Home page logo
/

nmap-dev logo Nmap Development mailing list archives

New http brute scripts: http-wordpress-brute and http-joomla-brute
From: Paulino Calderon <paulino () calderonpale com>
Date: Thu, 09 Jun 2011 01:07:40 -0700

Nmap-dev,

    I'm attaching my latest http brute scripts:

* http-wordpress-brute: Brute force password auditing for Wordpress installations:

description = [[
Performs a brute force password attack against Wordpress installations.

Wordpress default uri and form names:
* Default uri:<code>wp-login.php</code>
* Default uservar: <code>log</code>
* Default passvar: <code>pwd</code>
]]

---
-- @usage
-- nmap -p80 --script http-wordpress-brute
-- --script-args 'userdb=users.txt,passdb=passwds.txt,http-wordpress-brute.hostname=domain.com, -- http-wordpress-brute.threads=3,brute.firstonly=true' <ip>
--
-- This script uses the unpwdb and brute libraries to perform password
-- guessing. Any successful guesses are stored in the nmap registry, under
-- the nmap.registry.credentials.http key for other scripts to use.
--
-- @output
-- PORT     STATE SERVICE REASON
-- 80/tcp   open  http    syn-ack
-- | http-wordpress-brute:
-- |   Accounts
-- |     0xdeadb33f:god => Login correct
-- |   Statistics
-- |_    Perfomed 103 guesses in 17 seconds, average tps: 6
--
--
-- @args http-wordpress-brute.uri points to the file 'wp-login.php'
-- @args http-wordpress-brute.hostname sets the host header in case of virtual
--       hosting
-- @args http-wordpress-brute.uservar sets the http-variable name that holds the
--         username used to authenticate. Defaults are used if not set.
-- @args http-wordpress-brute.passvar sets the http-variable name that holds the
--         password used to authenticate. Defaults are used if not set.
-- @args http-wordpress-brute.threads sets the number of threads. Default: 3
--
-- Other useful arguments when using this script are:
-- * http.useragent = String - User Agent used in HTTP requests
-- * brute.firstonly = Boolean - Stop attack when the first credentials are found
-- * brute.mode = user/creds/pass - Username password iterator
-- * passdb = String - Path to password list
-- * userdb = String - Path to user list
--


* http-joomla-brute: Brute force password auditing for Joomla installations:
description = [[
Performs a brute force password attack against Joomla installations.

This script initially reads the session cookie and parses the security token to perfom the brute force password auditing.

Joomla's default uri and form names:
* Default uri:<code>/administrator/index.php</code>
* Default uservar: <code>username</code>
* Default passvar: <code>passwd</code>
]]

---
-- @usage
-- nmap -p80 --script http-joomla-brute
-- --script-args 'userdb=users.txt,passdb=passwds.txt,http-joomla-brute.hostname=domain.com, -- http-joomla-brute.threads=3,brute.firstonly=true' <ip/domain>
--
-- This script uses the unpwdb and brute libraries to perform password
-- guessing. Any successful guesses are stored in the nmap registry, under
-- the <code>nmap.registry.credentials.http</code> key for other scripts to use.
--
-- @output
-- PORT     STATE SERVICE REASON
-- 80/tcp open  http    syn-ack
-- | http-joomla-brute:
-- |   Accounts
-- |     xdeadbee:i79eWBj07g => Login correct
-- |   Statistics
-- |_    Perfomed 499 guesses in 301 seconds, average tps: 0
--
-- @args http-joomla-brute.uri Path to authentication script. Default: /administrator/index.php
-- @args http-joomla-brute.hostname Virtual Hostname Header
-- @args http-joomla-brute.uservar sets the http-variable name that holds the
--         username used to authenticate. Default: username
-- @args http-joomla-brute.passvar sets the http-variable name that holds the
--         password used to authenticate. Default: passwd
-- @args http-joomla-brute.threads sets the number of threads. Default: 3
--
-- Other useful arguments when using this script are:
-- * http.useragent = String - User Agent used in HTTP requests
-- * brute.firstonly = Boolean - Stop attack when the first credentials are found
-- * brute.mode = user/creds/pass - Username password iterator
-- * passdb = String - Path to password list
-- * userdb = String - Path to user list
--


Thanks for the feedback.

* Based on Patrik Karlsson's http-form-brute

--
Paulino Calderón Pale
Web:http://calderonpale.com
Twitter:http://www.twitter.com/paulinocaIderon

Attachment: http-joomla-brute.nse
Description:

Attachment: http-wordpress-brute.nse
Description:

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/

  By Date           By Thread  

Current thread:
  • New http brute scripts: http-wordpress-brute and http-joomla-brute Paulino Calderon (Jun 09)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]