PenTest/nmap
1
0
Fork 0
mirror of https://github.com/nmap/nmap.git synced 2025-12-06 04:31:29 +00:00
Code Issues Projects Releases Wiki Activity

Rewrote mysql-brute to use brute library

Browse Source
This commit is contained in:
aca
2012-05-25 17:57:04 +00:00
parent 92ba13be19
commit a839e69449
2 changed files with 61 additions and 43 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
CHANGELOG
View File

@@ -1,5 +1,7 @@
# Nmap Changelog ($Id$); -*-text-*- # Nmap Changelog ($Id$); -*-text-*-
o [NSE] Rewrote mysql-brute to use brute library [Aleksandar Nikolic]
o Fixed the greppable output of hosts that time-out (when --host-timeout was o Fixed the greppable output of hosts that time-out (when --host-timeout was
used and the host timed-out after something was received from that host). used and the host timed-out after something was received from that host).
This issue was reported by Matthew Morgan. [jah] This issue was reported by Matthew Morgan. [jah]

102
scripts/mysql-brute.nse
View File

@@ -3,11 +3,14 @@ Performs password guessing against MySQL.
]] ]]
--- ---
-- @usage
-- nmap nmap --script=rmi-vuln-classloader
--
-- @output -- @output
-- 3306/tcp open mysql -- 3306/tcp open mysql
-- | mysql-brute: -- | mysql-brute:
-- | root:<empty> => Valid credentials -- | Accounts
-- |_ test:test => Valid credentials -- | root:root - Valid credentials
author = "Patrik Karlsson" author = "Patrik Karlsson"
license = "Same as Nmap--See http://nmap.org/book/man-legal.html" license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
@@ -16,61 +19,74 @@ categories = {"intrusive", "brute"}
require 'shortport' require 'shortport'
require 'stdnse' require 'stdnse'
require 'mysql' require 'mysql'
require 'unpwdb' require 'brute'
require 'creds'
stdnse.silent_require 'openssl' stdnse.silent_require 'openssl'
-- Version 0.3 -- Version 0.5
-- Created 01/15/2010 - v0.1 - created by Patrik Karlsson <patrik@cqure.net> -- Created 01/15/2010 - v0.1 - created by Patrik Karlsson <patrik@cqure.net>
-- Revised 01/23/2010 - v0.2 - revised by Patrik Karlsson, changed username, password loop, added credential storage for other mysql scripts, added timelimit -- Revised 01/23/2010 - v0.2 - revised by Patrik Karlsson, changed username, password loop, added credential storage for other mysql scripts, added timelimit
-- Revised 01/23/2010 - v0.3 - revised by Patrik Karlsson, fixed bug showing account passwords detected twice -- Revised 01/23/2010 - v0.3 - revised by Patrik Karlsson, fixed bug showing account passwords detected twice
-- Revised 09/09/2011 - v0.4 - revised by Tom Sellers, changed account status text to be more consistent with other *-brute scripts -- Revised 09/09/2011 - v0.4 - revised by Tom Sellers, changed account status text to be more consistent with other *-brute scripts
-- Revised 05/25/2012 - v0.5 - revised by Aleksandar Nikolic, rewritten to use brute lib
portrule = shortport.port_or_service(3306, "mysql") portrule = shortport.port_or_service(3306, "mysql")
action = function( host, port ) local arg_timeout = stdnse.get_script_args(SCRIPT_NAME .. ".timeout") or 5
local socket = nmap.new_socket() Driver = {
local catch = function() socket:close() end
local try = nmap.new_try(catch)
local result, response, status = {}, nil, nil
local valid_accounts = {}
local usernames, passwords
local username, password
-- set a reasonable timeout value new = function(self, host, port)
socket:set_timeout(5000) local o = {}
setmetatable(o, self)
usernames = try(unpwdb.usernames()) self.__index = self
passwords = try(unpwdb.passwords()) o.host = host
o.port = port
for username in usernames do return o
for password in passwords do end,
try( socket:connect(host, port) )
response = try( mysql.receiveGreeting( socket ) )
stdnse.print_debug( "Trying %s/%s ...", username, password ) connect = function( self )
self.socket = nmap.new_socket()
status, response = mysql.loginRequest( socket, { authversion = "post41", charset = response.charset }, username, password, response.salt ) status, err = self.socket:connect(self.host, self.port)
socket:close() self.socket:set_timeout(tonumber(arg_timeout) * 1000)
if(not(status)) then
if status then return false, brute.Error:new( "Couldn't connect to host: " .. err )
-- Add credentials for other mysql scripts to use
if nmap.registry.mysqlusers == nil then
nmap.registry.mysqlusers = {}
end
nmap.registry.mysqlusers[username]=password
table.insert( valid_accounts, string.format("%s:%s => Valid credentials", username, password:len()>0 and password or "<empty>" ) )
break
end
end end
passwords("reset") return true
end,
login = function (self, user, pass)
status, response = mysql.receiveGreeting(self.socket)
if(not(status)) then
return false,brute.Error:new(response)
end
stdnse.print_debug( "Trying %s/%s ...", user, pass )
status, response = mysql.loginRequest( self.socket, { authversion = "post41", charset = response.charset }, user, pass, response.salt )
if status then
-- Add credentials for other mysql scripts to use
if nmap.registry.mysqlusers == nil then
nmap.registry.mysqlusers = {}
end
nmap.registry.mysqlusers[user]=pass
return true, brute.Account:new( user, pass, creds.State.VALID)
end
return false,brute.Error:new( "Incorrect password" )
end,
disconnect = function( self )
self.socket:close()
return true
end end
local output = stdnse.format_output(true, valid_accounts) }
return output action = function( host, port )
local status, result
local engine = brute.Engine:new(Driver, host, port)
engine.options.script_name = SCRIPT_NAME
status, result = engine:start()
return result
end end