mirror of
https://github.com/nmap/nmap.git
synced 2025-12-06 04:31:29 +00:00
107 lines
2.6 KiB
Lua
107 lines
2.6 KiB
Lua
description = [[
|
|
Tries to log into a POP3 account by guessing usernames and passwords.
|
|
]]
|
|
|
|
---
|
|
-- @args pop3loginmethod The login method to use: <code>"USER"</code>
|
|
-- (default), <code>"SASL-PLAIN"</code>, <code>"SASL-LOGIN"</code>,
|
|
-- <code>"SASL-CRAM-MD5"</code>, or <code>"APOP"</code>.
|
|
--
|
|
-- @output
|
|
-- PORT STATE SERVICE
|
|
-- 110/tcp open pop3
|
|
-- | pop3-brute: root : password
|
|
|
|
author = "Philip Pickering"
|
|
license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
|
|
|
|
categories = {"intrusive", "brute"}
|
|
|
|
require 'pop3'
|
|
require 'shortport'
|
|
require 'unpwdb'
|
|
|
|
portrule = shortport.port_or_service({110, 995}, {"pop3","pop3s"})
|
|
|
|
action = function(host, port)
|
|
local pMeth = nmap.registry.args.pop3loginmethod
|
|
if (not pMeth) then pMeth = nmap.registry.pop3loginmethod end
|
|
if (not pMeth) then pMeth = "USER" end
|
|
|
|
local login
|
|
local additional
|
|
|
|
local stat = pop3.stat
|
|
|
|
if (pMeth == "USER") then
|
|
login = pop3.login_user
|
|
elseif (pMeth == "SASL-PLAIN") then
|
|
login = pop3.login_sasl_plain
|
|
elseif (pMeth == "SASL-LOGIN") then
|
|
login = login_sasl_login
|
|
elseif (pMeth == "SASL-CRAM-MD5") then
|
|
login = login_sasl_crammd5
|
|
elseif (pMeth == "APOP") then
|
|
login = login_apop
|
|
end
|
|
|
|
|
|
local status
|
|
local line
|
|
local socket = nmap.new_socket()
|
|
local opts = {timeout=10000, recv_before=true}
|
|
|
|
local socket, nothing, bopt, line = comm.tryssl(host, port, "" , opts)
|
|
|
|
if not socket then return end -- no connection
|
|
if not stat(line) then return end -- no pop-connection
|
|
|
|
local apopChallenge = string.match(line, "<[%p%w]+>")
|
|
|
|
if pMeth == "APOP" then
|
|
additional = apopChallenge
|
|
end
|
|
|
|
local getUser
|
|
local _
|
|
|
|
status, getUser = unpwdb.usernames()
|
|
if (not status) then return end
|
|
|
|
|
|
local currUser = getUser()
|
|
while currUser do
|
|
local getPW
|
|
status, getPW = unpwdb.passwords()
|
|
if (not status) then return end
|
|
|
|
local currPw = getPW()
|
|
|
|
while currPw do
|
|
local pstatus
|
|
local perror
|
|
|
|
pstatus, perror = login(socket, currUser, currPw, additional)
|
|
|
|
if (pstatus) then
|
|
return currUser .. " : " .. currPw
|
|
elseif (perror == pop3.err.pwError) then
|
|
currPw = getPW()
|
|
elseif (perror == pop3.err.userError) then
|
|
currPw = nil
|
|
else
|
|
local socstatus = socket:connect(host, port, bopt)
|
|
if not socstatus
|
|
then return
|
|
else _, line = socket:receive()
|
|
if not stat(line) then return end -- no connection
|
|
end
|
|
end
|
|
end
|
|
currUser = getUser()
|
|
getPW("reset")
|
|
end
|
|
return -- "wrong pw"
|
|
|
|
end
|