PenTest/nmap
1
0
Fork 0
mirror of https://github.com/nmap/nmap.git synced 2025-12-06 12:41:29 +00:00
Code Issues Projects Releases Wiki Activity
Files
90a2819a04ca301264ce06df938712beb286d76f
nmap/scripts/netbus-auth-bypass.nse
david 90a2819a04 o [NSE] Added scripts by Toni Ruotto communicating with the NetBus 
remote administration/backdoor program.
  - netbus-info: gets configuration information.
  - netbus-brute: guesses passwords.
  - netbus-version: distinguishes NetBus from NetBuster, a program
    that mimics the protocol but doesn't actually allow any
    operations.
  - netbus-auth-bypass: Checks for a bug in the server that allows
    connecting without a password.
2010-12-13 18:00:02 +00:00

56 lines
1.5 KiB
Lua
Raw Blame History

description = [[
Checks if a NetBus server is vulnerable to authentication bypass.
Servers with this vulnerability can be accessed without knowing
the password.
For example a server running on TCP port 12345 on localhost with
this vulnerability is accessible to anyone. An attacker could
simply form a connection to the server ( ncat -C 127.0.0.1 12345 )
and login to the service by typing Password;1; into the console.
]]
---
-- @output
-- 12345/tcp open netbus
-- |_netbus-auth-bypass: Vulnerable
author = "Toni Ruottu"
license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
categories = {"default", "vuln", "safe"}
require("nmap")
require("stdnse")
require("shortport")
dependencies = {"netbus-version", "netbus-brute", "netbus-info"}
portrule = shortport.port_or_service (12345, "netbus", {"tcp"})
action = function( host, port )
local socket = nmap.new_socket()
local status, err = socket:connect(host.ip, port.number)
if not status then
return
end
local buffer, _ = stdnse.make_buffer(socket, "\r")
buffer() --discard banner
-- The first argument of Password is the super-login bit.
-- On vulnerable servers any password will do as long as
-- we send the super-login bit. Regular NetBus has only
-- one password. Thus, if we can login with two different
-- passwords using super-login, the server is vulnerable.
socket:send("Password;1;\r") --password: empty
if buffer() ~= "Access;1" then
return
end
socket:send("Password;1; \r") --password: space
if buffer() == "Access;1" then
return "Vulnerable"
end
return
end
Reference in New Issue View Git Blame Copy Permalink