FIX: Added require 'creds' where it was missing; Mostly where creds.State.<some_state> was used.

2025-12-29 10:59:02 +00:00 · 2011-07-07 16:22:57 +00:00
parent 880f927fc0
commit 4ca48ea450
13 changed files with 109 additions and 86 deletions
--- a/scripts/domcon-brute.nse
+++ b/scripts/domcon-brute.nse
@@ -29,6 +29,7 @@ categories = {"intrusive", "auth"}

 require 'shortport'
 require 'brute'
+require 'creds'

 portrule = shortport.port_or_service(2050, "", "tcp", "open")

@@ -160,4 +161,4 @@ action = function(host, port)
 	pool:shutdown()
 	
 	return result
-end
+end
--- a/scripts/dpap-brute.nse
+++ b/scripts/dpap-brute.nse
@@ -27,6 +27,7 @@ categories = {"intrusive", "auth"}
 require("base64")
 require("shortport")
 require("brute")
+require("creds")

 portrule = shortport.port_or_service(8770, "apple-iphoto")

--- a/scripts/http-brute.nse
+++ b/scripts/http-brute.nse
@@ -40,6 +40,7 @@ categories = {"intrusive", "auth"}
 require 'shortport'
 require 'http'
 require 'brute'
+require 'creds'

 portrule = shortport.port_or_service( {80, 443}, {"http", "https"}, "tcp", "open")

--- a/scripts/http-form-brute.nse
+++ b/scripts/http-form-brute.nse
@@ -73,6 +73,7 @@ require 'shortport'
 require 'http'
 require 'brute'
 require 'url'
+require 'creds'

 portrule = shortport.port_or_service( {80, 443}, {"http", "https"}, "tcp", "open")

@@ -243,4 +244,4 @@ action = function( host, port )
 	local status, result = engine:start()
 		
 	return result
-end
+end
--- a/scripts/informix-brute.nse
+++ b/scripts/informix-brute.nse
@@ -33,6 +33,7 @@ categories = {"intrusive", "auth"}
 require 'shortport'
 require 'brute'
 require 'informix'
+require 'creds'

 portrule = shortport.port_or_service( { 1526, 9088, 9090, 9092 }, "informix", "tcp", "open") 

@@ -104,4 +105,4 @@ action = function(host, port)
 	status, result = engine:start()

 	return result
-end
+end
--- a/scripts/iscsi-brute.nse
+++ b/scripts/iscsi-brute.nse
@@ -19,6 +19,7 @@ Performs brute force password auditing against iSCSI targets.
 require 'shortport'
 require 'brute'
 require 'iscsi'
+require 'creds'

 author = "Patrik Karlsson"
 license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
@@ -84,4 +85,4 @@ action = function( host, port )
 	status, accounts = engine:start()

 	if ( status ) then return accounts end
-end
+end
--- a/scripts/nping-brute.nse
+++ b/scripts/nping-brute.nse
@@ -27,6 +27,7 @@ require("brute")
 require("stdnse")
 stdnse.silent_require "openssl"
 require("shortport")
+require("creds")

 portrule = shortport.port_or_service(9929, "nping-echo")

--- a/scripts/omp2-brute.nse
+++ b/scripts/omp2-brute.nse
@@ -22,7 +22,7 @@ require("omp2")
 require("nmap")
 require("brute")
 require("shortport")
-
+require("creds")

 portrule = shortport.port_or_service(9390, "openvas")

--- a/scripts/oracle-brute.nse
+++ b/scripts/oracle-brute.nse
@@ -40,6 +40,7 @@ require 'brute'
 require 'stdnse'
 stdnse.silent_require 'openssl'
 require 'tns'
+require 'creds'

 portrule = shortport.port_or_service(1521, "oracle-tns", "tcp", "open")

--- a/scripts/sip-brute.nse
+++ b/scripts/sip-brute.nse
@@ -24,6 +24,7 @@ categories = {"intrusive", "auth"}
 require "shortport"
 require "sip"
 require "brute"
+require "creds"

 portrule = shortport.port_or_service(5060, "sip", "udp")

--- a/scripts/snmp-brute.nse
+++ b/scripts/snmp-brute.nse
@@ -13,99 +13,111 @@ Attempts to find an SNMP community string by brute force guessing.
 -- 161/udp open  snmp
 -- |_snmp-brute: public

-author = "Philip Pickering"
-
+author = "Philip Pickering, Gorjan Petrovski"
 license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
-
 categories = {"intrusive", "auth"}

+-- Revised 07/07/2011 - v 0.2 - ported to the brute library (Gorjan Petrovski)  
+
 require "shortport"
 require "snmp"
+require "brute"
+require "creds"

 portrule = shortport.portnumber(161, "udp", {"open", "open|filtered"})

-action = function(host, port)
+local port_set_open = false

-  if nmap.registry.snmpcommunity or nmap.registry.args.snmpcommunity then return end
+local Driver =
+{
+	new = function(self, host, port)
+		local o = {}
+		setmetatable(o,self)
+		self.__index = self
+		o.host = host
+		o.port = port
+		return o
+	end,
+	connect = function(self)
+		self.socket = nmap.new_socket()
+		if not self.socket then return false end
+		-- set some reasonable timeouts :)
+		if self.host.times.timeout < 1 then
+			self.socket:set_timeout(1000)
+		else
+			self.socket:set_timeout(self.host.times.timeout * 1000)
+		end
+		local status, err = self.socket:connect(self.host, self.port)
+		if not status then
+			self.socket:close()
+			return false
+		end
+		self.request = snmp.buildGetRequest({}, "1.3.6.1.2.1.1.3.0") 
+		return true
+	end,
+	disconnect = function(self)
+		self.socket:close()
+	end,
+	login = function( self, username, password)
+		local payload = snmp.encode(snmp.buildPacket(self.request, 0, password))

-  -- create the socket used for our connection
-  local socket = nmap.new_socket()
-  
-  -- set a reasonable timeout value
-  socket:set_timeout(5000)
-  
-  -- do some exception handling / cleanup
-  local catch = function()
-    socket:close()
-  end
+		local status, response = self.socket:send(payload)
+		if not status then
+			self.socket:close()
+			local brute_err = brute.Error:new(response)
+			brute_err:setAbort(true)
+			return false, brute_err
+		end

-  local try = nmap.new_try(catch)
-	
-	-- connect to the potential SNMP system
-  try(socket:connect(host, port))
+		status, response = self.socket:receive_bytes(1)
+		if (not status) or (response == "TIMEOUT") then
+			local brute_err = brute.Error:new(response)
+			brute_err:setRetry(false)
+			return false, brute_err
+		end

-	
-  local request = snmp.buildGetRequest({}, "1.3.6.1.2.1.1.3.0")
+		if not port_set_open then
+			port_set_open = true
+			nmap.set_port_state(self.host, self.port, "open")
+		end
+
+		local result 
+		_, result = snmp.decode(response)
+
+		-- response contains valid community string
+		if type(result) == "table" then
+			-- keep only the first password as snmpcommunity, like the old script did
+			if not nmap.registry.snmpcommunity then
+				nmap.registry.snmpcommunity = result[2]
+			end
+			
+			-- adding the credentials
+			local c = creds.Credentials:new( SCRIPT_NAME, self.host, self.port )
+			c:add(nil, result[2], creds.State.VALID)
+			
+			local brute_acc = brute.Account.new("", result[2], creds.State.VALID)
+			return true, brute_acc
+		end
+
+		local err = brute.Error:new("Incorrect password")
+		err:setRetry(false)
+		return false, err

-  local commFile = nmap.registry.args.snmplist and nmap.fetchfile(nmap.registry.args.snmplist)
-  local commTable
-  
-  -- fetch wordlist from file (from unpwdb-lib)
-  if commFile then
-     local file = io.open(commFile)
-     
-     if file then
-	commTable = {}
-	while true do
-	   local l = file:read()
-	   
-	   if not l then
-	      break
-	   end
-					 
-	   -- Comments takes up a whole line
-	   if not l:match("#!comment:") then
-	      table.insert(commTable, l)
-	   end
 	end
+}
+
+action = function(host, port)
+	if nmap.registry.snmpcommunity or nmap.registry.args.snmpcommunity then return end
 	
-	file:close()
-     end
-  end
-  
-  -- default wordlist
-  if (not commTable) then	commTable = {'public', 'private', 'snmpd', 'snmp', 'mngt', 'cisco', 'admin'} end
-  
-  -- send all possible words out before waiting for an answer
-  for _, commStr in ipairs(commTable) do
-     local payload = snmp.encode(snmp.buildPacket(request, 0, commStr))
-     try(socket:send(payload))
-  end
-  
-  -- finally wait for a response
-  local status
-  local response
-  
-  status, response = socket:receive_bytes(1)
-  
-  if (not status) then
-     return
-  end
-  
-  if (response == "TIMEOUT") then
-     return
-  end
-  nmap.set_port_state(host, port, "open")
-  
-  local result
-  _, result = snmp.decode(response)
-  
-  -- response contains valid community string
-  if type(result) == "table" then
-     nmap.registry.snmpcommunity = result[2]
-     return result[2]
-  end
-  
-  return
+	local engine = brute.Engine:new(Driver,host,port)
+	
+	--we want to search for both readonly and readwrite community strings
+	-- engine.options.firstonly = false
+	engine.options.passonly = true
+	engine.options.script_name = SCRIPT_NAME
+	
+	status, result = engine:start()
+	
+	return result
 end

--- a/scripts/svn-brute.nse
+++ b/scripts/svn-brute.nse
@@ -32,6 +32,7 @@ Performs brute force password auditing against Subversion source code control se

 require 'shortport'
 require 'brute'
+require 'creds'

 author = "Patrik Karlsson"
 license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
@@ -263,4 +264,4 @@ action = function(host, port)
 	end

 	return accounts
-end
+end
--- a/scripts/vnc-brute.nse
+++ b/scripts/vnc-brute.nse
@@ -32,6 +32,7 @@ categories = {"intrusive", "auth"}
 require 'shortport'
 require 'brute'
 require 'vnc'
+require 'creds'

 portrule = shortport.port_or_service(5901, "vnc", "tcp", "open")

@@ -140,4 +141,4 @@ action = function(host, port)
 	status, result = engine:start()

 	return result
-end
+end