From a2c2a3f84c3534cf0495e47b3e1f114689fbb36a Mon Sep 17 00:00:00 2001 From: patrik Date: Thu, 19 Aug 2010 20:53:40 +0000 Subject: [PATCH] o [NSE] Added two new scripts http-brute.nse and http-form-brute that attempt to perform password guessing against web servers and applications. [Patrik] --- CHANGELOG | 3 + scripts/http-brute.nse | 125 ++++++++++++++++++++++++++++ scripts/http-form-brute.nse | 158 ++++++++++++++++++++++++++++++++++++ scripts/script.db | 3 + 4 files changed, 289 insertions(+) create mode 100644 scripts/http-brute.nse create mode 100644 scripts/http-form-brute.nse diff --git a/CHANGELOG b/CHANGELOG index 9032d7574..208ca3705 100644 --- a/CHANGELOG +++ b/CHANGELOG @@ -1,5 +1,8 @@ # Nmap Changelog ($Id$); -*-text-*- +o [NSE] Added two new scripts http-brute.nse and http-form-brute that attempt + to perform password guessing against web servers and applications. [Patrik] + o [NSE] Added svn-brute, which attempts to perform password guessing against the subversion service. [Patrik] diff --git a/scripts/http-brute.nse b/scripts/http-brute.nse new file mode 100644 index 000000000..f1aae2c5b --- /dev/null +++ b/scripts/http-brute.nse @@ -0,0 +1,125 @@ +description = [[ +Performs password guessing against http basic authentication +]] + +--- +-- @usage +-- nmap --script http-brute -p 80 +-- +-- This script uses the unpwdb and brute libraries to perform password +-- guessing. Any successful guesses are stored in the nmap registry, under +-- the nmap.registry.credentials.http key for other scripts to use. +-- +-- @output +-- PORT STATE SERVICE REASON +-- 80/tcp open http syn-ack +-- | http-brute: +-- | Accounts +-- | Patrik Karlsson:secret => Login correct +-- | Statistics +-- |_ Perfomed 60023 guesses in 467 seconds, average tps: 138 +-- +-- Summary +-- ------- +-- x The Driver class contains the driver implementation used by the brute +-- library +-- +-- @args http-brute.path points to the path protected by authentication +-- @args http-brute.hostname sets the host header in case of virtual hosting + +-- +-- Version 0.1 +-- Created 07/30/2010 - v0.1 - created by Patrik Karlsson +-- + +author = "Patrik Karlsson" +license = "Same as Nmap--See http://nmap.org/book/man-legal.html" +categories = {"intrusive", "auth"} + +require 'shortport' +require 'http' +require 'brute' + +portrule = shortport.port_or_service( {80, 443}, {"http", "https"}, "tcp", "open") + +Driver = { + + new = function(self, host, port) + local o = {} + setmetatable(o, self) + self.__index = self + o.host = nmap.registry.args['http-brute.hostname'] or host + o.port = port + o.path = nmap.registry.args['http-brute.path'] + return o + end, + + connect = function( self ) + -- This will cause problems, as ther is no way for us to "reserve" + -- a socket. We may end up here early with a set of credentials + -- which won't be guessed until the end, due to socket exhaustion. + return true + end, + + login = function( self, username, password ) + -- we need to supply the no_cache directive, or else the http library + -- incorrectly tells us that the authentication was successfull + local response = http.get( self.host, self.port, self.path, { auth = { username = username, password = password }, no_cache = true }) + + -- We should probably do more tests here, 500 error and redirects + -- should be possible candidates. checking for ~= 401 *should* work to + -- but gave me a number of false positives last time I tried. + -- After Davids initial review we decided to change it to not 4xx and + -- not 5xx. That would roughly equal the following: + if ( response.status < 400 or response.status > 599 ) then + if ( not( nmap.registry['credentials'] ) ) then + nmap.registry['credentials'] = {} + end + if ( not( nmap.registry.credentials['http'] ) ) then + nmap.registry.credentials['http'] = {} + end + table.insert( nmap.registry.credentials.http, { username = username, password = password } ) + return true, brute.Account:new( username, password, "OPEN") + end + return false, brute.Error:new( "Incorrect password" ) + end, + + disconnect = function( self ) + return true + end, + + check = function( self ) + local response = http.get( self.host, self.port, self.path ) + + if ( response.status == 401 ) then + return true + end + return false + end, + +} + + +action = function( host, port ) + local status, result + local engine = brute.Engine:new(Driver, host, port ) + local path = nmap.registry.args['http-brute.path'] + + if ( not(path) ) then + return " \n ERROR: No path was specified (see http-brute.path)" + end + + local response = http.get( host, port, path ) + + if ( response.status ~= 401 ) then + return (" \n Path \"%s\" does not require autentication"):format(path) + end + + + -- there's a bug in http.lua that does not allow it to be called by + -- multiple threads + engine:setMaxThreads(1) + status, result = engine:start() + + return result +end \ No newline at end of file diff --git a/scripts/http-form-brute.nse b/scripts/http-form-brute.nse new file mode 100644 index 000000000..3823a8aec --- /dev/null +++ b/scripts/http-form-brute.nse @@ -0,0 +1,158 @@ +description = [[ +Performs password guessing against http form-based authentication +]] + +--- +-- @usage +-- nmap --script http-form-brute -p 80 +-- +-- This script uses the unpwdb and brute libraries to perform password +-- guessing. Any successful guesses are stored in the nmap registry, under +-- the nmap.registry.credentials.http key for other scripts to use. +-- +-- @output +-- PORT STATE SERVICE REASON +-- 80/tcp open http syn-ack +-- | http-brute: +-- | Accounts +-- | Patrik Karlsson:secret => Login correct +-- | Statistics +-- |_ Perfomed 60023 guesses in 467 seconds, average tps: 138 +-- +-- Summary +-- ------- +-- x The Driver class contains the driver implementation used by the brute +-- library +-- +-- @args http-form-brute.path points to the path protected by authentication +-- @args http-form-brute.hostname sets the host header in case of virtual +-- hosting +-- @args http-form-brute.uservar sets the http-variable name that holds the +-- username used to authenticate. A simple autodetection of this variable +-- is attempted. +-- @args http-form-brute.passvar sets the http-variable name that holds the +-- password used to authenticate. A simple autodetection of this variable +-- is attempted. + + +-- +-- Version 0.1 +-- Created 07/30/2010 - v0.1 - created by Patrik Karlsson +-- + +author = "Patrik Karlsson" +license = "Same as Nmap--See http://nmap.org/book/man-legal.html" +categories = {"intrusive", "auth"} + +require 'shortport' +require 'http' +require 'brute' + +portrule = shortport.port_or_service( {80, 443}, {"http", "https"}, "tcp", "open") + +local form_params = {} + +Driver = { + + new = function(self, host, port, options) + local o = {} + setmetatable(o, self) + self.__index = self + o.host = nmap.registry.args['http-form-brute.hostname'] or host + o.port = port + o.path = nmap.registry.args['http-form-brute.path'] + o.options = options + return o + end, + + connect = function( self ) + -- This will cause problems, as ther is no way for us to "reserve" + -- a socket. We may end up here early with a set of credentials + -- which won't be guessed until the end, due to socket exhaustion. + return true + end, + + login = function( self, username, password ) + -- we need to supply the no_cache directive, or else the http library + -- incorrectly tells us that the authentication was successfull + local response = http.post( self.host, self.port, self.path, { no_cache = true }, nil, { [self.options.uservar] = username, [self.options.passvar] = password } ) + + -- We check whether the body was empty or that we have a body without our user- and pass-var + if ( not( response.body ) or + ( response.body and not( response.body:match("name=\"*" .. self.options.uservar ) and response.body:match("name=\"*" .. self.options.passvar ) ) ) ) then + + if ( not( nmap.registry['credentials'] ) ) then + nmap.registry['credentials'] = {} + end + if ( not( nmap.registry.credentials['http'] ) ) then + nmap.registry.credentials['http'] = {} + end + table.insert( nmap.registry.credentials.http, { username = username, password = password } ) + return true, brute.Account:new( username, password, "OPEN") + end + + return false, brute.Error:new( "Incorrect password" ) + end, + + disconnect = function( self ) + return true + end, + + check = function( self ) + local response = http.get( self.host, self.port, self.path ) + + -- do a *very* simple check + if ( response.status == 200 and response.body:match("type=\"password\"")) then + return true + end + return false + end, + +} + +--- Attempts to auto-detect known form-fields +-- +local function detectFormFields( host, port, path ) + local response = http.get( host, port, path ) + local user_field, pass_field + + if ( response.status == 200 ) then + user_field = response.body:match("") + pass_field = response.body:match("") + + if ( not(pass_field) ) then + pass_field = response.body:match("") + end + end + + return user_field, pass_field +end + +action = function( host, port ) + local uservar = nmap.registry.args['http-form-brute.uservar'] + local passvar = nmap.registry.args['http-form-brute.passvar'] + local path = nmap.registry.args['http-form-brute.path'] or "/" + local status, result, engine + + if ( not(uservar) or not(passvar) ) then + uservar, passvar = detectFormFields( host, port, path ) + end + if ( not( uservar ) ) then + return " \n ERROR: No uservar was specified (see http-form-brute.uservar)" + end + if ( not( passvar ) ) then + return " \n ERROR: No passvar was specified (see http-form-brute.passvar)" + end + + if ( not(nmap.registry.args['http-form-brute.path']) ) then + return " \n ERROR: No path was specified (see http-form-brute.path)" + end + + engine = brute.Engine:new( Driver, host, port, { uservar = uservar, passvar = passvar } ) + -- there's a bug in http.lua that does not allow it to be called by + -- multiple threads + engine:setMaxThreads(1) + status, result = engine:start() + + return result +end \ No newline at end of file diff --git a/scripts/script.db b/scripts/script.db index 819e51efb..46602710a 100644 --- a/scripts/script.db +++ b/scripts/script.db @@ -33,9 +33,11 @@ Entry { filename = "ftp-brute.nse", categories = { "auth", "intrusive", } } Entry { filename = "ftp-libopie.nse", categories = { "intrusive", "vuln", } } Entry { filename = "html-title.nse", categories = { "default", "discovery", "safe", } } Entry { filename = "http-auth.nse", categories = { "auth", "default", "intrusive", } } +Entry { filename = "http-brute.nse", categories = { "auth", "intrusive", } } Entry { filename = "http-date.nse", categories = { "discovery", "safe", } } Entry { filename = "http-enum.nse", categories = { "discovery", "intrusive", "vuln", } } Entry { filename = "http-favicon.nse", categories = { "default", "discovery", "safe", } } +Entry { filename = "http-form-brute.nse", categories = { "auth", "intrusive", } } Entry { filename = "http-headers.nse", categories = { "discovery", "safe", } } Entry { filename = "http-iis-webdav-vuln.nse", categories = { "intrusive", "vuln", } } Entry { filename = "http-malware-host.nse", categories = { "malware", "safe", } } @@ -125,6 +127,7 @@ Entry { filename = "sshv1.nse", categories = { "default", "safe", } } Entry { filename = "ssl-cert.nse", categories = { "discovery", "safe", } } Entry { filename = "ssl-enum-ciphers.nse", categories = { "discovery", "intrusive", } } Entry { filename = "sslv2.nse", categories = { "default", "safe", } } +Entry { filename = "svn-brute.nse", categories = { "auth", "intrusive", } } Entry { filename = "telnet-brute.nse", categories = { "auth", "intrusive", } } Entry { filename = "upnp-info.nse", categories = { "default", "safe", } } Entry { filename = "vnc-brute.nse", categories = { "auth", "intrusive", } }