From 0b542cb75517a7c8dc5987401056dafad4a0fbf5 Mon Sep 17 00:00:00 2001
From: pgpickering
Date: Thu, 31 Jul 2008 22:55:28 +0000
Subject: [PATCH] added brutePOP3.nse

---
 scripts/brutePOP3.nse | 91 +++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 91 insertions(+)
 create mode 100644 scripts/brutePOP3.nse

diff --git a/scripts/brutePOP3.nse b/scripts/brutePOP3.nse
new file mode 100644
index 000000000..f0c6785f2
--- /dev/null
+++ b/scripts/brutePOP3.nse
@@ -0,0 +1,91 @@
+id = "POP3 brute force"
+
+description = "tries to log into a POP3 account"
+
+author = "Philip Pickering "
+license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
+
+categories = {"intrusive", "auth"}
+
+require 'pop3'
+require 'shortport'
+require 'unpwdb'
+
+portrule = shortport.port_or_service({110}, "pop3")
+
+action = function(host, port)
+ local pMeth = nmap.registry.args.pop3loginmethod
+ if (not pMeth) then pMeth = nmap.registry.pop3loginmethod end
+ if (not pMeth) then pMeth = method end
+ if (not pMeth) then pMeth = "USER" end
+
+ local login
+ local additional
+
+ local stat = pop3.stat
+
+ if (pMeth == "USER") then
+ login = pop3.login_user
+ elseif (pMeth == "SASL-PLAIN") then
+ login = pop3.login_sasl_plain
+ elseif (pMeth == "SASL-LOGIN") then
+ login = login_sasl_login
+ elseif (pMeth == "SASL-CRAM-MD5") then
+ login = login_sasl_crammd5
+ elseif (pMeth == "APOP") then
+ login = login_apop
+ end
+
+
+ local status
+ local line
+ local socket = nmap.new_socket()
+
+ if not socket:connect(host.ip, port.number) then return end -- no connection
+
+ status, line = socket:receive_lines(1)
+ if not stat(line) then return end -- no pop-connection
+
+ local apopChallenge = string.match(line, "<[%p%w]+>")
+
+ if pMeth == "APOP" then
+ additional = apopChallenge
+ end
+
+ local getUser
+
+ status, getUser = unpwdb.usernames()
+ if (not status) then return end
+
+ local currUser = getUser()
+ while currUser do
+ local getPW
+ status, getPW = unpwdb.passwords()
+ if (not status) then return end
+
+ local currPw = getPW()
+
+ while currPw do
+ local pstatus
+ local perror
+
+ pstatus, perror = login(socket, currUser, currPw, additional)
+
+ print("x: ", pstatus, perror)
+
+ if (pstatus) then
+ return currUser .. " : " .. currPw
+ elseif (perror == pop3.err.pwError) then
+ currPw = getPW()
+ elseif (perror == pop3.err.userError) then
+ currPw = nil
+ else
+ return
+ end
+ end
+ currUser = getUser()
+ getPW("reset")
+ end
+ return -- "wrong pw"
+
+end
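Review bot: The SASL-LOGIN, SASL-CRAM-MD5 and APOP branches of the method dispatch assign the bare globals `login_sasl_login`, `login_sasl_crammd5` and `login_apop`, while the USER and SASL-PLAIN branches take their functions from the `pop3` module; unless those three names are defined elsewhere, `login` stays nil for those methods and the later call `login(socket, currUser, currPw, additional)` raises a runtime error instead of returning. The fallback `if (not pMeth) then pMeth = method end` reads another global, `method`, that this file does not define, so that step appears to be a no-op. The likely fix is `login = pop3.login_sasl_login` (and the same for the other two), plus a guard `if not login then return end` before the socket is created so an unrecognized method name fails cleanly. The line `print("x: ", pstatus, perror)` looks like leftover debugging output and should be removed or routed through the script's debug-level logging rather than stdout. None of the return paths call `socket:close()`, so every run leaves the connection open until it is collected; a single exit point that closes the socket would also make the error-handling in the inner loop easier to follow.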