diff --git a/scripts/domcon-brute.nse b/scripts/domcon-brute.nse
index a029368e5..ab07f6131 100644
--- a/scripts/domcon-brute.nse
+++ b/scripts/domcon-brute.nse
@@ -29,6 +29,7 @@ categories = {"intrusive", "auth"}
 require 'shortport'
 require 'brute'
+require 'creds'
 portrule = shortport.port_or_service(2050, "", "tcp", "open")
@@ -160,4 +161,4 @@ action = function(host, port)
 pool:shutdown()
 return result
-end
\ No newline at end of file
+end
diff --git a/scripts/dpap-brute.nse b/scripts/dpap-brute.nse
index ff7949c64..464f0057c 100644
--- a/scripts/dpap-brute.nse
+++ b/scripts/dpap-brute.nse
@@ -27,6 +27,7 @@ categories = {"intrusive", "auth"}
 require("base64")
 require("shortport")
 require("brute")
+require("creds")
 portrule = shortport.port_or_service(8770, "apple-iphoto")
diff --git a/scripts/http-brute.nse b/scripts/http-brute.nse
index fc1b1245f..93e14c6f8 100644
--- a/scripts/http-brute.nse
+++ b/scripts/http-brute.nse
@@ -40,6 +40,7 @@ categories = {"intrusive", "auth"}
 require 'shortport'
 require 'http'
 require 'brute'
+require 'creds'
 portrule = shortport.port_or_service( {80, 443}, {"http", "https"}, "tcp", "open")
diff --git a/scripts/http-form-brute.nse b/scripts/http-form-brute.nse
index e6ff15605..6dbacb110 100644
--- a/scripts/http-form-brute.nse
+++ b/scripts/http-form-brute.nse
@@ -73,6 +73,7 @@ require 'shortport'
 require 'http'
 require 'brute'
 require 'url'
+require 'creds'
 portrule = shortport.port_or_service( {80, 443}, {"http", "https"}, "tcp", "open")
@@ -243,4 +244,4 @@ action = function( host, port )
 local status, result = engine:start()
 return result
-end
\ No newline at end of file
+end
diff --git a/scripts/informix-brute.nse b/scripts/informix-brute.nse
index 9976d186c..38e939eac 100644
--- a/scripts/informix-brute.nse
+++ b/scripts/informix-brute.nse
@@ -33,6 +33,7 @@ categories = {"intrusive", "auth"}
 require 'shortport'
 require 'brute'
 require 'informix'
+require 'creds'
 portrule = shortport.port_or_service( { 1526, 9088, 9090, 9092 }, "informix", "tcp", "open")
@@ -104,4 +105,4 @@ action = function(host, port)
 status, result = engine:start()
 return result
-end
\ No newline at end of file
+end
diff --git a/scripts/iscsi-brute.nse b/scripts/iscsi-brute.nse
index 26c575f45..4032c93f9 100644
--- a/scripts/iscsi-brute.nse
+++ b/scripts/iscsi-brute.nse
@@ -19,6 +19,7 @@ Performs brute force password auditing against iSCSI targets.
 require 'shortport'
 require 'brute'
 require 'iscsi'
+require 'creds'
 author = "Patrik Karlsson"
 license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
@@ -84,4 +85,4 @@ action = function( host, port )
 status, accounts = engine:start()
 if ( status ) then return accounts end
-end
\ No newline at end of file
+end
diff --git a/scripts/nping-brute.nse b/scripts/nping-brute.nse
index e48adf6f7..9a63913fd 100644
--- a/scripts/nping-brute.nse
+++ b/scripts/nping-brute.nse
@@ -27,6 +27,7 @@ require("brute")
 require("stdnse")
 stdnse.silent_require "openssl"
 require("shortport")
+require("creds")
 portrule = shortport.port_or_service(9929, "nping-echo")
diff --git a/scripts/omp2-brute.nse b/scripts/omp2-brute.nse
index bd2674f98..de0d2ff9a 100644
--- a/scripts/omp2-brute.nse
+++ b/scripts/omp2-brute.nse
@@ -22,7 +22,7 @@ require("omp2")
 require("nmap")
 require("brute")
 require("shortport")
-
+require("creds")
 portrule = shortport.port_or_service(9390, "openvas")
diff --git a/scripts/oracle-brute.nse b/scripts/oracle-brute.nse
index b4571507a..ec7fb4604 100644
--- a/scripts/oracle-brute.nse
+++ b/scripts/oracle-brute.nse
@@ -40,6 +40,7 @@ require 'brute'
 require 'stdnse'
 stdnse.silent_require 'openssl'
 require 'tns'
+require 'creds'
 portrule = shortport.port_or_service(1521, "oracle-tns", "tcp", "open")
diff --git a/scripts/sip-brute.nse b/scripts/sip-brute.nse
index 423ba1076..d41070720 100755
--- a/scripts/sip-brute.nse
+++ b/scripts/sip-brute.nse
@@ -24,6 +24,7 @@ categories = {"intrusive", "auth"}
 require "shortport"
 require "sip"
 require "brute"
+require "creds"
 portrule = shortport.port_or_service(5060, "sip", "udp")
diff --git a/scripts/snmp-brute.nse b/scripts/snmp-brute.nse
index fd009fab1..f30c5d0b3 100644
--- a/scripts/snmp-brute.nse
+++ b/scripts/snmp-brute.nse
@@ -13,99 +13,111 @@ Attempts to find an SNMP community string by brute force guessing. -- 161/udp open snmp -- |_snmp-brute: public -author = "Philip Pickering" - +author = "Philip Pickering, Gorjan Petrovski" license = "Same as Nmap--See http://nmap.org/book/man-legal.html" - categories = {"intrusive", "auth"} +-- Revised 07/07/2011 - v 0.2 - ported to the brute library (Gorjan Petrovski) + require "shortport" require "snmp" +require "brute" +require "creds" portrule = shortport.portnumber(161, "udp", {"open", "open|filtered"}) -action = function(host, port) +local port_set_open = false - if nmap.registry.snmpcommunity or nmap.registry.args.snmpcommunity then return end +local Driver = +{ + new = function(self, host, port) + local o = {} + setmetatable(o,self) + self.__index = self + o.host = host + o.port = port + return o + end, + connect = function(self) + self.socket = nmap.new_socket() + if not self.socket then return false end + -- set some reasonable timeouts :) + if self.host.times.timeout < 1 then + self.socket:set_timeout(1000) + else + self.socket:set_timeout(self.host.times.timeout * 1000) + end + local status, err = self.socket:connect(self.host, self.port) + if not status then + self.socket:close() + return false + end + self.request = snmp.buildGetRequest({}, "1.3.6.1.2.1.1.3.0") + return true + end, + disconnect = function(self) + self.socket:close() + end, + login = function( self, username, password) + local payload = snmp.encode(snmp.buildPacket(self.request, 0, password)) - -- create the socket used for our connection - local socket = nmap.new_socket() - - -- set a reasonable timeout value - socket:set_timeout(5000) - - -- do some exception handling / cleanup - local catch = function() - socket:close() - end + local status, response = self.socket:send(payload) + if not status then + self.socket:close() + local brute_err = brute.Error:new(response) + brute_err:setAbort(true) + return false, brute_err + end - local try = nmap.new_try(catch) - - 
-- connect to the potential SNMP system - try(socket:connect(host, port)) + status, response = self.socket:receive_bytes(1) + if (not status) or (response == "TIMEOUT") then + local brute_err = brute.Error:new(response) + brute_err:setRetry(false) + return false, brute_err + end - - local request = snmp.buildGetRequest({}, "1.3.6.1.2.1.1.3.0") + if not port_set_open then + port_set_open = true + nmap.set_port_state(self.host, self.port, "open") + end + + local result + _, result = snmp.decode(response) + + -- response contains valid community string + if type(result) == "table" then + -- keep only the first password as snmpcommunity, like the old script did + if not nmap.registry.snmpcommunity then + nmap.registry.snmpcommunity = result[2] + end + + -- adding the credentials + local c = creds.Credentials:new( SCRIPT_NAME, self.host, self.port ) + c:add(nil, result[2], creds.State.VALID) + + local brute_acc = brute.Account.new("", result[2], creds.State.VALID) + return true, brute_acc + end + + local err = brute.Error:new("Incorrect password") + err:setRetry(false) + return false, err - local commFile = nmap.registry.args.snmplist and nmap.fetchfile(nmap.registry.args.snmplist) - local commTable - - -- fetch wordlist from file (from unpwdb-lib) - if commFile then - local file = io.open(commFile) - - if file then - commTable = {} - while true do - local l = file:read() - - if not l then - break - end - - -- Comments takes up a whole line - if not l:match("#!comment:") then - table.insert(commTable, l) - end end +} + +action = function(host, port) + if nmap.registry.snmpcommunity or nmap.registry.args.snmpcommunity then return end - file:close() - end - end - - -- default wordlist - if (not commTable) then commTable = {'public', 'private', 'snmpd', 'snmp', 'mngt', 'cisco', 'admin'} end - - -- send all possible words out before waiting for an answer - for _, commStr in ipairs(commTable) do - local payload = snmp.encode(snmp.buildPacket(request, 0, commStr)) - 
try(socket:send(payload)) - end - - -- finally wait for a response - local status - local response - - status, response = socket:receive_bytes(1) - - if (not status) then - return - end - - if (response == "TIMEOUT") then - return - end - nmap.set_port_state(host, port, "open") - - local result - _, result = snmp.decode(response) - - -- response contains valid community string - if type(result) == "table" then - nmap.registry.snmpcommunity = result[2] - return result[2] - end - - return + local engine = brute.Engine:new(Driver,host,port) + + --we want to search for both readonly and readwrite community strings + -- engine.options.firstonly = false + engine.options.passonly = true + engine.options.script_name = SCRIPT_NAME + + status, result = engine:start() + + return result end diff --git a/scripts/svn-brute.nse b/scripts/svn-brute.nse index c763a29de..d83580a52 100644 --- a/scripts/svn-brute.nse +++ b/scripts/svn-brute.nse @@ -32,6 +32,7 @@ Performs brute force password auditing against Subversion source code control se require 'shortport' require 'brute' +require 'creds' author = "Patrik Karlsson" license = "Same as Nmap--See http://nmap.org/book/man-legal.html" @@ -263,4 +264,4 @@ action = function(host, port) end return accounts -end \ No newline at end of file +end diff --git a/scripts/vnc-brute.nse b/scripts/vnc-brute.nse index c237278eb..4b2cbb44f 100644 --- a/scripts/vnc-brute.nse +++ b/scripts/vnc-brute.nse @@ -32,6 +32,7 @@ categories = {"intrusive", "auth"} require 'shortport' require 'brute' require 'vnc' +require 'creds' portrule = shortport.port_or_service(5901, "vnc", "tcp", "open") @@ -140,4 +141,4 @@ action = function(host, port) status, result = engine:start() return result -end \ No newline at end of file +end
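Review bot: The new `action` in snmp-brute assigns `status, result = engine:start()` without `local`, so both names leak as globals; the sibling scripts touched by this same change declare them (http-form-brute's context line reads `local status, result = engine:start()`), and snmp-brute should match: `local status, result = engine:start()`. The comment `--we want to search for both readonly and readwrite community strings` sits directly above a commented-out `-- engine.options.firstonly = false`, so it documents an intent the code no longer sets — either restore the option or reword the comment to say what the engine's default does (that default is not visible in this diff). In `Driver.login`, the hit is recorded with `c:add(nil, result[2], creds.State.VALID)` and also returned as a `brute.Account`; if the brute engine stores returned accounts in `creds` itself (not visible here), each community string is recorded twice, which is worth confirming against the brute library. Minor: `local status, err = self.socket:connect(self.host, self.port)` in `connect` never uses `err`; either drop it or return it alongside the `false` so the engine can report why the socket failed.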