From 1ab0544ab86c4fed7d1f7f107ba614c8e4d2e030 Mon Sep 17 00:00:00 2001 From: patrik Date: Wed, 26 Oct 2011 21:45:33 +0000 Subject: [PATCH] o [NSE] Added the script nessus-brute that performs password guessing against Nessus using the NTP 1.2 protocol. [Patrik] --- CHANGELOG | 3 + scripts/nessus-brute.nse | 151 +++++++++++++++++++++++++++++++++++++++ scripts/script.db | 1 + 3 files changed, 155 insertions(+) create mode 100644 scripts/nessus-brute.nse diff --git a/CHANGELOG b/CHANGELOG index 439704386..95c6c036b 100644 --- a/CHANGELOG +++ b/CHANGELOG @@ -1,5 +1,8 @@ # Nmap Changelog ($Id$); -*-text-*- +o [NSE] Added the script nessus-brute that performs password guessing against + Nessus using the NTP 1.2 protocol. [Patrik] + o [NSE] Added the scripts rtsp-url-brute, rtsp-methods and the supporting rtsp library. The scripts check the supported RTSP methods and attempt to brute force valid RTSP urls. [Patrik] diff --git a/scripts/nessus-brute.nse b/scripts/nessus-brute.nse new file mode 100644 index 000000000..898d39eac --- /dev/null +++ b/scripts/nessus-brute.nse 
@@ -0,0 +1,151 @@
+description=[[
+Performs password guessing against the Nessus service using the NTP 1.2 protocol.
+]]
+
+---
+-- @usage
+-- nmap --script nessus-brute -p 1241
+--
+-- @output
+-- PORT STATE SERVICE
+-- 1241/tcp open nessus
+-- | nessus-brute:
+-- | Accounts
+-- | nessus:nessus - Valid credentials
+-- | Statistics
+-- |_ Performed 35 guesses in 75 seconds, average tps: 0
+--
+-- This script does not appear to perform well when run using multiple threads
+-- Although, it's very slow running under a single thread it does work as intended
+--
+
+--
+-- Version 0.1
+-- Created 22/10/2011 - v0.1 - created by Patrik Karlsson
+--
+
+author = "Patrik Karlsson"
+license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
+categories = {"intrusive", "brute"}
+
+require 'shortport'
+require 'brute'
+require 'comm'
+
+portrule = shortport.port_or_service(1241, "nessus", "tcp")
+
+Driver =
+{
+
+ new = function(self, host, port)
+ local o = { host = host, port = port }
+ setmetatable(o, self)
+ self.__index = self
+ return o
+ end,
+
+ connect = function( self )
+ self.socket = nmap.new_socket()
+ if ( not(self.socket:connect(self.host, self.port, "ssl")) ) then
+ return false
+ end
+ return true
+ end,
+
+ login = function( self, username, password )
+ local handshake = "< NTP/1.2 >< plugins_cve_id plugins_version timestamps dependencies fast_login >\n"
+
+ local status, err = self.socket:send(handshake)
+ if ( not(status) ) then
+ local err = brute.Error:new( "Failed to send handshake to server" )
+ err:setAbort(true)
+ return false, err
+ end
+
+ local line
+ status, line = self.socket:receive_buf("\r?\n", false)
+ if ( not(status) or line ~= "< NTP/1.2 >" ) then
+ local err = brute.Error:new( "The server failed to respond to handshake" )
+ err:setAbort( true )
+ return false, err
+ end
+
+ status, line = self.socket:receive()
+ if ( not(status) or line ~= "User : ") then
+ local err = brute.Error:new( "Expected \"User : \", got something else" )
+ err:setRetry( true )
+ return false, err
+ end
+
+ status = self.socket:send(username .. "\n")
+ if ( not(status) ) then
+ local err = brute.Error:new( "Failed to send username to server" )
+ err:setAbort( true )
+ return false, err
+ end
+
+ status, line = self.socket:receive()
+ if ( not(status) or line ~= "Password : ") then
+ local err = brute.Error:new( "Expected \"Password : \", got something else" )
+ err:setRetry( true )
+ return false, err
+ end
+
+ status = self.socket:send(password)
+ if ( not(status) ) then
+ local err = brute.Error:new( "Failed to send password to server" )
+ err:setAbort( true )
+ return false, err
+ end
+
+ -- the line feed has to be sent separate like this, otherwise we don't
+ -- receive the server response and the server simply hangs up
+ status = self.socket:send("\n")
+ if ( not(status) ) then
+ local err = brute.Error:new( "Failed to send password to server" )
+ err:setAbort( true )
+ return false, err
+ end
+
+ -- we force a brief incorrect statement just to get an error message to
+ -- confirm that we've succesfully authenticated to the server
+ local bad_cli_pref = "CLIENT <|> PREFERENCES <|>\n<|> CLIENT\n"
+ status = self.socket:send(bad_cli_pref)
+ if ( not(status) ) then
+ local err = brute.Error:new( "Failed to send bad client preferences packet to server" )
+ err:setAbort( true )
+ return false, err
+ end
+
+ -- if the server disconnects us at this point, it's most likely due to
+ -- that the authentication failed, so simply treat it as an incorrect
+ -- password, rather than abort.
+ status, line = self.socket:receive()
+ if ( not(status) ) then
+ return false, brute.Error:new( "Incorrect password" )
+ end
+
+ if ( line:match("SERVER <|> PREFERENCES_ERRORS <|>") ) then
+ return true, brute.Account:new(username, password, creds.State.VALID)
+ end
+
+ return false, brute.Error:new( "Incorrect password" )
+ end,
+
+ disconnect = function( self )
+ self.socket:close()
+ end,
+
+}
+
+action = function(host, port)
+
+ local engine = brute.Engine:new(Driver, host, port)
+ engine.options.script_name = SCRIPT_NAME
+
+ -- the nessus service doesn't appear to do very well with multiple threads
+ engine:setMaxThreads(1)
+ status, result = engine:start()
+
+ return result
+end
\ No newline at end of file
diff --git a/scripts/script.db b/scripts/script.db
index 66c375cfe..2cd73377f 100644
--- a/scripts/script.db
+++ b/scripts/script.db
@@ -155,6 +155,7 @@ Entry { filename = "nat-pmp-info.nse", categories = { "default", "discovery", "s
 Entry { filename = "nbstat.nse", categories = { "default", "discovery", "safe", } }
 Entry { filename = "ncp-enum-users.nse", categories = { "auth", "safe", } }
 Entry { filename = "ncp-serverinfo.nse", categories = { "default", "discovery", "safe", } }
+Entry { filename = "nessus-brute.nse", categories = { "brute", "intrusive", } }
 Entry { filename = "netbus-auth-bypass.nse", categories = { "auth", "safe", "vuln", } }
 Entry { filename = "netbus-brute.nse", categories = { "brute", "intrusive", } }
 Entry { filename = "netbus-info.nse", categories = { "default", "discovery", "safe", } }
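Review bot: `action` assigns `status, result = engine:start()` without `local`, so both names leak into the global environment; the line should read `local status, result = engine:start()`. In `login`, `creds.State.VALID` is used although the script only requires `shortport`, `brute` and `comm` (the last of which is never referenced), so it seems to depend on `creds` being loaded transitively by `brute`; an explicit `require 'creds'` would make that dependency visible. The `local err` declared in each failure branch shadows the `err` captured from the first `send` call, which is never read; dropping it from `local status, err = ...` would read more clearly. The description's `NTP 1.2 protocol` is easily mistaken for the Network Time Protocol; spelling out that NTP here is Nessus's own transfer protocol would help readers.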