eppc-enum-processes NSE Script

2012-05-29T18:25:49
ID NMAP:EPPC-ENUM-PROCESSES.NSE
Type nmap
Reporter Patrik Karlsson
Modified 2018-09-01T18:50:19

Description

Attempts to enumerate process info over the Apple Remote Event protocol. When accessing an application over the Apple Remote Event protocol the service responds with the uid and pid of the application, if it is running, prior to requesting authentication.

Example Usage

nmap -p 3031 <ip> --script eppc-enum-processes

Script Output

PORT     STATE SERVICE
3031/tcp open  eppc
| eppc-enum-processes:
| application       uid  pid
| Address Book      501  269
| Facetime          501  495
| Finder            501  274
| iPhoto            501  267
| Photo booth       501  471
| Remote Buddy      501  268
| Safari            501  270
| Terminal          501  266
| Transmission      501  265
|_VLC media player  501  367

Requires

  • nmap
  • shortport
  • stdnse
  • string
  • tab

                                        
                                            local nmap      = require('nmap')
local shortport = require('shortport')
local stdnse    = require('stdnse')
local string    = require('string')
local tab       = require('tab')

description = [[
Attempts to enumerate process info over the Apple Remote Event protocol.
When accessing an application over the Apple Remote Event protocol the
service responds with the uid and pid of the application, if it is running,
prior to requesting authentication.
]]

---
-- @usage
-- nmap -p 3031 <ip> --script eppc-enum-processes
--
-- @output
-- PORT     STATE SERVICE
-- 3031/tcp open  eppc
-- | eppc-enum-processes:
-- | application       uid  pid
-- | Address Book      501  269
-- | Facetime          501  495
-- | Finder            501  274
-- | iPhoto            501  267
-- | Photo booth       501  471
-- | Remote Buddy      501  268
-- | Safari            501  270
-- | Terminal          501  266
-- | Transmission      501  265
-- |_VLC media player  501  367
--

author = "Patrik Karlsson"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"discovery", "safe"}

portrule = shortport.port_or_service(3031, "eppc", "tcp", "open")

action = function( host, port )

  local socket = nmap.new_socket()
  socket:set_timeout(5000)

  local try = nmap.new_try(
    function()
      stdnse.debug1("failed")
      socket:close()
    end
  )

  -- a list of application that may or may not be running on the target
  local apps = {
    "Address Book",
    "App Store",
    "Facetime",
    "Finder",
    "Firefox",
    "Google Chrome",
    "iChat",
    "iPhoto",
    "Keychain Access",
    "iTunes",
    "Photo booth",
    "QuickTime Player",
    "Remote Buddy",
    "Safari",
    "Spotify",
    "Terminal",
    "TextMate",
    "Transmission",
    "VLC",
    "VLC media player",
  }

  local results = tab.new(3)
  tab.addrow( results, "application", "uid", "pid" )

  for _, app in ipairs(apps) do
    try( socket:connect(host, port, "tcp") )
    local data

    local packets = {
      "PPCT\0\0\0\1\0\0\0\1",
      -- unfortunately I've found no packet specifications, so this has to do
      stdnse.fromhex("e44c50525401e101")
      .. string.pack("Bs1", 225 + #app, app)
      .. stdnse.fromhex("dfdbe302013ddfdfdfdfd500"),
    }

    for _, v in ipairs(packets) do
      try( socket:send(v) )
      data = try( socket:receive() )
    end

    local uid, pid = data:match("uid=(%d+)&pid=(%d+)")
    if ( uid and pid ) then tab.addrow( results, app, uid, pid ) end

    try( socket:close() )
  end

  return "\n" .. tab.dump(results)

end