PenTest/nmap
1
0
Fork 0
mirror of https://github.com/nmap/nmap.git synced 2025-12-09 06:01:28 +00:00
Code Issues Projects Releases Wiki Activity
Files
7cf7259f9d273d393c2033cdd4619c5557c51bee
nmap/scripts/RealVNC_auth_bypass.nse
kris c7eb8011d9 NSE now has a "default" category for scripts. This category holds the set 
of scripts chosen from when using -sC (but it's still just another category
and so can be chosen with --script like any other).

On top of updating the docs with information about this new category, I've
also updated sections to emphasize that the "default" category, -sC and -A
are considered intrusive and should not be run against target networks
without permission.

The new list is very similar to the previous "safe,intrusive" list:

Added: finger, ircServerInfo, RealVNC_auth_bypass
Removed: HTTPpasswd

Here are the 21 scripts in this new category:

anonFTP
dns-test-open-recursion
finger
ftpbounce
HTTPAuth
HTTP_open_proxy
ircServerInfo
MSSQLm
MySQLinfo
nbstat
RealVNC_auth_bypass
robots
rpcinfo
showHTMLTitle
showOwner
SMTPcommands
SNMPsysdesr
SSHv1-support
SSLv2-support
UPnP-info
zoneTrans
2008-05-28 07:16:32 +00:00

56 lines
1.1 KiB
Lua
Raw Blame History

id="RealVNC Authentication Bypass (CVE-2006-2369)"
description="Checks to see if the VNC Server is vulnerable to the RealVNC authentication bypass."
author = "Brandon Enright <bmenrigh@ucsd.edu>"
license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
categories = {"default", "backdoor"}
require "shortport"
portrule = shortport.port_or_service(5900, "vnc")
action = function(host, port)
local socket = nmap.new_socket()
local result
local status = true
socket:connect(host.ip, port.number, port.protocol)
status, result = socket:receive_lines(1)
if (result == "TIMEOUT") then
socket:close()
return
end
socket:send("RFB 003.008\n")
status, result = socket:receive_bytes(2)
if (result == "TIMEOUT") then
socket:close()
return
end
if (result ~= "\001\002") then
socket:close()
return
end
socket:send("\001")
status, result = socket:receive_bytes(4)
if (result == "TIMEOUT") then
socket:close()
return
end
if (result ~= "\000\000\000\000") then
socket:close()
return
end
socket:close()
return "Vulnerable"
end
Reference in New Issue View Git Blame Copy Permalink