From b27c8e29d7366a852f62b353f88831d0ec8a262e Mon Sep 17 00:00:00 2001
From: fyodor
Date: Sat, 15 Jan 2011 21:28:45 +0000
Subject: [PATCH] Apply a patch from Toni Ruottu with some small misc. improvements to the netbus-* scripts. Also I changed netbus-auth-bypass to the safe category as recommended by Toni
---
 scripts/netbus-auth-bypass.nse | 7 +++++--
 scripts/netbus-brute.nse | 14 +++++++++++---
 scripts/netbus-info.nse | 18 ++++++++++++------
 scripts/netbus-version.nse | 5 ++++-
 4 files changed, 32 insertions(+), 12 deletions(-)
diff --git a/scripts/netbus-auth-bypass.nse b/scripts/netbus-auth-bypass.nse
index 6640b4668..69e63e7fa 100644
--- a/scripts/netbus-auth-bypass.nse
+++ b/scripts/netbus-auth-bypass.nse
@@ -10,13 +10,16 @@ and login to the service by typing Password;1; into the console.
 ]]
 ---
+-- @usage
+-- nmap -p 12345 --script netbus-auth-bypass
+--
 -- @output
 -- 12345/tcp open netbus
 -- |_netbus-auth-bypass: Vulnerable
 author = "Toni Ruottu"
 license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
-categories = {"auth", "intrusive", "vuln"}
+categories = {"auth", "safe", "vuln"}
 require("nmap")
 require("stdnse")
@@ -50,6 +53,6 @@ action = function( host, port )
 if buffer() == "Access;1" then
 return "Vulnerable"
 end
- return
+ return "Not vulnerable, but password is empty"
 end
diff --git a/scripts/netbus-brute.nse b/scripts/netbus-brute.nse
index 872bdb693..9fdaa9341 100644
--- a/scripts/netbus-brute.nse
+++ b/scripts/netbus-brute.nse
@@ -3,6 +3,9 @@ Performs brute force password auditing about the Netbus backdoor ("remote admini
 ]]
 ---
+-- @usage
+-- nmap -p 12345 --script netbus-brute
+--
 -- @output
 -- 12345/tcp open netbus
 -- |_netbus-brute: password123
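Review bot: The new fall-through `return "Not vulnerable, but password is empty"` in the second netbus-auth-bypass hunk is reached on every reply that is not "Access;1", and if buffer() is a stdnse.make_buffer iterator that includes the nil it yields on a timed-out or failed read, so a target that simply stops answering would be reported as having an empty password. The checks that establish the empty-password claim are above the hunk and not visible here; assuming they hold, it is still safer to read the reply once and only emit the message when one was actually received: `local reply = buffer()` / `if reply == "Access;1" then return "Vulnerable" end` / `if reply then return "Not vulnerable, but password is empty" end`. The action function starts outside the hunk.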
@@ -36,13 +39,18 @@ action = function( host, port )
 local login = buffer()
 if login == "Access;1" then
 -- Store the password for other netbus scripts
- nmap.registry.netbuspassword=password
-
+ local key = string.format("%s:%d", host.ip, port.number)
+ if not nmap.registry.netbuspasswords then
+ nmap.registry.netbuspasswords = {}
+ end
+ nmap.registry.netbuspasswords[key] = password
+ if password == "" then
+ return ""
+ end
 return string.format("%s", password)
 end
 end
 socket:close()
-
 end
diff --git a/scripts/netbus-info.nse b/scripts/netbus-info.nse
index 599a09e35..a39205bf2 100644
--- a/scripts/netbus-info.nse
+++ b/scripts/netbus-info.nse
@@ -18,6 +18,9 @@ and an smtp-server used for notification delivery.
 ]]
 ---
+-- @usage
+-- nmap -p 12345 --script netbus-info --script-args netbus-info.password=
+--
 -- @output
 -- 12345/tcp open netbus
 -- | netbus-info:
@@ -41,6 +44,8 @@ and an smtp-server used for notification delivery.
 -- | Wave: 0
 -- | Synth: 0
 -- |_ Cd: 0
+--
+-- @args netbus-info.password The password used for authentication
 author = "Toni Ruottu"
 license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
@@ -123,12 +128,14 @@ local function format_volume(volume)
 end
 action = function( host, port )
-
- local password = nmap.registry.netbuspassword
- if password == nil then
- password = ""
+ local password = nmap.registry.args[SCRIPT_NAME .. ".password"]
+ if not password and nmap.registry.netbuspasswords then
+ local key = string.format("%s:%d", host.ip, port.number)
+ password = nmap.registry.netbuspasswords[key]
+ end
+ if not password then
+ password = ""
 end
-
 local socket = nmap.new_socket()
 socket:set_timeout(5000)
 local status, err = socket:connect(host.ip, port.number)
@@ -153,7 +160,6 @@ action = function( host, port )
 socket:close()
 local response = {}
- table.insert(response, "")
 table.insert(response, format_acl(acl))
 table.insert(response, format_apps(apps))
 table.insert(response, format_info(info))
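Review bot: An empty password is still a successful login against the backdoor, but the added `if password == "" then return "" end` in the netbus-brute hunk reports it as an empty string, which a user cannot tell apart from the script having found nothing; the value does reach the registry for the other scripts, yet the finding itself is invisible in the scan output. Reporting it explicitly, for example `return "password is empty"` (or a marker such as `"<empty>"`), keeps a backdoor with no password visible as the result it is. Separately, `return string.format("%s", password)` can simply be `return password`, unless password can be a non-string value, which is not visible here. The action function begins outside the hunk.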
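Review bot: The fallback to `nmap.registry.netbuspasswords[key]` in the third netbus-info hunk is the only cross-script coupling in this change and carries no comment saying where the value comes from; a reader of netbus-info alone cannot tell that the table and its `host.ip:port.number` key are written by netbus-brute. Suggest a comment above the `if not password and nmap.registry.netbuspasswords then` line, e.g. `-- fall back to a password found by netbus-brute for this host:port (nmap.registry.netbuspasswords)`, and a clause in the @args text of the earlier hunk saying the argument is optional when netbus-brute already ran. The action function continues past the hunk.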
diff --git a/scripts/netbus-version.nse b/scripts/netbus-version.nse
index e080f5185..b7a9ffbbe 100644
--- a/scripts/netbus-version.nse
+++ b/scripts/netbus-version.nse
@@ -4,6 +4,9 @@ that mimes NetBus.
 ]]
 ---
+-- @usage
+-- nmap -sV -p 12345 --script netbus-version
+--
 -- @output
 -- 12345/tcp open netbus Netbuster (honeypot)
@@ -15,7 +18,7 @@ require("nmap")
 require("stdnse")
 require("shortport")
-portrule = shortport.version_port_or_service (12345, "netbus", {"tcp"})
+portrule = shortport.version_port_or_service ({}, "netbus", {"tcp"})
 action = function( host, port )
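Review bot: Replacing the literal 12345 with `{}` in the portrule changes when the script runs and the reason is not recorded; with an empty port list the rule matches only ports whose service name is "netbus", so the port number no longer plays any part. If the intent is that 12345/tcp already carries the netbus name from nmap-services and that -sV can attach the same name to other ports (which the new @usage line with -sV suggests), that belongs in a comment above the rule, e.g. `-- match on service name only: 12345/tcp is "netbus" in nmap-services and -sV may identify it on other ports`. Without it the next reader is likely to put the port number back.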