o [NSE] Added a new iSCSI library and the two scripts iscsi-info and

iscsi-brute. [Patrik]

scripts/iscsi-brute.nse

@@ -0,0 +1,84 @@
+description = [[
+Performs password guessing against iSCSI targets
+]]
+
+---
+-- @output
+-- PORT     STATE SERVICE
+-- 3260/tcp open  iscsi   syn-ack
+-- | iscsi-brute: 
+-- |   Accounts
+-- |     user:password123456 => Login correct
+-- |   Statistics
+-- |_    Perfomed 5000 guesses in 7 seconds, average tps: 714
+
+-- Version 0.1
+-- Created 2010/11/18 - v0.1 - created by Patrik Karlsson <patrik@cqure.net>
+-- Revised 2010/11/27 - v0.2 - detect if no password is needed <patrik@cqure.net>
+
+require 'shortport'
+require 'brute'
+require 'iscsi'
+
+author = "Patrik Karlsson"
+license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
+categories = {"intrusive", "auth"}
+
+portrule = shortport.portnumber(3260, "tcp", {"open", "open|filtered"})
+
+Driver = {
+	
+	new = function(self, host, port)
+		local o = {}
+       	setmetatable(o, self)
+        self.__index = self
+		o.host = host
+		o.port = port
+		o.target = stdnse.get_script_args('iscsi-brute.target')
+		return o
+	end,
+	
+	connect = function( self )
+		self.helper = iscsi.Helper:new( self.host, self.port )
+		return self.helper:connect()
+	end,
+	
+	login = function( self, username, password )
+		local status = self.helper:login( self.target, username, password, "CHAP")
+		
+		if ( status ) then
+			return true, brute.Account:new(username, password, "OPEN")
+		end
+		
+		return false, brute.Error:new( "Incorrect password" )
+	end,
+	
+	disconnect = function( self )
+		self.helper:close()
+	end,
+}
+
+
+action = function( host, port )
+
+	local target = stdnse.get_script_args('iscsi-brute.target')
+	if ( not(target) ) then
+		return "ERROR: No target specified (see iscsi-brute.target)"
+	end
+	
+	local helper = iscsi.Helper:new( host, port )
+	local status, err = helper:connect()
+	if ( not(status) ) then return false, "Failed to connect" end
+
+	local response
+	status, response = helper:login( target )
+	helper:logout()
+	helper:close()
+
+	if ( status ) then return "No authentication required" end
+
+	local accounts
+	status, accounts = brute.Engine:new(Driver, host, port):start()
+
+	if ( status ) then return accounts end
+end

scripts/iscsi-info.nse

@@ -0,0 +1,93 @@
+description = [[
+Retrieves information from the remote iSCSI target.
+]]
+
+---
+-- @output
+-- PORT     STATE SERVICE
+-- 3260/tcp open  iscsi
+-- | iscsi-info: 
+-- |   iqn.2006-01.com.openfiler:tsn.c8c08cad469d
+-- |     Target address: 192.168.56.5:3260,1
+-- |     Authentication: NOT required
+-- |   iqn.2006-01.com.openfiler:tsn.6aea7e052952
+-- |     Target address: 192.168.56.5:3260,1
+-- |_    Authentication: required
+-- 
+
+-- Version 0.2
+-- Created 2010/11/18 - v0.1 - created by Patrik Karlsson <patrik@cqure.net>
+-- Revised 2010/11/28 - v0.2 - improved error handling <patrik@cqure.net>
+
+author = "Patrik Karlsson"
+license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
+categories = {"discovery"}
+
+require("shortport")
+require("iscsi")
+
+portrule = shortport.portnumber(3260, "tcp", {"open", "open|filtered"})
+
+-- Attempts to determine whether authentication is required or not
+--
+-- @return status true on success false on failure
+-- @return result true if auth is required false if not
+--         err string containing error message
+local function requiresAuth( host, port, target )
+	local helper = iscsi.Helper:new( host, port )
+	local errors = iscsi.Packet.LoginResponse.Errors
+	
+	local status, err = helper:connect()
+	if ( not(status) ) then return false, "Failed to connect" end
+
+	local response
+	status, response = helper:login( target )
+	if ( not(status) ) then return false, response:getErrorMessage() end
+
+	if ( status and response:getErrorCode() == errors.SUCCESS) then
+		-- try to logout
+		status = helper:logout()
+	end
+	
+	status = helper:close()
+
+	return true, "Authentication successful"
+end
+
+action = function( host, port )
+
+	local helper = iscsi.Helper:new( host, port )
+	
+	local status = helper:connect()
+	if ( not(status) ) then
+		stdnse.print_debug("%s: failed to connect to server", SCRIPT_NAME )
+		return
+	end
+
+	local records
+	status, records = helper:discoverTargets()
+	if ( not(status) ) then
+		stdnse.print_debug("%s: failed to discover targets", SCRIPT_NAME )
+		return
+	end
+	status = helper:logout()
+	status = helper:close()
+	
+	local result = {}
+	for _, record in ipairs(records) do
+		local result_part = {}
+		result_part.name = ("Target: %s"):format(record.name)
+		for _, addr in ipairs( record.addr ) do
+			table.insert(result_part, ("Address: %s"):format(addr) )
+		end
+		
+		local status, err = requiresAuth( host, port, record.name )
+		if ( not(status) ) then
+			table.insert(result_part, "Authentication: " .. err )
+		else
+			table.insert(result_part, "Authentication: No authentication required")
+		end
+		table.insert(result, result_part)
+	end	
+	return stdnse.format_output( true, result )
+end

scripts/script.db

@@ -72,6 +72,8 @@ Entry { filename = "informix-tables.nse", categories = { "auth", "intrusive", }
 Entry { filename = "ipidseq.nse", categories = { "discovery", "safe", } }
 Entry { filename = "irc-info.nse", categories = { "default", "discovery", "safe", } }
 Entry { filename = "irc-unrealircd-backdoor.nse", categories = { "safe", "vuln", } }
+Entry { filename = "iscsi-brute.nse", categories = { "auth", "intrusive", } }
+Entry { filename = "iscsi-info.nse", categories = { "discovery", } }
 Entry { filename = "jdwp-version.nse", categories = { "version", } }
 Entry { filename = "ldap-brute.nse", categories = { "auth", "intrusive", } }
 Entry { filename = "ldap-rootdse.nse", categories = { "discovery", "safe", } }