VladzNMAP:X11-ACCESS.NSEx11-access NSE Script
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
10 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
0.973 High
EPSS
Percentile
99.8%
Checks if you’re allowed to connect to the X server.
If the X server is listening on TCP port 6000+n (where n is the display number), it is possible to check if you’re able to get connected to the remote display by sending a X11 initial connection request.
In reply, the success byte (0x00 or 0x01) will determine if you are in the xhost + list. In this case, script will display the message: X server access is granted.
Example Usage
nmap -sV -sC <target>
Script Output
Host script results:
|_ x11-access: X server access is granted
Requires
local nmap = require "nmap"
local string = require "string"
-- NSE x11-access v1.3
description = [[
Checks if you're allowed to connect to the X server.
If the X server is listening on TCP port 6000+n (where n is the display
number), it is possible to check if you're able to get connected to the
remote display by sending a X11 initial connection request.
In reply, the success byte (0x00 or 0x01) will determine if you are in
the <code>xhost +</code> list. In this case, script will display the message:
<code>X server access is granted</code>.
]]
---
-- @output
-- Host script results:
-- |_ x11-access: X server access is granted
--
-- @xmloutput
-- true
author = "vladz"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"default", "safe", "auth"}
portrule = function(host, port)
return ((port.number >= 6000 and port.number <= 6009)
or (port.service and string.match(port.service, "^X11")))
-- If port.version.product is not equal to nil, version
-- detection "-sV" has already done this X server test.
and port.version.product == nil
end
action = function(host, port)
local result, socket, try, catch
socket = nmap.new_socket()
catch = function()
socket:close()
end
try = nmap.new_try(catch)
try(socket:connect(host, port))
-- Sending the network dump of a x11 connection request (captured
-- from the XOpenDisplay() function):
--
-- 0x6c 0x00 0x0b 0x00 0x00 0x00 0x00
-- 0x00 0x00 0x00 0x00 0x00 0x00
try(socket:send("\108\000\011\000\000\000\000\000\000\000\000\000"))
-- According to the XOpenDisplay() sources, server answer is
-- stored in a xConnSetupPrefix structure [1]. The function
-- returns NULL if it does not succeed, and more precisely: When
-- the success field of this structure (stored on 1 byte) is not
-- equal to xTrue [2]. For more information, see the Xlib
-- programming Manual [3].
--
-- [1] xConnSetupPrefix structure is defined in X11/Xproto.h.
-- [2] xTrue = 0x01 according to X11/Xproto.h.
-- [3] http://www.sbin.org/doc/Xlib
result = try(socket:receive_bytes(1))
socket:close()
-- Check if first byte received is 0x01 (xTrue: succeed).
if string.match(result, "^\001") then
return true, "X server access is granted"
end
end
Related
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
10 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
0.973 High
EPSS
Percentile
99.8%