Home page logo
/

nmap-dev logo Nmap Development mailing list archives

Re: [NSE] password guessers for vulnerability scanners and exploitation frameworks
From: Patrik Karlsson <patrik () cqure net>
Date: Thu, 10 Nov 2011 08:23:34 +0100

On Thu, Nov 10, 2011 at 3:09 AM, Vlatko Kosturjak <kost () linux hr> wrote:

Hello!

Some time ago, I've sent link to the NSE scripts for guessing passwords on
popular vulnerability scanners on github:
https://github.com/kost/vulnscan-pwcrack

I have rewritten all those scripts to use new brute library. I have used
some existing NSE examples (mostly from Patrick) from Nmap SVN while doing
that.

As I see people are doing already done job (Henry OMP, Patrick NTP),
I'm sending these scripts directly to the mailing list now - hopefully for
inclusion.

So, the scripts are (I guess they are self descriptive):
metasploit-xmlrpc-brute.nse
nessus-ntp-brute.nse
nessus-xmlrpc-brute.nse
nexpose-brute.nse
openvas-omp-brute.nse
openvas-otp-brute.nse

Since Nmap does not detect all the services correctly, I'm sending patch
to the
nmap services probes against the latest SVN version.

Still, there are some issues - mainly with nessus-xmlrpc-brute.nse as I
have
to force SSL in http.post by modifying NSE source in order to execute the
script correctly. Looks like Nmap is trying to talk HTTP to the HTTPS
server
when using http.post in NSE although it detected it as ssl tunneled service
in version scan phase.

If these scripts look fine, i have some *enum scripts ready to send as well
(but these scripts depend on the scripts in attachment).

BTW Patrick, I see you have problems with threads in NTP brute. I have
tested
my version of the script and I'm not experiencing that. Could you tell me
what I need to do to reproduce that? Also, if you check my script - I have
sacrificed robustness of the script for the speed.

Let me know your comments,
--
Vlatko Kosturjak - KoSt

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/


Thanks Kost!

I'll check your scripts out later today!
In regards to Nessus NTP I believe I was seeing that the account could not
be reliably detected in case the dictionary was big and the brute ran with
multiple threads for a while. I'll see if I can find that out for you and
let you know.

//Patrik
-- 
Patrik Karlsson
http://www.cqure.net
http://twitter.com/nevdull77
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault