Add omp2-brute and omp2-enum-targets from Henri Doreau.

2026-01-02 21:09:00 +00:00 · 2011-04-20 23:44:16 +00:00
parent 3447e2a6a2
commit fef214063a
5 changed files with 393 additions and 0 deletions
--- a/scripts/omp2-brute.nse
+++ b/scripts/omp2-brute.nse
@@ -0,0 +1,83 @@
+description = [[
+Performs brute force password auditing against the OpenVAS manager using OMPv2.
+]]
+
+---
+-- @usage
+-- nmap -p 9390 --script omp2-brute <target>
+--
+-- @output
+-- PORT     STATE SERVICE REASON
+-- 9390/tcp open  openvas syn-ack
+-- | svn-brute:
+-- |   Accounts
+-- |_    admin:secret => Login correct
+--
+
+author = "Henri Doreau"
+license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
+categories = {"auth", "intrusive"}
+
+require("omp2")
+require("nmap")
+require("brute")
+require("shortport")
+
+
+portrule = shortport.port_or_service(9390, "openvas")
+
+
+Driver = {
+  new = function(self, host, port)
+    local o = {}
+    setmetatable(o, self)
+    self.__index = self
+    o.host = host
+    o.port = port
+    o.session = omp2.Session:new()
+    return o
+  end,
+
+  --- Connects to the OpenVAS Manager
+  --
+  -- @return status boolean for connection success/failure
+  -- @return err string describing the error on failure
+  connect = function(self)
+    return self.session:connect(self.host, self.port)
+  end,
+
+  --- Closes connection
+  --
+  -- @return status boolean for closing success/failure
+  disconnect = function(self)
+    return self.session:close()
+  end,
+
+  --- Attempts to login the the OpenVAS Manager using a given username/password
+  -- couple. Store the credentials in the registry on success.
+  --
+  -- @param username string containing the login username
+  -- @param password string containing the login password
+  -- @return status boolean for login success/failure
+  -- @return err string describing the error on failure
+  login = function(self, username, password)
+    if self.session:authenticate(username, password) then
+      -- store the account for possible future use
+      omp2.add_account(self.host, username, password)
+      return true, brute.Account:new(username, password, "OPEN")
+    else
+      return false, brute.Error:new("login failed")
+    end
+  end,
+
+  --- Deprecated
+  check = function(self)
+    return true
+  end,
+}
+
+action = function(host, port)
+  local status, result = brute.Engine:new(Driver, host, port):start()
+  return result
+end
+
--- a/scripts/omp2-enum-targets.nse
+++ b/scripts/omp2-enum-targets.nse
@@ -0,0 +1,125 @@
+description = [[
+Attempts to get the list of targets from an OpenVAS Manager server.
+
+The script authenticates on the manager using provided or previously cracked
+credentials and gets the list of defined targets for each account.
+
+These targets will be added to the scanning queue in case
+<code>newtargets</code> global variable is set.
+]]
+
+---
+-- @usage
+-- nmap -p 9390 --script omp2-brute,omp2-enum-targets <target>
+--
+-- @usage
+-- nmap -p 9390 --script omp2-enum-targets --script-args omp2.username=admin,omp2.password=secret <target>
+--
+-- @output
+-- PORT     STATE SERVICE
+-- 9390/tcp open  openvas
+-- | omp2-enum-targets:
+-- |
+-- |  Targets for account admin:
+-- |  TARGET              HOSTS
+-- |  Sales network       192.168.20.0/24
+-- |  Production network  192.168.30.0/24
+-- |_ Firewall            192.168.1.254
+--
+
+
+author = "Henri Doreau"
+license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
+categories = {"discovery", "safe"}
+dependencies = {"omp2-brute"}
+
+
+require("tab")
+require("omp2")
+require("target")
+require("stdnse")
+require("shortport")
+
+
+portrule = shortport.port_or_service(9390, "openvas")
+
+
+--- Return the list of targets defined for a given user
+--
+-- @param host the target host table
+-- @param port the targetted OMP port
+-- @param username the username to use to login
+-- @param password the password to use to login
+-- @return the list of targets for this user or nil
+local function account_enum_targets(host, port, username, password)
+  local targets
+  local session = omp2.Session:new()
+
+  local status, err = session:connect(host, port)
+
+  if not status then
+    stdnse.print_debug("%s: connection failure (%s)", SCRIPT_NAME, err)
+    return nil
+  end
+
+  if session:authenticate(username, password) then
+    targets = session:ls_targets()
+  else
+    stdnse.print_debug("%s: authentication failure (%s:%s)", SCRIPT_NAME, username, password)
+  end
+
+  session:close()
+
+  return targets
+end
+
+--- Generate the output string representing the list of discovered targets
+--
+-- @param targets the list of targets as a name->hosts mapping
+-- @return the array as a formatted string
+local function report(targets)
+  local outtab = tab.new()
+
+  tab.add(outtab, 1, "TARGET")
+  tab.add(outtab, 2, "HOSTS")
+  tab.nextrow(outtab)
+
+  for name, hosts in pairs(targets) do
+    tab.addrow(outtab, name, hosts)
+  end
+
+  return tab.dump(outtab)
+end
+
+action = function(host, port)
+  local results = {}
+  local credentials = omp2.get_accounts(host)
+
+  if not credentials then
+    -- unable to authenticate on the server
+    return "No valid account available!"
+  end
+
+  for _, account in pairs(credentials) do
+
+    local username, password = account.username, account.password
+
+    local targets = account_enum_targets(host, port, username, password)
+
+    if targets ~= nil then
+      table.insert(results, "\nTargets for account " .. username .. ":")
+      table.insert(results, report(targets))
+    else
+      table.insert(results, "\nNo targets found for account " .. username)
+    end
+
+    if target.ALLOW_NEW_TARGETS and targets ~= nil then
+      stdnse.print_debug("%s: adding new targets %s", SCRIPT_NAME, stdnse.strjoin(", ", targets))
+      target.add(unpack(targets))
+    end
+
+  end
+
+  return stdnse.format_output(true, results)
+end
+
--- a/scripts/script.db
+++ b/scripts/script.db
@@ -119,6 +119,8 @@ Entry { filename = "nping-brute.nse", categories = { "auth", "intrusive", } }
 Entry { filename = "nrpe-enum.nse", categories = { "discovery", "intrusive", } }
 Entry { filename = "ntp-info.nse", categories = { "default", "discovery", "safe", } }
 Entry { filename = "ntp-monlist.nse", categories = { "discovery", "intrusive", } }
+Entry { filename = "omp2-brute.nse", categories = { "auth", "intrusive", } }
+Entry { filename = "omp2-enum-targets.nse", categories = { "discovery", "safe", } }
 Entry { filename = "oracle-brute.nse", categories = { "auth", "intrusive", } }
 Entry { filename = "oracle-enum-users.nse", categories = { "auth", "intrusive", } }
 Entry { filename = "oracle-sid-brute.nse", categories = { "auth", "intrusive", } }