http://seclists.org/nmap-dev/2013/q3/249
- Multi-threaded (thanks to nselib/brute.lua)
- Can automatically reduce number of threads if it senses that the
target supports less than what brute.lua wants to use. Without this
feature the script tends to bail out because brute.lua default of 10
threads is too much for a lot of telnet targets. This saves the user
the trouble of finding out how much the target can take before
launching the script.
- Uses connection pooling for sending multiple login attempts across
the same connection. This significantly improves performance.
- Supports password-only logins.
Other changes:
- Fixed support for Windows telnet service.
Added support for Netgear RM356.
- Improved accuracy of target state detection.
Tested on:
- Cisco IOS
- Linux telnetd
- Windows telnet service
- Digital Sprite 2
- Nortel Contivity
- Netgear RM356
- Hummingbird telnetd
This prevents nsock from iterating over the whole list of events at
each runloop, thus improving performance.
It made it necessary to have pointers from the msevents to the event
lists they belong to. The patch therefore also changes gh_list from
autonomous containers to embedded structures.
Added unit tests accordingly and cosmetic changes to make things look
more consistent.
Having this entry made it appear as if there was a search criterion
named for the empty string; i.e., a string like ":foobar" would be
parsed as an operator "" with an argument "foobar". There was no match
function defined for the empty string, which led to this crash:
Version: 6.25
Traceback (most recent call last):
File "/usr/lib/python2.7/dist-packages/zenmapGUI/ScanInterface.py", line 247, in filter_hosts
self.inventory.apply_filter(filter_string)
File "/usr/lib/python2.7/dist-packages/zenmapCore/NetworkInventory.py", line 502, in apply_filter
if not self._match_all_args(host, operator, args):
File "/usr/lib/python2.7/dist-packages/zenmapCore/NetworkInventory.py", line 452, in _match_all_args
if positive != self.__getattribute__("match_%s" % operator)(host, arg):
AttributeError: 'FilteredNetworkInventory' object has no attribute 'match_'
I did some quick tests and plain keyword searching (with no colon) seems
to still work. I'm not sure why the "" entry was ever present.
Reported by Kris Paernell.
http://seclists.org/nmap-dev/2013/q3/38
If you ran the (fortunately non-default) http-domino-enum-passwords
script with the (fortunately also non-default)
domino-enum-passwords.idpath parameter against a malicious server,
it could cause an arbitrarily named file to to be written to the
client system. Thanks to Trustwave researcher Piotr Duszynski for
discovering and reporting the problem. We've fixed that script, and
also updated several other scripts to use a new
stdnse.filename_escape function for extra safety. This breaks our
record of never having a vulnerability in the 16 years that Nmap has
existed, but that's still a fairly good run. [David, Fyodor]
This is the site-local prefix deprecated by RFC 3879. Suggested by Marek
Majkowski, who noticed that the prefix was included in Tor's
tor_addr_is_internal_ function.
Removed some non-ANSI-C strftime format strings ("%F") and
locale-dependent formats ("%c") from NSE scripts and libraries.
C99-specified %F was noticed by Alex Weber
(http://seclists.org/nmap-dev/2013/q2/300)
http://seclists.org/nmap-dev/2013/q2/101
- Changed line termination from \r\0 to \r\n.
- Changed response to the telnet server ECHO "will" / "will not" from
outright "do not" to an agreement with whatever the server proposes
to make the script work with some daemons.
- Removed use of receive_lines(), which was causing either time-outs or
unnecessary connection tear-downs due to waiting on a line
termination. This change improved the script success rate and/or
performance (5x in some cases).
- Exposed the connection time-out value as a configurable parameter
(telnet-brute.timeout). It defaults to 5s.
- Improved handling of connection errors, which were occassionally
causing credential combinations to be skipped.
- Updated the logged-in status detection logic to make the script work
with some daemons.
- Avoided overlapping connections to make the script work with daemons
that allow only one connection at a time.
- Replaced a locally defined routine with stdnse.string_or_blank() for
printing out credentials. Changed printing of tested credentials in
the debug output to be consistent with script results.
- Script will now report if it senses password-only authentication.
- Implemented detailed debug messages (e.g. "Sending password") at
debug level 3 (configurable).
- Expanded the script documentation.
Kenneth Frazier reported that sometimes Nmap would use name servers from
inactive interfaces. Let's try checking the interface GUIDs against
those known by libpcap.
http://seclists.org/nmap-dev/2013/q1/292
