o [NSE] Added the script openvas-otp-brute that performs password auditing

against the OpenVas service. [Vlatko Kosturjak]

CHANGELOG

@@ -1,5 +1,8 @@
 # Nmap Changelog ($Id$); -*-text-*-
 
+o [NSE] Added the script openvas-otp-brute that performs password auditing
+  against the OpenVas service. [Vlatko Kosturjak]
+
 o [NSE] Fixed bug that would prevent brute scripts from running if no service
   field was present in the port table. [Patrik]
 

scripts/openvas-otp-brute.nse

@@ -0,0 +1,107 @@
+description=[[
+Performs brute force password auditing against a OpenVAS vulnerability scanner daemon using the OTP 1.0 protocol.
+]]
+
+---
+-- @output
+-- PORT     STATE SERVICE    REASON  VERSION
+-- 9391/tcp open  ssl/openvas syn-ack 
+-- | openvas-otp-brute: 
+-- |   Accounts
+-- |     openvas:openvas - Valid credentials
+-- |   Statistics
+-- |_    Performed 4 guesses in 4 seconds, average tps: 1
+--
+-- @args openvas-otp-brute.threads sets the number of threads. Default: 4
+
+author = "Vlatko Kosturjak"
+
+license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
+
+categories = {"intrusive", "brute"}
+
+require "shortport"
+require "brute"
+require "comm"
+require "stdnse"
+stdnse.silent_require('openssl')
+
+portrule = shortport.port_or_service({9390,9391}, "openvas", "tcp")
+
+Driver = 
+{
+	new = function (self, host, port)
+		local o = { host = host, port = port }
+		setmetatable (o,self)
+		self.__index = self
+		return o
+	end,
+
+	connect = function ( self )
+		self.socket = nmap.new_socket() 
+		if ( not(self.socket:connect(self.host, self.port, "ssl")) ) then
+			return false
+		end
+		return true	
+	end,
+
+	login = function( self, username, password )
+		local status, err = self.socket:send("< OTP/1.0 >\n")
+
+		if ( not ( status ) ) then
+			local err = brute.Error:new( "Unable to send handshake" )
+			err:setAbort(true)
+			return false, err
+		end
+
+		local response 
+		status, response = self.socket:receive_buf("\r?\n", false)
+		if ( not(status) or response ~= "< OTP/1.0 >" ) then
+			local err = brute.Error:new( "Bad handshake from server: "..response )
+			err:setAbort(true)
+			return false, err
+		end
+
+		status, err = self.socket:send(username.."\n")
+		if ( not(status) ) then
+			local err = brute.Error:new( "Couldn't send user: "..username )
+			err:setAbort( true )
+			return false, err
+		end
+
+		status, err = self.socket:send(password.."\n")
+		if ( not(status) ) then
+			local err = brute.Error:new( "Couldn't send password: "..password )
+			err:setAbort( true )
+			return false, err
+		end
+
+		-- Create a buffer and receive the first line
+		status, line = self.socket:receive_buf("\r?\n", false)
+
+		if (line == nil or string.match(line,"Bad login")) then
+			stdnse.print_debug(2, "openvas-otp-brute: Bad login: %s/%s", username, password)
+			return false, brute.Error:new( "Bad login" )
+		elseif (string.match(line,"SERVER <|>")) then
+				
+			stdnse.print_debug(1, "openvas-otp-brute: Good login: %s/%s", username, password)
+			return true, brute.Account:new(username, password, creds.State.VALID)
+		end
+
+		stdnse.print_debug(1, "openvas-otp-brute: WARNING: Unhandled response: %s", line)
+		return false, brute.Error:new( "unhandled response" )
+	end,
+
+	disconnect = function( self )
+		self.socket:close()
+	end,
+}
+
+action = function(host, port)
+	local engine = brute.Engine:new(Driver, host, port)
+	engine:setMaxThreads(1)
+	engine.options.script_name = SCRIPT_NAME
+	status, result = engine:start()
+	return result
+end
+

scripts/script.db

@@ -185,6 +185,7 @@ Entry { filename = "ntp-monlist.nse", categories = { "discovery", "intrusive", }
 Entry { filename = "omp2-brute.nse", categories = { "brute", "intrusive", } }
 Entry { filename = "omp2-enum-targets.nse", categories = { "discovery", "safe", } }
 Entry { filename = "openlookup-info.nse", categories = { "default", "discovery", "safe", "version", } }
+Entry { filename = "openvas-otp-brute.nse", categories = { "brute", "intrusive", } }
 Entry { filename = "oracle-brute.nse", categories = { "brute", "intrusive", } }
 Entry { filename = "oracle-enum-users.nse", categories = { "auth", "intrusive", } }
 Entry { filename = "oracle-sid-brute.nse", categories = { "brute", "intrusive", } }