diff --git a/nselib/vnc.lua b/nselib/vnc.lua
index f28402c38..a48bbb006 100644
--- a/nselib/vnc.lua
+++ b/nselib/vnc.lua
@@ -380,6 +380,7 @@ VNC = {
   end,
   login_aten = function(self, username, password)
+    username = username or ""
     self.socket:send(username .. ("\0"):rep(24 - #username) .. password .. ("\0"):rep(24 - #password))
     return self:check_auth_result()
   end,
@@ -649,6 +650,7 @@ VNC = {
   end,
   login_plain = function(self, username, password)
+    username = username or ""
     local status = self.socket:send(bin.pack(">IIAA", #username, #password, username, password))
     if not status then
       return false, "Failed to send plain auth"
diff --git a/scripts/vnc-brute.nse b/scripts/vnc-brute.nse
index 3178b8385..f1c3f79f5 100644
--- a/scripts/vnc-brute.nse
+++ b/scripts/vnc-brute.nse
@@ -11,6 +11,10 @@ Performs brute force password auditing against VNC servers.
 ---
 -- @see realvnc-auth-bypass.nse
 --
+-- @args vnc-brute.bruteusers If set, allows the script to iterate over
+-- usernames for auth types that require it (plain,
+-- SASL (not supported), and ATEN) Default: false,
+-- since most VNC auth types are password-only.
 -- @usage
 -- nmap --script vnc-brute -p 5900
 --
@@ -20,7 +24,7 @@ Performs brute force password auditing against VNC servers.
 -- | vnc-brute:
 -- |   Accounts
 -- |_    123456 => Valid credentials
---
+
 -- Summary
 -- -------
 --   x The Driver class contains the driver implementation used by the brute
@@ -86,10 +90,10 @@ Driver =
       return false, err
     end
-    status, data = self.vnc:login( nil, password )
+    status, data = self.vnc:login( username, password )
     if ( status ) then
-      return true, creds.Account:new("", password, creds.State.VALID)
+      return true, creds.Account:new(username, password, creds.State.VALID)
     elseif ( not( data:match("Authentication failed") ) ) then
       local err = brute.Error:new( data )
       -- This might be temporary, set the retry flag
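Review bot: The new `username = username or ""` at the top of login_aten does not address the length assumption on the very next line: `("\0"):rep(24 - #username)` yields an empty string for a negative count, so a username or password longer than 24 bytes is sent unpadded and over-length, leaving the session desynchronized instead of failing cleanly. `password` is also still used unguarded, so a nil password raises a Lua error rather than returning `false, msg` the way the other login paths in this library do. I would put `password = password or ""` beside the added line and guard the send with `if #username > 24 or #password > 24 then return false, "ATEN credentials are limited to 24 bytes" end`. The two fixed 24-byte fields are read off the send line itself; that the server enforces the same size is an assumption to confirm against the ATEN protocol.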
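Review bot: Only username gets a nil default in login_plain; `#password` on the following `bin.pack` line still errors on a nil password, so `password = password or ""` belongs next to the added line, matching login_aten in the same commit. A one-line comment above the send would also help readers: `-- Plain auth: both credentials go over the wire unencoded` — the pack format `">IIAA"` shows no transformation, while whether a TLS/VeNCrypt layer was negotiated beforehand is decided outside this hunk and should be confirmed. The body of login_plain continues past the end of the hunk.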
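Review bot: The new @args entry does not say how the flag is interpreted: the action hunk further down uses the raw `stdnse.get_script_args` value as `not bruteusers`, so any value — including `vnc-brute.bruteusers=false`, which is a non-empty and therefore truthy string — enables username iteration, and only omitting the argument keeps the password-only default. I would make that explicit, e.g. `-- @args vnc-brute.bruteusers If present (any value), iterate over usernames`, and add a second usage line `-- nmap --script vnc-brute --script-args vnc-brute.bruteusers=1 -p 5900` beneath the existing one. Minor wording: `and ATEN) Default: false,` is missing a sentence break before `Default`.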
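Review bot: The username is now passed to `self.vnc:login` regardless of which security type the server negotiated, but nothing in the driver limits username iteration to the types the @args text names (plain, ATEN); with bruteusers set against a password-only type such as classic VNC challenge-response, each password is retried once per username, which adds no coverage and makes account lockouts or source blacklisting more likely. If the vnc object exposes the negotiated security type (not visible in this hunk — confirm in nselib/vnc.lua), I would skip the username dimension for password-only types, or at minimum note the trade-off above the call: `-- username is ignored by password-only security types; see bruteusers`. The enclosing Driver.login starts before this hunk.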
@@ -141,12 +145,13 @@ Driver =
 action = function(host, port)
+  local bruteusers = stdnse.get_script_args(SCRIPT_NAME .. ".bruteusers")
   local status, result
   local engine = brute.Engine:new(Driver, host, port )
   engine.options.script_name = SCRIPT_NAME
   engine.options.firstonly = true
-  engine.options:setOption( "passonly", true )
+  engine.options:setOption( "passonly", not bruteusers )
   status, result = engine:start()