o [NSE] Added one script (vnc-brute) that performs password guessing against

VNC using the new brute library and another (vnc-info) that lists supported
  security mechanisms. [Patrik]

scripts/script.db

@@ -127,5 +127,7 @@ Entry { filename = "ssl-enum-ciphers.nse", categories = { "discovery", "intrusiv
 Entry { filename = "sslv2.nse", categories = { "default", "safe", } }
 Entry { filename = "telnet-brute.nse", categories = { "auth", "intrusive", } }
 Entry { filename = "upnp-info.nse", categories = { "default", "safe", } }
+Entry { filename = "vnc-brute.nse", categories = { "auth", "intrusive", } }
+Entry { filename = "vnc-info.nse", categories = { "discovery", "safe", } }
 Entry { filename = "whois.nse", categories = { "discovery", "external", "safe", } }
 Entry { filename = "x11-access.nse", categories = { "auth", "default", "safe", } }

scripts/vnc-brute.nse

@@ -0,0 +1,141 @@
+description = [[
+Performs password guessing against VNC
+]]
+
+---
+-- @usage
+-- nmap --script vnc-brute -p 5900 <host>
+--
+-- @output
+-- PORT     STATE  SERVICE REASON
+-- 5900/tcp open   vnc     syn-ack
+-- | vnc-brute:  
+-- |   Accounts
+-- |_    123456 => Login correct
+--
+-- Summary
+-- -------
+--   x The Driver class contains the driver implementation used by the brute
+--     library
+--
+--
+
+--
+-- Version 0.1
+-- Created 07/12/2010 - v0.1 - created by Patrik Karlsson <patrik@cqure.net>
+--
+
+author = "Patrik Karlsson"
+license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
+categories = {"intrusive", "auth"}
+
+require 'shortport'
+require 'brute'
+require 'vnc'
+
+portrule = shortport.port_or_service(5901, "vnc", "tcp", "open")
+
+Driver = 
+{
+
+	new = function(self, host, port)
+		local o = {}
+       	setmetatable(o, self)
+        self.__index = self
+		o.host = host
+		o.port = port
+		return o
+	end,
+	
+	connect = function( self )
+		local status, data 
+		self.vnc = vnc.VNC:new( self.host.ip, self.port.number )
+		status, data = self.vnc:connect()
+		if ( not(status) ) then
+			local err = brute.Error:new( "VNC connect failed" )
+			-- This might be temporary, set the retry flag
+			err:setRetry( true )
+			return false, err
+		end
+		return true
+	end,
+	--- Attempts to login to the VNC server
+	--
+	-- @param username string containing the login username
+	-- @param password string containing the login password
+	-- @return status, true on success, false on failure
+	-- @return brute.Error object on failure
+	--         brute.Account object on success
+	login = function( self, username, password )
+
+		local status, data = self.vnc:handshake()
+		if ( not(status) and data:match("Too many authentication failures") ) then
+			local err = brute.Error:new( data )
+			err:setAbort( true )
+			return false, err			
+		elseif ( not(status) ) then
+			local err = brute.Error:new( "VNC handshake failed" )
+			-- This might be temporary, set the retry flag
+			err:setRetry( true )
+			return false, err
+		end
+
+		status, data = self.vnc:login( nil, password )
+
+		if ( status ) then
+			return true, brute.Account:new("", password, "OPEN")
+		elseif ( not( data:match("Authentication failed") ) ) then
+			local err = brute.Error:new( data )
+			-- This might be temporary, set the retry flag
+			err:setRetry( true )
+			return false, err			
+		end
+
+		return false, brute.Error:new( "Incorrect password" )
+
+	end,
+	
+	disconnect = function( self )
+		self.vnc:disconnect()
+	end,
+	
+	check = function( self )
+		local vnc = vnc.VNC:new( self.host.ip, self.port.number )
+		local status, data 
+
+		status, data = vnc:connect()
+		if ( not(status) ) then
+			return stdnse.format_output( false, data )
+		end
+
+		status, data = vnc:handshake()
+		if ( not(status) ) then
+			return stdnse.format_output( false, data )
+		end
+
+		if ( vnc:supportsSecType(vnc.sectypes.NONE) ) then
+			return false, "No authentication required"
+		end
+
+		status, data = vnc:login( nil, "is_sec_mec_supported?" )
+		if ( data:match("The server does not support.*security type") ) then
+			return stdnse.format_output( false, "  \n  " .. data )
+		end
+				
+		return true
+	end,
+	
+}
+
+
+action = function(host, port)
+	local status, result 
+	local engine = brute.Engine:new(Driver, host, port )
+	
+	engine.options.firstonly = true
+	engine.options:setOption( "passonly", true )
+	
+	status, result = engine:start()
+
+	return result
+end

scripts/vnc-info.nse

@@ -0,0 +1,57 @@
+description = [[
+Queries a VNC server for the supported security types
+]]
+
+author = "Patrik Karlsson"
+license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
+categories = {"discovery", "safe"}
+
+---
+-- @output
+-- PORT    STATE SERVICE
+-- 5900/tcp open  vnc
+-- | vnc-info:  
+-- |   Protocol version: 3.889
+-- |   Security types:
+-- |     Mac OS X security type (30)
+-- |_    Mac OS X security type (35)
+--
+
+-- Version 0.2
+
+-- Created 07/07/2010 - v0.1 - created by Patrik Karlsson <patrik@cqure.net>
+-- Revised 08/14/2010 - v0.2 - changed so that errors are reported even without debugging
+
+require 'shortport'
+require 'vnc'
+
+portrule = shortport.port_or_service( {5900, 5901, 5902} , "vnc", "tcp", "open")
+
+action = function(host, port)
+
+	local vnc = vnc.VNC:new( host.ip, port.number )
+	local status, data
+	local result = {}
+	
+	status, data = vnc:connect()
+	if ( not(status) ) then	return "  \n  ERROR: " .. data end
+	
+	status, data = vnc:handshake()
+	if ( not(status) ) then	return "  \n  ERROR: " .. data end
+
+	status, data = vnc:getSecTypesAsStringTable()
+	if ( not(status) ) then	return "  \n  ERROR: " .. data end
+
+	table.insert(result, ("Protocol version: %s"):format(vnc:getProtocolVersion()) )
+
+	if ( data and #data ~= 0 ) then
+		data.name = "Security types:"
+		table.insert( result, data )
+	end
+	
+	if ( vnc:supportsSecType(vnc.sectypes.NONE) ) then
+		table.insert(result, "WARNING: Server does not require authentication")
+	end
+	
+	return stdnse.format_output(status, result)
+end