diff --git a/CHANGELOG b/CHANGELOG index ba728e393..3a50ec2e8 100644 --- a/CHANGELOG +++ b/CHANGELOG @@ -190,6 +190,11 @@ o [NSE] Added support for 2008 R2 functional level Active Directory instances o [NSE] Updated smb-brute to add detection for valid credentials where the target account was expired or limited by time or login host constraints. [Tom Sellers] +o [NSE] Updated account status text in brute force password discovery + scripts in an effort to make the reporting more consistent across + all scripts. This will have an impact on any code that parses these + values. [Tom Sellers] + Nmap 5.59BETA1 [2011-06-30] o [NSE] Added 40 scripts, bringing the total to 217! You can learn diff --git a/scripts/afp-brute.nse b/scripts/afp-brute.nse index b236eee4c..f3291f87f 100644 --- a/scripts/afp-brute.nse +++ b/scripts/afp-brute.nse @@ -33,10 +33,11 @@ require 'stdnse' require 'afp' require 'unpwdb' --- Version 0.2 +-- Version 0.3 -- Created 01/15/2010 - v0.1 - created by Patrik Karlsson -- Revised 03/09/2010 - v0.2 - changed so that passwords are iterated over users -- - this change makes better sence as guessing is slow +-- Revised 09/09/2011 - v0.3 - changed account status text to be more consistent with other *-brute scripts portrule = shortport.port_or_service(548, "afp") @@ -85,7 +86,7 @@ action = function( host, port ) nmap.registry.afp[username]=password found_users[username] = true - table.insert( valid_accounts, string.format("%s:%s => Login Correct", username, password:len()>0 and password or "" ) ) + table.insert( valid_accounts, string.format("%s:%s => Valid credentials", username, password:len()>0 and password or "" ) ) break end helper:CloseSession() diff --git a/scripts/drda-brute.nse b/scripts/drda-brute.nse index 0cef0904d..8e21c75b5 100644 --- a/scripts/drda-brute.nse +++ b/scripts/drda-brute.nse 
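Review bot: The new status text `Valid credentials` in the afp-brute action hunk is a literal inside a per-script format string, and the matching hunks in drda-brute, mysql-brute, pgsql-brute and ldap-brute each carry their own copy, while the CHANGELOG hunk above states that external code parses these values; per-script literals are how the wording drifted apart in the first place. Defining the strings once — a lookup table in the style of smb-brute's `result_strings`, or one keyed on the `creds.State` values ldap-brute already uses, in whichever shared library fits — would let the next wording change be made in one place and keep parsers stable. Separately, `password:len()>0 and password or ""` evaluates to `password` for every string value, so `string.format("%s:%s => Valid credentials", username, password)` is equivalent and easier to read; the same expression is repeated in the other hunks named above. The enclosing action function starts and ends outside the hunk.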
@@ -14,7 +14,7 @@ Performs password guessing against databases supporting the IBM DB2 protocol suc -- @output -- 50000/tcp open drda -- | drda-brute: --- |_ db2admin:db2admin => Login Correct +-- |_ db2admin:db2admin => Valid credentials author = "Patrik Karlsson" license = "Same as Nmap--See http://nmap.org/book/man-legal.html" @@ -25,11 +25,12 @@ require "shortport" require "drda" require "unpwdb" --- Version 0.3 +-- Version 0.5 -- Created 05/08/2010 - v0.1 - created by Patrik Karlsson -- Revised 05/09/2010 - v0.2 - re-wrote as multi-threaded -- Revised 05/10/2010 - v0.3 - revised parallellised design -- Revised 08/14/2010 - v0.4 - renamed script and library from db2* to drda* +-- Revised 09/09/2011 - v0.5 - changed account status text to be more consistent with other *-brute scripts portrule = shortport.port_or_service({50000,60000}, {"drda","ibm-db2"}, "tcp", {"open", "open|filtered"}) @@ -78,7 +79,7 @@ doLogin = function( host, port, database, creds, valid_accounts ) nmap.registry.db2users = {} end nmap.registry.db2users[username]=password - table.insert( valid_accounts, string.format("%s:%s => Login Correct", username, password:len()>0 and password or "" ) ) + table.insert( valid_accounts, string.format("%s:%s => Valid credentials", username, password:len()>0 and password or "" ) ) end end end diff --git a/scripts/http-brute.nse b/scripts/http-brute.nse index 93e14c6f8..6bd51d706 100644 --- a/scripts/http-brute.nse +++ b/scripts/http-brute.nse @@ -15,7 +15,7 @@ Performs brute force password auditing against http basic authentication. -- 80/tcp open http syn-ack -- | http-brute: -- | Accounts --- | Patrik Karlsson:secret => Login correct +-- | Patrik Karlsson:secret => Valid credentials -- | Statistics -- |_ Perfomed 60023 guesses in 467 seconds, average tps: 138 -- diff --git a/scripts/imap-brute.nse b/scripts/imap-brute.nse index c147f0335..98426af16 100644 --- a/scripts/imap-brute.nse +++ b/scripts/imap-brute.nse 
@@ -12,9 +12,9 @@ CRAM-MD5, DIGEST-MD5 or NTLM authentication. -- 143/tcp open imap syn-ack -- | imap-brute: -- | Accounts --- | braddock:jules - Account is valid --- | lane:sniper - Account is valid --- | parker:scorpio - Account is valid +-- | braddock:jules - Valid credentials +-- | lane:sniper - Valid credentials +-- | parker:scorpio - Valid credentials -- | Statistics -- |_ Performed 62 guesses in 10 seconds, average tps: 6 -- diff --git a/scripts/informix-brute.nse b/scripts/informix-brute.nse index 38e939eac..20c4550ab 100644 --- a/scripts/informix-brute.nse +++ b/scripts/informix-brute.nse @@ -11,7 +11,7 @@ Performs brute force password auditing against IBM Informix Dynamic Server. -- 9088/tcp open unknown -- | informix-brute: -- | Accounts --- | ifxnoob:ifxnoob => Login correct +-- | ifxnoob:ifxnoob => Valid credentials -- | Statistics -- |_ Perfomed 25024 guesses in 75 seconds, average tps: 320 -- diff --git a/scripts/iscsi-brute.nse b/scripts/iscsi-brute.nse index 4032c93f9..c8d23f5a0 100644 --- a/scripts/iscsi-brute.nse +++ b/scripts/iscsi-brute.nse @@ -8,7 +8,7 @@ Performs brute force password auditing against iSCSI targets. -- 3260/tcp open iscsi syn-ack -- | iscsi-brute: -- | Accounts --- | user:password123456 => Login correct +-- | user:password123456 => Valid credentials -- | Statistics -- |_ Perfomed 5000 guesses in 7 seconds, average tps: 714 diff --git a/scripts/ldap-brute.nse b/scripts/ldap-brute.nse index c0540e8fe..227d0febb 100644 --- a/scripts/ldap-brute.nse +++ b/scripts/ldap-brute.nse 
@@ -78,7 +78,7 @@ require 'creds' -- Revised 02/17/2010 - v0.3 - added AD specific checks and fixed bugs related to LDAP base -- Revised 08/07/2011 - v0.4 - adjusted AD match strings to be level independent, added additional account condition checks -- Revised 09/04/2011 - v0.5 - added support for creds library, saving output to file --- Revised 09/09/2011 - v0.6 - added support specifying a UPN suffix via ldap.upnsuffx +-- Revised 09/09/2011 - v0.6 - added support specifying a UPN suffix via ldap.upnsuffx, changed account status text for consistency. portrule = shortport.port_or_service({389,636}, {"ldap","ldapssl"}) 
@@ -215,48 +215,48 @@ action = function( host, port ) -- Account Locked Out if not status and response:match("AcceptSecurityContext error, data 775,") then - table.insert( valid_accounts, string.format("%s => Account locked out", fq_username ) ) - stdnse.print_verbose(2, string.format(" ldap-brute: %s => Account locked out", fq_username )) + table.insert( valid_accounts, string.format("%s => Valid credentials, account locked", fq_username ) ) + stdnse.print_verbose(2, string.format(" ldap-brute: %s => Valid credentials, account locked", fq_username )) credTable:add(fq_username,password, creds.State.LOCKED) break end -- Login correct, account disabled if not status and response:match("AcceptSecurityContext error, data 533,") then - table.insert( valid_accounts, string.format("%s:%s => Login correct, account disabled", fq_username, password:len()>0 and password or "" ) ) - stdnse.print_verbose(2, string.format(" ldap-brute: %s:%s => Login correct, account disabled", fq_username, password:len()>0 and password or "" )) + table.insert( valid_accounts, string.format("%s:%s => Valid credentials, account disabled", fq_username, password:len()>0 and password or "" ) ) + stdnse.print_verbose(2, string.format(" ldap-brute: %s:%s => Valid credentials, account disabled", fq_username, password:len()>0 and password or "" )) credTable:add(fq_username,password, creds.State.DISABLED) break end -- Login correct, user must change password if not status and response:match("AcceptSecurityContext error, data 773,") then - table.insert( valid_accounts, string.format("%s:%s => Login correct, user must change password", fq_username, password:len()>0 and password or "" ) ) - stdnse.print_verbose(2, string.format(" ldap-brute: %s:%s => Login correct, user must change password", fq_username, password:len()>0 and password or "" )) + table.insert( valid_accounts, string.format("%s:%s => Valid credentials, password must be changed at next logon", fq_username, password:len()>0 and password or "" ) 
) + stdnse.print_verbose(2, string.format(" ldap-brute: %s:%s => Valid credentials, password must be changed at next logon", fq_username, password:len()>0 and password or "" )) credTable:add(fq_username,password, creds.State.CHANGEPW) break end -- Login correct, user account expired if not status and response:match("AcceptSecurityContext error, data 701,") then - table.insert( valid_accounts, string.format("%s:%s => Login correct, user account expired", fq_username, password:len()>0 and password or "" ) ) - stdnse.print_verbose(2, string.format(" ldap-brute: %s:%s => Login correct, user account expired", fq_username, password:len()>0 and password or "" )) + table.insert( valid_accounts, string.format("%s:%s => Valid credentials, account expired", fq_username, password:len()>0 and password or "" ) ) + stdnse.print_verbose(2, string.format(" ldap-brute: %s:%s => Valid credentials, account expired", fq_username, password:len()>0 and password or "" )) credTable:add(fq_username,password, creds.State.EXPIRED) break end -- Login correct, user account logon time restricted if not status and response:match("AcceptSecurityContext error, data 530,") then - table.insert( valid_accounts, string.format("%s:%s => Login correct, user account logon time restricted", fq_username, password:len()>0 and password or "" ) ) - stdnse.print_verbose(2, string.format(" ldap-brute: %s:%s => Login correct, user account logon time restricted", fq_username, password:len()>0 and password or "" )) + table.insert( valid_accounts, string.format("%s:%s => Valid credentials, account cannot log in at current time", fq_username, password:len()>0 and password or "" ) ) + stdnse.print_verbose(2, string.format(" ldap-brute: %s:%s => Valid credentials, account cannot log in at current time", fq_username, password:len()>0 and password or "" )) credTable:add(fq_username,password, creds.State.TIME_RESTRICTED) break end -- Login correct, user account can only log in from certain workstations if not status and 
response:match("AcceptSecurityContext error, data 531,") then - table.insert( valid_accounts, string.format("%s:%s => Login correct, user account cannot login from current host", fq_username, password:len()>0 and password or "" ) ) - stdnse.print_verbose(2, string.format(" ldap-brute: %s:%s => Login correct, user account cannot login from current host", fq_username, password:len()>0 and password or "" )) + table.insert( valid_accounts, string.format("%s:%s => Valid credentials, account cannot log in from current host", fq_username, password:len()>0 and password or "" ) ) + stdnse.print_verbose(2, string.format(" ldap-brute: %s:%s => Valid credentials, account cannot log in from current host", fq_username, password:len()>0 and password or "" )) credTable:add(fq_username,password, creds.State.HOST_RESTRICTED) break end @@ -265,8 +265,8 @@ action = function( host, port ) if status then status = is_valid_credential( socket, context ) if status then - table.insert( valid_accounts, string.format("%s:%s => Login correct", fq_username, password:len()>0 and password or "" ) ) - stdnse.print_verbose(2, string.format(" ldap-brute: %s:%s => Login correct", fq_username, password:len()>0 and password or "" ) ) + table.insert( valid_accounts, string.format("%s:%s => Valid credentials", fq_username, password:len()>0 and password or "" ) ) + stdnse.print_verbose(2, string.format(" ldap-brute: %s:%s => Valid credentials", fq_username, password:len()>0 and password or "" ) ) -- Add credentials for other ldap scripts to use if nmap.registry.ldapaccounts == nil then nmap.registry.ldapaccounts = {} diff --git a/scripts/mysql-brute.nse b/scripts/mysql-brute.nse index be7ddf1e2..07f3d2dfa 100644 --- a/scripts/mysql-brute.nse +++ b/scripts/mysql-brute.nse 
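Review bot: The locked-out branch (`data 775`) now reports `Valid credentials, account locked`, but nothing in that branch establishes that the password was right — in my experience Active Directory returns error data 775 for a locked account whichever password is supplied, which is presumably why this format string, unlike its neighbours, still omits the password. Reporting an unverified guess as valid is worse than the old `Account locked out`, and a consumer keying on the `Valid credentials` prefix would treat the guess as confirmed; `%s => Account locked (credentials not verified)` or similar keeps the consistency goal without overstating what was observed. The same overstatement appears in smb-brute's `result_strings[results.ACCOUNT_LOCKED]` and `ACCOUNT_LOCKED_NOW` entries and in the oracle-brute @output sample. Also, every branch here and in the `@@ -265` hunk below repeats its status text twice, once for `valid_accounts` and once for `stdnse.print_verbose`; building the line once with `local entry = string.format(...)` and then inserting and printing `entry` removes the second copy that has to be kept in sync. The enclosing action function starts and ends outside the hunk.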
@@ -6,8 +6,8 @@ Performs password guessing against MySQL -- @output -- 3306/tcp open mysql -- | mysql-brute: --- | root: => Login Correct --- |_ test:test => Login Correct +-- | root: => Valid credentials +-- |_ test:test => Valid credentials author = "Patrik Karlsson" license = "Same as Nmap--See http://nmap.org/book/man-legal.html" @@ -23,6 +23,7 @@ stdnse.silent_require 'openssl' -- Created 01/15/2010 - v0.1 - created by Patrik Karlsson -- Revised 01/23/2010 - v0.2 - revised by Patrik Karlsson, changed username, password loop, added credential storage for other mysql scripts, added timelimit -- Revised 01/23/2010 - v0.3 - revised by Patrik Karlsson, fixed bug showing account passwords detected twice +-- Revised 09/09/2011 - v0.4 - revised by Tom Sellers, changed account status text to be more consistent with other *-brute scripts portrule = shortport.port_or_service(3306, "mysql") @@ -60,7 +61,7 @@ action = function( host, port ) end nmap.registry.mysqlusers[username]=password - table.insert( valid_accounts, string.format("%s:%s => Login Correct", username, password:len()>0 and password or "" ) ) + table.insert( valid_accounts, string.format("%s:%s => Valid credentials", username, password:len()>0 and password or "" ) ) break end diff --git a/scripts/nping-brute.nse b/scripts/nping-brute.nse index 9a63913fd..f4e586794 100644 --- a/scripts/nping-brute.nse +++ b/scripts/nping-brute.nse @@ -13,7 +13,7 @@ documentation. -- 9929/tcp open nping-echo -- | nping-brute: -- | Accounts --- | 123abc => Login correct +-- | 123abc => Valid credentials -- | Statistics -- |_ Perfomed 204 guesses in 204 seconds, average tps: 1 diff --git a/scripts/omp2-brute.nse b/scripts/omp2-brute.nse index de0d2ff9a..d3381feb3 100644 --- a/scripts/omp2-brute.nse +++ b/scripts/omp2-brute.nse 
@@ -11,7 +11,7 @@ Performs brute force password auditing against the OpenVAS manager using OMPv2. -- 9390/tcp open openvas syn-ack -- | svn-brute: -- | Accounts --- |_ admin:secret => Login correct +-- |_ admin:secret => Valid credentials -- author = "Henri Doreau" diff --git a/scripts/oracle-brute.nse b/scripts/oracle-brute.nse index 88442f404..ad1c4dd92 100644 --- a/scripts/oracle-brute.nse +++ b/scripts/oracle-brute.nse @@ -27,8 +27,8 @@ result in a large number of accounts being locked out on the database server. -- 1521/tcp open oracle syn-ack -- | oracle-brute: -- | Accounts --- | system:powell => Account locked --- | haxxor:haxxor => Login correct +-- | system:powell => Valid credentials, account locked +-- | haxxor:haxxor => Valid credentials -- | Statistics -- |_ Perfomed 157 guesses in 8 seconds, average tps: 19 -- diff --git a/scripts/pgsql-brute.nse b/scripts/pgsql-brute.nse index eefe7ff9f..3a58c1973 100644 --- a/scripts/pgsql-brute.nse +++ b/scripts/pgsql-brute.nse @@ -9,8 +9,8 @@ Performs password guessing against PostgreSQL. -- @output -- 5432/tcp open pgsql -- | pgsql-brute: --- | root: => Login Correct --- |_ test:test => Login Correct +-- | root: => Valid credentials +-- |_ test:test => Valid credentials -- -- @args pgsql.nossl If set to 1 or true, disables SSL. -- @args pgsql.version Force protocol version 2 or 3. @@ -31,11 +31,12 @@ require 'stdnse' require 'unpwdb' stdnse.silent_require 'openssl' --- Version 0.3 +-- Version 0.4 -- Created 01/15/2010 - v0.1 - created by Patrik Karlsson -- Revised 02/20/2010 - v0.2 - moved version detection to pgsql library -- Revised 03/04/2010 - v0.3 - added code from ssh-hostkey.nse to check for SSL support -- - added support for trusted authentication method +-- Revised 09/10/2011 - v0.4 - changed account status text to be more consistent with other *-brute scripts portrule = shortport.port_or_service(5432, "postgresql") 
@@ -139,7 +140,7 @@ action = function( host, port ) end nmap.registry.pgsqlusers[username]=password if ( response.authtype ~= pgsql.AuthenticationType.Success ) then - table.insert( valid_accounts, string.format("%s:%s => Login Correct", username, password:len()>0 and password or "" ) ) + table.insert( valid_accounts, string.format("%s:%s => Valid credentials", username, password:len()>0 and password or "" ) ) else table.insert( valid_accounts, string.format("%s => Trusted authentication", username ) ) end diff --git a/scripts/sip-brute.nse b/scripts/sip-brute.nse index d41070720..504ef823e 100755 --- a/scripts/sip-brute.nse +++ b/scripts/sip-brute.nse @@ -10,7 +10,7 @@ Performs brute force password auditing against Session Initiation Protocol (SIP -- 5060/udp open|filtered sip -- | sip-brute: -- | Accounts --- | 1000:password123 => Login correct +-- | 1000:password123 => Valid credentials -- | Statistics -- |_ Performed 5010 guesses in 3 seconds, average tps: 1670 diff --git a/scripts/smb-brute.nse b/scripts/smb-brute.nse index 0370aab64..dd67c02d5 100644 --- a/scripts/smb-brute.nse +++ b/scripts/smb-brute.nse 
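Review bot: The `else` branch two lines below the changed line still emits `%s => Trusted authentication` without the `Valid credentials` prefix this commit standardizes on, so a consumer matching on that prefix will miss accounts the server let in with no password at all, arguably the more serious finding. Either bring it under the same scheme, e.g. `string.format("%s => Valid credentials, trusted authentication (no password required)", username)`, or state in the script's @output block that this line is an intentional exception. The enclosing action function starts and ends outside the hunk.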
@@ -67,16 +67,16 @@ determined with a fairly efficient bruteforce. For example, if the actual passwo --@output -- Host script results: -- | smb-brute: --- | | bad name:test => Login was successful --- | | consoletest:test => Password was correct, but user can't log in without changing it --- | | guest: => Password was correct, but user's account is disabled --- | | mixcase:BuTTeRfLY1 => Login was successful --- | | test:password1 => Login was successful --- | | this:password => Login was successful --- | | thisisaverylong:password => Login was successful --- | | thisisaverylongname:password => Login was successful --- | | thisisaverylongnamev:password => Login was successful --- |_ |_ web:TeSt => Password was correct, but user's account is disabled +-- | | bad name:test => Valid credentials +-- | | consoletest:test => Valid credentials, password must be changed at next logon +-- | | guest: => Valid credentials, account disabled +-- | | mixcase:BuTTeRfLY1 => Valid credentials +-- | | test:password1 => Valid credentials, account expired +-- | | this:password => Valid credentials, account cannot log in at current time +-- | | thisisaverylong:password => Valid credentials +-- | | thisisaverylongname:password => Valid credentials +-- | | thisisaverylongnamev:password => Valid credentials +-- |_ |_ web:TeSt => Valid credentials, account disabled -- -- @args smblockout This argument will force the script to continue if it -- locks out an account or thinks it will lock out an account. 
@@ -145,17 +145,17 @@ result_short_strings[results.INVALID_WORKSTATION] = "INVALID_WORKSTATION" ---The strings that the user will see local result_strings = {} -result_strings[results.SUCCESS] = "Login was successful" -result_strings[results.GUEST_ACCESS] = "Login was successful, but was granted guest access" -result_strings[results.NOT_GRANTED] = "Password was correct, but user wasn't allowed to log in (often happens with blank passwords)" -result_strings[results.DISABLED] = "Password was correct, but user's account is disabled" -result_strings[results.EXPIRED] = "Password was correct, but user's account is expired" -result_strings[results.CHANGE_PASSWORD] = "Password was correct, but user can't log in without changing it" -result_strings[results.ACCOUNT_LOCKED] = "User's account is locked out (hopefully not by us!)" -result_strings[results.ACCOUNT_LOCKED_NOW] = "User's account just became locked out (oops!)" -result_strings[results.FAIL] = "User's password was incorrect" -result_strings[results.INVALID_LOGON_HOURS] = "Password was correct, but the user's logon hours are restricted" -result_strings[results.INVALID_WORKSTATION] = "Password was correct, but the user account is restricted to certain workstations" +result_strings[results.SUCCESS] = "Valid credentials" +result_strings[results.GUEST_ACCESS] = "Valid credentials, account granted guest access only" +result_strings[results.NOT_GRANTED] = "Valid credentials, but account wasn't allowed to log in (often happens with blank passwords)" +result_strings[results.DISABLED] = "Valid credentials, account disabled" +result_strings[results.EXPIRED] = "Valid credentials, account expired" +result_strings[results.CHANGE_PASSWORD] = "Valid credentials, password must be changed at next logon" +result_strings[results.ACCOUNT_LOCKED] = "Valid credentials, account locked (hopefully not by us!)" +result_strings[results.ACCOUNT_LOCKED_NOW] = "Valid credentials, account just became locked (oops!)" +result_strings[results.FAIL] = 
"Invalid credentials" +result_strings[results.INVALID_LOGON_HOURS] = "Valid credentials, account cannot log in at current time" +result_strings[results.INVALID_WORKSTATION] = "Valid credentials, account cannot log in from current host" ---Constants for special passwords. These each contain a null character, which is illegal in -- actual passwords. diff --git a/scripts/smtp-brute.nse b/scripts/smtp-brute.nse index cf294239b..2bfcbe9e4 100644 --- a/scripts/smtp-brute.nse +++ b/scripts/smtp-brute.nse @@ -12,9 +12,9 @@ CRAM-MD5, DIGEST-MD5 or NTLM authentication. -- 25/tcp open stmp syn-ack -- | smtp-brute: -- | Accounts --- | braddock:jules - Account is valid --- | lane:sniper - Account is valid --- | parker:scorpio - Account is valid +-- | braddock:jules - Valid credentials +-- | lane:sniper - Valid credentials +-- | parker:scorpio - Valid credentials -- | Statistics -- |_ Performed 1160 guesses in 41 seconds, average tps: 33 -- diff --git a/scripts/snmp-brute.nse b/scripts/snmp-brute.nse index a61a6d56d..4a19b16d5 100644 --- a/scripts/snmp-brute.nse +++ b/scripts/snmp-brute.nse @@ -32,8 +32,8 @@ No output is reported if no valid account is found. -- PORT STATE SERVICE -- 161/udp open snmp -- | snmp-brute: --- | dragon - Account is valid --- |_ jordan - Account is valid +-- | dragon - Valid credentials +-- |_ jordan - Valid credentials author = "Philip Pickering, Gorjan Petrovski, Patrik Karlsson" diff --git a/scripts/vnc-brute.nse b/scripts/vnc-brute.nse index 4b2cbb44f..df06eacef 100644 --- a/scripts/vnc-brute.nse +++ b/scripts/vnc-brute.nse @@ -11,7 +11,7 @@ Performs brute force password auditing against VNC servers. -- 5900/tcp open vnc syn-ack -- | vnc-brute: -- | Accounts --- |_ 123456 => Login correct +-- |_ 123456 => Valid credentials -- -- Summary -- ------- diff --git a/scripts/xmpp-brute.nse b/scripts/xmpp-brute.nse index 8704127bd..04c805766 100644 --- a/scripts/xmpp-brute.nse +++ b/scripts/xmpp-brute.nse 
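Review bot: `result_strings[results.GUEST_ACCESS]` now opens with `Valid credentials`, yet a guest-mapped session is, as far as I know, what SMB servers hand out when the supplied password was not accepted and the guest account is enabled, so the new text asserts the opposite of what was most likely observed; the old `Login was successful, but was granted guest access` avoided that claim. Something like `"Guest access granted (credentials not verified)"` keeps the table consistent without asserting password validity, and the `ACCOUNT_LOCKED` and `ACCOUNT_LOCKED_NOW` entries deserve the same treatment, since a lockout status is returned regardless of the password. As a wording point, `NOT_GRANTED` is the only entry phrased `Valid credentials, but account ...`; dropping the `but` matches its neighbours and makes the prefix uniform for anyone splitting on the comma.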
@@ -11,9 +11,9 @@ Performs brute force password auditing against XMPP (jabber) servers. -- 5222/tcp open xmpp-client -- | xmpp-brute: -- | Accounts --- | CampbellJ:arthur321 - Account is valid --- | CampbellA:joan123 - Account is valid --- | WalkerA:auggie123 - Account is valid +-- | CampbellJ:arthur321 - Valid credentials +-- | CampbellA:joan123 - Valid credentials +-- | WalkerA:auggie123 - Valid credentials -- | Statistics -- |_ Performed 6237 guesses in 5 seconds, average tps: 1247 --