)
    64. 

  64.     local _, _, contents, empty, name = string.find(s, "([^<]*)<(/?)([?:%w-]+)")
    65. 

  65.     local attrs = {}
    66. 

  66.     if not name then
    67. 

  67.       return
    68. 

  68.     end
    69. 

  69.     for k, v in string.gmatch(s, "%s([%w:]+)='([^']+)'") do
    70. 

  70.       attrs[k] = v
    71. 

  71.     end
    72. 

  72.     for k, v in string.gmatch(s, "%s([%w:]+)=\"([^\"]+)\"") do
    73. 

  73.       attrs[k] = v
    74. 

  74.     end
    75. 

  75. 

  76.     local finish = (empty ~= "") or (s:sub(#s-1) == '/>')
    77. 

  77. 

  78.     return { name = name,
    79. 

  79.     attrs = attrs,
    80. 

  80.     start = (empty == ""),
    81. 

  81.     contents = contents,
    82. 

  82.     finish = finish }
    83. 

  83.   end,
    84. 

  84. 

  85. }
    86. 

  86. 

  87. TagProcessor = {
    88. 

  88. 

  89.   ["failure"] = function(socket, tag)
    90. 

  90.     return TagProcessor["success"](socket,tag)
    91. 

  91.   end,
    92. 

  92. 

  93.   ["success"] = function(socket, tag)
    94. 

  94.     if ( tag.finish ) then return true end
    95. 

  95.     local newtag
    96. 

  96.     repeat
    97. 

  97.       local status, data = socket:receive_buf(">", true)
    98. 

  98.       if ( not(status) ) then
    99. 

  99.         return false, ("ERROR: Failed to process %s tag"):format(tag.name)
    100. 

  100.       end
    101. 

  101.       newtag = XML.parse_tag(data)
    102. 

  102.     until( newtag.finish and newtag.name == tag.name )
    103. 

  103.     if ( newtag.name == tag.name ) then return true, tag end
    104. 

  104.     return false, ("ERROR: Failed to process %s tag"):format(tag.name)
    105. 

  105.   end,
    106. 

  106. 

  107.   ["challenge"] = function(socket, tag)
    108. 

  108.     local status, data = socket:receive_buf(">", true)
    109. 

  109.     if ( not(status) ) then return false, "ERROR: Failed to read challenge tag" end
    110. 

  110.     local tag = XML.parse_tag(data)
    111. 

  111. 

  112.     if ( not(status) or tag.name ~= "challenge" ) then
    113. 

  113.       return false, "ERROR: Failed to process challenge"
    114. 

  114.     end
    115. 

  115.     return status, (tag.contents and base64.dec(tag.contents))
    116. 

  116.   end,
    117. 

  117. 

  118. 

  119. }
    120. 

  120. 

  121. XMPP = {
    122. 

  122. 

  123.   --- Creates a new instance of the XMPP class
    124. 

  124.   --
    125. 

  125.   -- @name XMPP.new
    126. 

  126.   -- @param host table as received by the action function
    127. 

  127.   -- @param port table as received by the action function
    128. 

  128.   -- @param options table containing options, currently supported
    129. 

  129.   -- * <code>timeout</code> - sets the socket timeout
    130. 

  130.   -- * <code>servername</code> - sets the server name to use in
    131. 

  131.   --                            communication with the server.
    132. 

  132.   -- * <code>starttls</code> - start TLS handshake even if it is optional.
    133. 

  133.   new = function(self, host, port, options)
    134. 

  134.     local o = { host = host,
    135. 

  135.     port = port,
    136. 

  136.     options = options or {},
    137. 

  137.     auth = { mechs = {} } }
    138. 

  138.     o.options.timeout = o.options.timeout and o.options.timeout or 10
    139. 

  139.     o.servername = stdnse.get_hostname(host) or o.options.servername
    140. 

  140.     setmetatable(o, self)
    141. 

  141.     self.__index = self
    142. 

  142.     return o
    143. 

  143.   end,
    144. 

  144. 

  145.   --- Sends data to XMPP server
    146. 

  146.   -- @name XMPP.send
    147. 

  147.   -- @param data string containing data to send to server
    148. 

  148.   -- @return status true on success false on failure
    149. 

  149.   -- @return err string containing error message
    150. 

  150.   send = function(self, data)
    151. 

  151. 

  152.     -- this ain't pretty, but we try to "flush" what's left of the receive
    153. 

  153.     -- buffer, prior to send. This way we account for not reading to the
    154. 

  154.     -- end of one message resulting in the next read reading from our
    155. 

  155.     -- previous message.
    156. 

  156.     self.socket:set_timeout(1)
    157. 

  157.     repeat
    158. 

  158.       local status = self.socket:receive_buf("\0", false)
    159. 

  159.     until(not(status))
    160. 

  160.     self.socket:set_timeout(self.options.timeout * 1000)
    161. 

  161. 

  162.     return self.socket:send(data)
    163. 

  163.   end,
    164. 

  164. 

  165.   --- Receives a XML tag from the server
    166. 

  166.   --
    167. 

  167.   -- @name XMPP.receive_tag
    168. 

  168.   -- @param tag [optional] if unset, receives the next available tag
    169. 

  169.   --            if set, reads until the given tag has been found
    170. 

  170.   -- @param close [optional] if set, matches a closing tag
    171. 

  171.   -- @return true on success, false on error
    172. 

  172.   -- @return The XML tag table, or error message
    173. 

  173.   -- @see XML.tag
    174. 

  174.   receive_tag = function(self, tag, close)
    175. 

  175.     local result
    176. 

  176.     repeat
    177. 

  177.       local status, data = self.socket:receive_buf(">", true)
    178. 

  178.       if ( not(status) ) then return false, data end
    179. 

  179.       result = XML.parse_tag(data)
    180. 

  180.     until( ( not(tag) and (close == nil or result.finish == close ) ) or
    181. 

  181.       ( tag == result.name and ( close == nil or result.finish == close ) ) )
    182. 

  182.     return true, result
    183. 

  183.   end,
    184. 

  184. 

  185.   --- Connects to the XMPP server
    186. 

  186.   -- @name XMPP.connect
    187. 

  187.   -- @return status true on success, false on failure
    188. 

  188.   -- @return err string containing an error message if status is false
    189. 

  189.   connect = function(self)
    190. 

  190.     assert(self.servername,
    191. 

  191.     "Cannot connect to XMPP server without valid server name")
    192. 

  192. 

  193.     -- we may be reconnecting using SSL
    194. 

  194.     if ( not(self.socket) ) then
    195. 

  195.       self.socket = nmap.new_socket()
    196. 

  196.       self.socket:set_timeout(self.options.timeout * 1000)
    197. 

  197.       local status, err = self.socket:connect(self.host, self.port)
    198. 

  198.       if ( not(status) ) then
    199. 

  199.         return false, err
    200. 

  200.       end
    201. 

  201.     end
    202. 

  202.     local data = ("<?xml version='1.0' ?><stream:stream to='%s' xmlns='jabber:client'" ..
    203. 

  203.     " xmlns:stream='http://etherx.jabber.org/streams'" ..
    204. 

  204.     " version='1.0'>"):format(self.servername)
    205. 

  205. 

  206.     local status, err = self:send(data)
    207. 

  207.     if ( not(status) ) then return false, "ERROR: Failed to connect to server" end
    208. 

  208. 

  209.     local version, start_tls
    210. 

  210.     repeat
    211. 

  211.       local status, tag = self:receive_tag()
    212. 

  212.       if ( not(status) ) then return false, "ERROR: Failed to connect to server" end
    213. 

  213. 

  214.       if ( tag.name == "stream:stream" ) then
    215. 

  215.         version = tag.attrs and tag.attrs.version
    216. 

  216.       elseif ( tag.name == "starttls" and tag.start ) then
    217. 

  217.         status, tag = self:receive_tag()
    218. 

  218.         if ( not(status) ) then
    219. 

  219.           return false, "ERROR: Failed to connect to server"
    220. 

  220.         end
    221. 

  221.         if ( tag.name ~= "starttls" ) then
    222. 

  222.           start_tls = tag.name
    223. 

  223.         else
    224. 

  224.           start_tls = "optional"
    225. 

  225.         end
    226. 

  226.       elseif ( tag.name == "mechanism" and tag.finish ) then
    227. 

  227.         self.auth.mechs[tag.contents] = true
    228. 

  228.       end
    229. 

  229.     until(tag.name == "stream:features" and tag.finish)
    230. 

  230. 

  231.     if ( version ~= "1.0" ) then
    232. 

  232.       return false, "ERROR: Only version 1.0 is supported"
    233. 

  233.     end
    234. 

  234. 

  235.     if ( start_tls == "required" or self.options.starttls) then
    236. 

  236.       status, err = self:send("<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>")
    237. 

  237.       if ( not(status) ) then return false, "ERROR: Failed to initiate STARTTLS" end
    238. 

  238.       local status, tag = self:receive_tag()
    239. 

  239.       if ( not(status) ) then return false, "ERROR: Failed to receive from server" end
    240. 

  240.       if ( tag.name == "proceed" ) then
    241. 

  241.         status, err = self.socket:reconnect_ssl()
    242. 

  242.         self.options.starttls = false
    243. 

  243.         return self:connect()
    244. 

  244.       end
    245. 

  245.     end
    246. 

  246. 

  247.     return true
    248. 

  248.   end,
    249. 

  249. 

  250.   --- Logs in to the XMPP server
    251. 

  251.   --
    252. 

  252.   -- @name XMPP.login
    253. 

  253.   -- @param username string
    254. 

  254.   -- @param password string
    255. 

  255.   -- @param mech string containing a supported authentication mechanism
    256. 

  256.   -- @return status true on success, false on failure
    257. 

  257.   -- @return err string containing error message if status is false
    258. 

  258.   login = function(self, username, password, mech)
    259. 

  259.     assert(mech == "PLAIN" or
    260. 

  260.     mech == "DIGEST-MD5" or
    261. 

  261.     mech == "CRAM-MD5" or
    262. 

  262.     mech == "LOGIN",
    263. 

  263.     "Unsupported authentication mechanism")
    264. 

  264. 

  265.     local auth = ("<auth xmlns='urn:ietf:params:xml:ns:xmpp-sasl' " ..
    266. 

  266.     "mechanism='%s'/>"):format(mech)
    267. 

  267. 

  268.     -- we currently don't do anything with the realm
    269. 

  269.     local realm
    270. 

  270. 

  271.     -- we need to cut the @domain.tld from the username
    272. 

  272.     if ( username:match("@") ) then
    273. 

  273.       username, realm = username:match("^(.*)@(.*)$")
    274. 

  274.     end
    275. 

  275. 

  276.     local status, result
    277. 

  277. 

  278.     if ( mech == "PLAIN" ) then
    279. 

  279.       local mech_params = { username, password }
    280. 

  280.       local auth_data = sasl.Helper:new(mech):encode(table.unpack(mech_params))
    281. 

  281.       auth = ("<auth xmlns='urn:ietf:params:xml:ns:xmpp-sasl' " ..
    282. 

  282.       "mechanism='%s'>%s</auth>"):format(mech, base64.enc(auth_data))
    283. 

  283. 

  284.       status, result = self.socket:send(auth)
    285. 

  285.       if ( not(status) ) then return false, "ERROR: Failed to send SASL PLAIN authentication" end
    286. 

  286. 

  287.       status, result = self:receive_tag()
    288. 

  288.       if ( not(status) ) then return false, "ERROR: Failed to receive login response" end
    289. 

  289. 

  290.       if ( result.name == "failure" ) then
    291. 

  291.         status = TagProcessor[result.name](self.socket, result)
    292. 

  292.       end
    293. 

  293.     else
    294. 

  294.       local status, err = self.socket:send(auth)
    295. 

  295.       if(not(status)) then return false, "ERROR: Failed to initiate SASL login" end
    296. 

  296. 

  297.       local chall
    298. 

  298.       status, result = self:receive_tag()
    299. 

  299.       if ( not(status) ) then return false, "ERROR: Failed to retrieve challenge" end
    300. 

  300.       status, chall = TagProcessor[result.name](self.socket, result)
    301. 

  301. 

  302.       if ( mech == "LOGIN" ) then
    303. 

  303.         if ( chall ~= "User Name" ) then
    304. 

  304.           return false, ("ERROR: Login expected 'User Name' received: %s"):format(chall)
    305. 

  305.         end
    306. 

  306.         self.socket:send("<response xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>" ..
    307. 

  307.         base64.enc(username) ..
    308. 

  308.         "</response>")
    309. 

  309. 

  310.         status, result = self:receive_tag()
    311. 

  311.         if ( not(status) or result.name ~= "challenge") then
    312. 

  312.           return false, "ERROR: Receiving tag from server"
    313. 

  313.         end
    314. 

  314.         status, chall = TagProcessor[result.name](self.socket, result)
    315. 

  315. 

  316.         if ( chall ~= "Password" ) then
    317. 

  317.           return false, ("ERROR: Login expected 'Password' received: %s"):format(chall)
    318. 

  318.         end
    319. 

  319. 

  320.         self.socket:send("<response xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>" ..
    321. 

  321.         base64.enc(password) ..
    322. 

  322.         "</response>")
    323. 

  323. 

  324.         status, result = self:receive_tag()
    325. 

  325.         if ( not(status) ) then return false, "ERROR: Failed to receive login challenge" end
    326. 

  326.         if ( result.name == "failure" ) then
    327. 

  327.           status = TagProcessor[result.name](self.socket, result)
    328. 

  328.           return false, "Login failed"
    329. 

  329.         end
    330. 

  330.       else
    331. 

  331.         local mech_params = { username, password, chall, "xmpp", "xmpp/" .. self.servername  }
    332. 

  332.         local auth_data = sasl.Helper:new(mech):encode(table.unpack(mech_params))
    333. 

  333.         auth_data = "<response xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>" ..
    334. 

  334.         base64.enc(auth_data) .. "</response>"
    335. 

  335. 

  336.         status, err = self.socket:send(auth_data)
    337. 

  337. 

  338.         -- read to the end tag regardless of what it is
    339. 

  339.         -- it should be one of either: success, challenge or error
    340. 

  340.         repeat
    341. 

  341.           status, result = self:receive_tag()
    342. 

  342.           if ( not(status) ) then return false, "ERROR: Failed to receive login challenge" end
    343. 

  343. 

  344.           if ( result.name == "failure" ) then
    345. 

  345.             status = TagProcessor[result.name](self.socket, result)
    346. 

  346.             return false, "Login failed"
    347. 

  347.           elseif ( result.name == "success" ) then
    348. 

  348.             status = TagProcessor[result.name](self.socket, result)
    349. 

  349.             if ( not(status) ) then return false, "Failed to process success message" end
    350. 

  350.             return true, "Login success"
    351. 

  351.           elseif ( result.name ~= "challenge" ) then
    352. 

  352.             return false, "ERROR: Failed to receive login challenge"
    353. 

  353.           end
    354. 

  354.         until( result.name == "challenge" and result.finish )
    355. 

  355. 

  356.         if ( result.name == "challenge" and mech == "DIGEST-MD5" ) then
    357. 

  357.           status, result = self.socket:send("<response xmlns='urn:ietf:params:xml:ns:xmpp-sasl'/>")
    358. 

  358.           if ( not(status) ) then return false, "ERROR: Failed to send DIGEST-MD5 request" end
    359. 

  359.           status, result = self:receive_tag()
    360. 

  360.           if ( not(status) ) then return false, "ERROR: Failed to receive DIGEST-MD5 response" end
    361. 

  361.         end
    362. 

  362.       end
    363. 

  363.     end
    364. 

  364.     if ( result.name == "success" ) then
    365. 

  365.       return true, "Login success"
    366. 

  366.     end
    367. 

  367. 

  368.     return false, "Login failed"
    369. 

  369.   end,
    370. 

  370. 

  371.   --- Retrieves the available authentication mechanisms
    372. 

  372.   -- @name XMPP.getAuthMechs
    373. 

  373.   -- @return table containing all available authentication mechanisms
    374. 

  374.   getAuthMechs = function(self) return self.auth.mechs end,
    375. 

  375. 

  376.   --- Disconnects the socket from the server
    377. 

  377.   -- @name XMPP.disconnect
    378. 

  378.   -- @return status true on success, false on failure
    379. 

  379.   -- @return error message if status is false
    380. 

  380.   disconnect = function(self)
    381. 

  381.     local status, err = self.socket:close()
    382. 

  382.     self.socket = nil
    383. 

  383.     return status, err
    384. 

  384.   end,
    385. 

  385. 

  386. }
    387. 

  387. 

  388. 

  389. Helper = {
    390. 

  390. 

  391.   --- Creates a new Helper instance
    392. 

  392.   -- @name Helper.new
    393. 

  393.   -- @param host table as received by the action function
    394. 

  394.   -- @param port table as received by the action function
    395. 

  395.   -- @param options table containing options, currently supported
    396. 

  396.   -- * <code>timeout</code> - sets the socket timeout
    397. 

  397.   -- * <code>servername</code> - sets the server name to use in
    398. 

  398.   --                            communication with the server.
    399. 

  399.   new = function(self, host, port, options)
    400. 

  400.     local o = { host = host,
    401. 

  401.     port = port,
    402. 

  402.     options = options or {},
    403. 

  403.     xmpp = XMPP:new(host, port, options),
    404. 

  404.     state = "" }
    405. 

  405.     setmetatable(o, self)
    406. 

  406.     self.__index = self
    407. 

  407.     return o
    408. 

  408.   end,
    409. 

  409. 

  410.   --- Connects to the XMPP server and starts the initial communication
    411. 

  411.   -- @name Helper.connect
    412. 

  412.   -- @return status true on success, false on failure
    413. 

  413.   -- @return err string containing an error message is status is false
    414. 

  414.   connect = function(self)
    415. 

  415.     if ( not(self.host.targetname) and
    416. 

  416.       not(self.options.servername) ) then
    417. 

  417.       return false, "ERROR: Cannot connect to XMPP server without valid server name"
    418. 

  418.     end
    419. 

  419.     self.state = "CONNECTED"
    420. 

  420.     return self.xmpp:connect()
    421. 

  421.   end,
    422. 

  422. 

  423.   --- Login to the XMPP server
    424. 

  424.   --
    425. 

  425.   -- @name Helper.login
    426. 

  426.   -- @param username string
    427. 

  427.   -- @param password string
    428. 

  428.   -- @param mech string containing a supported authentication mechanism
    429. 

  429.   -- @see Helper.getAuthMechs
    430. 

  430.   -- @return status true on success, false on failure
    431. 

  431.   -- @return err string containing error message if status is false
    432. 

  432.   login = function(self, username, password, mech)
    433. 

  433.     return self.xmpp:login(username, password, mech)
    434. 

  434.   end,
    435. 

  435. 

  436.   --- Retrieves the available authentication mechanisms
    437. 

  437.   -- @name Helper.getAuthMechs
    438. 

  438.   -- @return table containing all available authentication mechanisms
    439. 

  439.   getAuthMechs = function(self)
    440. 

  440.     if ( self.state == "CONNECTED" ) then
    441. 

  441.       return self.xmpp:getAuthMechs()
    442. 

  442.     end
    443. 

  443.     return
    444. 

  444.   end,
    445. 

  445. 

  446.   --- Closes the connection to the server
    447. 

  447.   -- @name Helper.close
    448. 

  448.   close = function(self)
    449. 

  449.     self.xmpp:disconnect()
    450. 

  450.     self.state = "DISCONNECTED"
    451. 

  451.   end,
    452. 

  452. 

  453. }
    454. 

  454. 

  455. return _ENV;
    456. 

  456.