Avoid false positives in rexec-brute. Fixes #1090

2026-02-13 17:06:34 +00:00 · 2018-01-22 16:45:49 +00:00
parent a67e68b2d4
commit 59f819f198
2 changed files with 18 additions and 1 deletions
--- a/3
+++ b/3
@@ -1,5 +1,8 @@
 #Nmap Changelog ($Id$); -*-text-*-

+o [NSE][GH#1090] Fix false positives in rexec-brute by checking responses for
+  indications of login failure. [Daniel Miller]
+
 o [NSE][GH#1099] Fix http-fetch to keep downloaded files in separate
  destination directories. [Aniket Pandey]

--- a/scripts/rexec-brute.nse
+++ b/scripts/rexec-brute.nse
@@ -33,6 +33,20 @@ categories = {"brute", "intrusive"}

 portrule = shortport.port_or_service(512, "exec", "tcp")

+--- Copied from telnet-brute
+-- Decide whether a given string (presumably received from a telnet server)
+-- indicates a failed login
+--
+-- @param str The string to analyze
+-- @return Verdict (true or false)
+local is_login_failure = function (str)
+  local lcstr = str:lower()
+  return lcstr:find("%f[%w]incorrect%f[%W]")
+      or lcstr:find("%f[%w]failed%f[%W]")
+      or lcstr:find("%f[%w]denied%f[%W]")
+      or lcstr:find("%f[%w]invalid%f[%W]")
+      or lcstr:find("%f[%w]bad%f[%W]")
+end

 Driver = {

@@ -72,7 +86,7 @@ Driver = {

    local response
    status, response = self.socket:receive()
-    if ( status ) then
+    if ( status and not is_login_failure(response)) then
      return true, creds.Account:new(username, password, creds.State.VALID)
    end
    return false, brute.Error:new( "Incorrect password" )