Add cassandra scripts from Vlatko Kosturjak.

scripts/cassandra-brute.nse

@@ -0,0 +1,131 @@
+local brute = require "brute"
+local creds = require "creds"
+local nmap = require "nmap"
+local shortport = require "shortport"
+local stdnse = require "stdnse"
+local cassandra = require "cassandra"
+
+description = [[
+Performs brute force password auditing against the Cassandra database.
+
+For more information about Cassandra, see:
+http://cassandra.apache.org/
+]]
+
+---
+-- @usage
+-- nmap -p 9160 <ip> --script=cassandra-brute
+--
+-- @output
+-- PORT     STATE SERVICE VERSION
+-- 9160/tcp open  apani1?
+-- | cassandra-brute: 
+-- |   Accounts
+-- |     admin:lover - Valid credentials
+-- |   Statistics
+-- |_    Performed 4581 guesses in 1 seconds, average tps: 4581
+--
+
+author = "Vlatko Kosturjak"
+license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
+categories = {"intrusive", "brute"}
+
+portrule = shortport.port_or_service({9160}, {"cassandra"})
+
+Driver = {
+	
+	new = function(self, host, port, options)
+		local o = { host = host, port = port, socket = nmap.new_socket() }
+		setmetatable(o, self)
+		self.__index = self
+		return o
+	end,
+	
+	connect = function(self)
+		return self.socket:connect(self.host, self.port)
+	end,
+
+        -- bit faster login function than in cassandra library (no protocol error checks)
+	login = function(self, username, password)
+		local response, magic, size
+		local loginstr = cassandra.loginstr (username, password)
+
+		local status, err = self.socket:send(bin.pack(">I",string.len(loginstr)))
+                local combo = username..":"..password
+		if ( not(status) ) then
+			local err = brute.Error:new( "couldn't send length:"..combo )
+			err:setAbort( true )
+			return false, err
+		end
+
+		status, err = self.socket:send(loginstr)
+		if ( not(status) ) then
+			local err = brute.Error:new( "couldn't send login packet: "..combo )
+			err:setAbort( true )
+			return false, err
+		end
+
+		status, response = self.socket:receive_bytes(22)
+		if ( not(status) ) then
+			local err = brute.Error:new( "couldn't receive login reply size: "..combo )
+			err:setAbort( true )
+			return false, err
+		end
+			
+		_, size = bin.unpack(">I", response, 1)
+
+                magic = string.sub(response,18,22)
+
+		if (magic == cassandra.LOGINSUCC) then
+                        stdnse.print_debug(3, "Account SUCCESS: "..combo)
+			return true, brute.Account:new(username, password, creds.State.VALID)
+		elseif (magic == cassandra.LOGINFAIL) then
+                        stdnse.print_debug(3,"Account FAIL: "..combo)
+			return false, brute.Error:new( "Incorrect password" )	
+                elseif (magic == cassandra.LOGINACC) then
+                        stdnse.print_debug(3, "Account VALID, but wrong password: "..combo)
+                        return false, brute.Error:new( "Good user, bad password" )	
+		else
+                        stdnse.print_debug(3, "Unrecognized packet for "..combo)
+                        stdnse.print_debug(3, "packet hex: %s", stdnse.tohex(response) )
+                        stdnse.print_debug(3, "size packet hex: %s", stdnse.tohex(size) )
+                        stdnse.print_debug(3, "magic packet hex: %s", stdnse.tohex(magic) )
+			local err = brute.Error:new( response )
+			err:setRetry( true )
+			return false, err
+		end	
+	end,
+	
+	disconnect = function(self)
+		return self.socket:close()
+	end,
+	
+}
+
+local function noAuth(host, port)
+	local socket = nmap.new_socket()
+	local status, result = socket:connect(host, port)
+
+        local stat,err = cassandra.login (socket,"default","")
+        socket:close()
+        if (stat) then
+          return true
+        else
+          return false
+        end
+end
+
+action = function(host, port)
+
+	if ( noAuth(host, port) ) then
+		return "Any username and password would do, 'default' was used to test."
+	end
+
+	local engine = brute.Engine:new(Driver, host, port )
+	
+	engine.options.script_name = SCRIPT_NAME
+	engine.options.firstonly = true
+	local status, result = engine:start()
+
+	return result
+end

scripts/cassandra-info.nse

@@ -0,0 +1,93 @@
+local creds = require "creds"
+local nmap = require "nmap"
+local shortport = require "shortport"
+local stdnse = require "stdnse"
+local bin = require "bin"
+local string = require "string"
+
+local cassandra = stdnse.silent_require "cassandra"
+
+description = [[
+Attempts to get basic info and server status from a Cassandra database.
+
+For more information about Cassandra, see:
+http://cassandra.apache.org/
+]]
+
+---
+-- @usage
+-- nmap -p 9160 <ip> --script=cassandra-info
+-- 
+-- @output
+-- PORT     STATE SERVICE   REASON
+-- 9160/tcp open  cassandra syn-ack
+-- | cassandra-info: 
+-- |   Cluster name: Test Cluster
+-- |_  Version: 19.10.0
+-- 
+
+-- version 0.1
+-- Created 14/09/2012 - v0.1 - created by Vlatko Kosturjak <kost@linux.hr>
+
+author = "Vlatko Kosturjak"
+license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
+categories = {"default", "discovery", "safe"}
+
+dependencies = {"cassandra-brute"}
+
+portrule = shortport.port_or_service({9160}, {"cassandra"})
+
+function action(host,port)
+
+	local socket = nmap.new_socket()
+        local cassinc = 2 -- cmd/resp starts at 2
+	
+	-- set a reasonable timeout value
+	socket:set_timeout(10000)
+	-- do some exception  / cleanup
+	local catch = function()
+		socket:close()
+	end
+	
+	local try = nmap.new_try(catch)
+
+	try( socket:connect(host, port) )
+	
+        local results = {}
+
+	-- uglyness to allow creds.cassandra to work, as the port is not recognized
+	-- as cassandra even when service scan was run, taken from mongodb
+	local ps = port.service
+	port.service = 'cassandra'
+	local c = creds.Credentials:new(creds.ALL_DATA, host, port)
+	for cred in c:getCredentials(creds.State.VALID + creds.State.PARAM) do
+		local status, err = cassandra.login(socket, cred.user, cred.pass)
+                table.insert(results, ("Using credentials: %s"):format(cred.user.."/"..cred.pass))
+		if ( not(status) ) then
+			return err
+		end
+	end
+	port.service = ps
+
+        local status, val = cassandra.describe_cluster_name(socket,cassinc)
+        if (not(status)) then
+          return "Error getting cluster name: " .. val
+        end
+        cassinc = cassinc + 1
+        port.version.name ='cassandra'
+        port.version.product='Cassandra'
+        port.version.name_confidence = 100
+        nmap.set_port_version(host,port)
+        table.insert(results, ("Cluster name: %s"):format(val))
+
+        local status, val = cassandra.describe_version(socket,cassinc)
+        if (not(status)) then
+          return "Error getting version: " .. val
+        end
+        cassinc = cassinc + 1
+        port.version.product='Cassandra ('..val..')'
+        nmap.set_port_version(host,port)
+        table.insert(results, ("Version: %s"):format(val))
+
+        return stdnse.format_output(true, results)
+end

scripts/script.db

@@ -52,6 +52,8 @@ Entry { filename = "broadcast-wake-on-lan.nse", categories = { "broadcast", "saf
 Entry { filename = "broadcast-wpad-discover.nse", categories = { "broadcast", "safe", } }
 Entry { filename = "broadcast-wsdd-discover.nse", categories = { "broadcast", "safe", } }
 Entry { filename = "broadcast-xdmcp-discover.nse", categories = { "broadcast", "safe", } }
+Entry { filename = "cassandra-brute.nse", categories = { "brute", "intrusive", } }
+Entry { filename = "cassandra-info.nse", categories = { "default", "discovery", "safe", } }
 Entry { filename = "cccam-version.nse", categories = { "version", } }
 Entry { filename = "citrix-brute-xml.nse", categories = { "auth", "intrusive", } }
 Entry { filename = "citrix-enum-apps-xml.nse", categories = { "discovery", "safe", } }