diff --git a/CHANGELOG b/CHANGELOG index 4bfaae919..0500fed75 100644 --- a/CHANGELOG +++ b/CHANGELOG @@ -1,5 +1,8 @@ # Nmap Changelog ($Id$); -*-text-*- +o [NSE] Added the script vmauthd-brute that performs brute force password + guessing against the VMware authentication daemon. [Patrik] + Nmap 5.61TEST4 [2012-01-02] o [NSE] Added a new httpspider library which is used for recursively diff --git a/scripts/script.db b/scripts/script.db index 3a1af57c6..2f46f64e0 100644 --- a/scripts/script.db +++ b/scripts/script.db @@ -286,6 +286,7 @@ Entry { filename = "telnet-encryption.nse", categories = { "discovery", "safe", Entry { filename = "tftp-enum.nse", categories = { "discovery", "intrusive", } } Entry { filename = "unusual-port.nse", categories = { "safe", } } Entry { filename = "upnp-info.nse", categories = { "default", "discovery", "safe", } } +Entry { filename = "vmauthd-brute.nse", categories = { "brute", "intrusive", } } Entry { filename = "vnc-brute.nse", categories = { "brute", "intrusive", } } Entry { filename = "vnc-info.nse", categories = { "default", "discovery", "safe", } } Entry { filename = "vuze-dht-info.nse", categories = { "discovery", "safe", } } diff --git a/scripts/vmauthd-brute.nse b/scripts/vmauthd-brute.nse new file mode 100644 index 000000000..490b097f3 --- /dev/null +++ b/scripts/vmauthd-brute.nse @@ -0,0 +1,116 @@ +description = [[ +Performs brute force password guessing against the VMWare Authentication Daemon (vmware-authd) +]] + +--- +-- @usage +-- nmap -p 902 --script vmauthd-brute +-- +-- @output +-- PORT STATE SERVICE +-- 902/tcp open iss-realsecure +-- | vmauthd-brute: +-- | Accounts +-- | root:00000 - Valid credentials +-- | Statistics +-- |_ Performed 183 guesses in 40 seconds, average tps: 4 +-- + +author = "Patrik Karlsson" +license = "Same as Nmap--See http://nmap.org/book/man-legal.html" +categories = {"brute", "intrusive"} + +require 'brute' +require 'shortport' + +portrule = shortport.port_or_service(902, {"ssl/vmware-auth", "vmware-auth"}, "tcp") + +local function fail(err) return ("\n ERROR: %s"):format(err) end + +Driver = { + + new = function(self, host, port, options) + local o = { host = host, port = port } + setmetatable(o, self) + self.__index = self + return o + end, + + connect = function(self) + self.socket = nmap.new_socket() + return self.socket:connect(self.host, self.port) + end, + + login = function(self, username, password) + local status, line = self.socket:receive_buf("\r\n") + if ( line:match("^220 VMware Authentication Daemon.*SSL Required") ) then + self.socket:reconnect_ssl() + end + + status = self.socket:send( ("USER %s\r\n"):format(username) ) + if ( not(status) ) then + local err = brute.Error:new( "Failed to send data to server" ) + err:setRetry( true ) + return false, err + end + + local status, response = self.socket:receive_buf("\r\n") + if ( not(status) or not(response:match("^331") ) ) then + local err = brute.Error:new( "Received unexpected response from server" ) + err:setRetry( true ) + return false, err + end + + status = self.socket:send( ("PASS %s\r\n"):format(password) ) + if ( not(status) ) then + local err = brute.Error:new( "Failed to send data to server" ) + err:setRetry( true ) + return false, err + end + status, response = self.socket:receive_buf("\r\n") + + if ( response:match("^230") ) then + return true, brute.Account:new(username, password, creds.State.VALID) + end + + return false, brute.Error:new( "Login incorrect" ) + end, + + disconnect = function(self) + return self.socket:close() + end + +} + +local function checkAuthd(host, port) + local socket = nmap.new_socket() + local status = socket:connect(host, port) + + if( not(status) ) then + return false, "Failed to connect to server" + end + + local status, line = socket:receive_buf("\r\n") + socket:close() + if ( not(status) ) then + return false, "Failed to receive response from server" + end + + if ( not( line:match("^220 VMware Authentication Daemon") ) ) then + return false, "Failed to detect VMWare Authentication Daemon" + end + return true +end + + +action = function(host, port) + local status, err = checkAuthd(host, port) + if ( not(status) ) then + return fail(err) + end + + local engine = brute.Engine:new(Driver, host, port) + engine.options.script_name = SCRIPT_NAME + status, result = engine:start() + return result +end