nmap/scripts/netbus-auth-bypass.nse
dmiller 6139ed22e7 Replace host.ip, port.number with host, port
In most cases (e.g. any of the nmap.socket operations), functions can
take full host and port tables instead of just host.ip and port.number.
This makes for cleaner-looking code and easier extensibility if we
decide to check for a protocol on both TCP and UDP, for instance.
2015-02-18 14:38:42 +00:00


local nmap = require "nmap"
local shortport = require "shortport"
local stdnse = require "stdnse"
--- NSE script metadata: human-readable description shown in `--script-help`.
description = [[
Checks if a NetBus server is vulnerable to an authentication bypass
vulnerability which allows full access without knowing the password.
For example a server running on TCP port 12345 on localhost with
this vulnerability is accessible to anyone. An attacker could
simply form a connection to the server ( ncat -C 127.0.0.1 12345 )
and login to the service by typing Password;1; into the console.
]]
---
-- @usage
-- nmap -p 12345 --script netbus-auth-bypass <target>
--
-- @output
-- 12345/tcp open netbus
-- |_netbus-auth-bypass: Vulnerable
author = "Toni Ruottu"
license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
-- Script categories used by `--script` selection; "safe" because the
-- script only sends two login attempts and never changes server state.
categories = {
  "auth",
  "safe",
  "vuln",
}
-- Scripts that must run first so they can share the same port/service.
dependencies = {
  "netbus-version",
  "netbus-brute",
  "netbus-info",
}
-- Run against TCP port 12345 or any port identified as the "netbus" service.
portrule = shortport.port_or_service(12345, "netbus", {"tcp"})
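--- Script action: probe a NetBus server for the super-login auth bypass.
--
-- Connects to the target, checks the banner, then attempts two
-- super-login ("Password;1;...") logins with different passwords.
-- Every exit path after a successful connect closes the socket so the
-- connection is not left dangling until garbage collection.
--
-- @param host Nmap host table.
-- @param port Nmap port table.
-- @return "Vulnerable" when both logins are accepted,
--   "Not vulnerable, but password is empty" when only the first is,
--   nil when the connection fails, the banner is not NetBus, or the
--   first login is rejected.
action = function( host, port )
  local socket = nmap.new_socket()
  local status, err = socket:connect(host, port)
  if not status then
    stdnse.debug1("Connection failed: %s", tostring(err))
    return
  end

  -- Close the socket and pass the script result through, so that every
  -- return below releases the connection.
  local function finish(result)
    socket:close()
    return result
  end

  -- make_buffer() yields one "\r"-delimited record per call
  -- (nil when the peer closes the connection or a read fails).
  local buffer = stdnse.make_buffer(socket, "\r")

  local banner = buffer()
  if not (banner and banner:match("^NetBus")) then
    stdnse.debug1("Not NetBus")
    return finish(nil)
  end

  -- The first argument of Password is the super-login bit.
  -- On vulnerable servers any password will do as long as
  -- we send the super-login bit. Regular NetBus has only
  -- one password. Thus, if we can login with two different
  -- passwords using super-login, the server is vulnerable.
  status = socket:send("Password;1;\r") --password: empty
  if not status or buffer() ~= "Access;1" then
    -- Send failure or login rejected: nothing to report.
    return finish(nil)
  end

  status = socket:send("Password;1; \r") --password: space
  if status and buffer() == "Access;1" then
    return finish("Vulnerable")
  end
  return finish("Not vulnerable, but password is empty")
end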