Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
nmapPatrik KarlssonNMAP:AJP-BRUTE.NSE
HistoryMay 14, 2012 - 9:30 p.m.

ajp-brute NSE Script

2012-05-1421:30:24
Patrik Karlsson
nmap.org
461

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

10 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

0.973 High

EPSS

Percentile

99.8%

JSON

Performs brute force passwords auditing against the Apache JServ protocol. The Apache JServ Protocol is commonly used by web servers to communicate with back-end Java application server containers.

Script Arguments

ajp-brute.path

URL path to request. Default: /

creds.[service], creds.global

See the documentation for the creds library.

smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername

See the documentation for the smbauth library.

passdb, unpwdb.passlimit, unpwdb.timelimit, unpwdb.userlimit, userdb

See the documentation for the unpwdb library.

brute.credfile, brute.delay, brute.emptypass, brute.firstonly, brute.guesses, brute.mode, brute.passonly, brute.retries, brute.start, brute.threads, brute.unique, brute.useraspass

See the documentation for the brute library.

slaxml.debug

See the documentation for the slaxml library.

http.host, http.max-body-size, http.max-cache-size, http.max-pipeline, http.pipeline, http.truncated-ok, http.useragent

See the documentation for the http library.

Example Usage

nmap -p 8009 <ip> --script ajp-brute

Script Output

PORT     STATE SERVICE
8009/tcp open  ajp13
| ajp-brute:
|   Accounts
|     root:secret - Valid credentials
|   Statistics
|_    Performed 1946 guesses in 23 seconds, average tps: 82

Requires

local ajp = require "ajp"
local base64 = require "base64"
local brute = require "brute"
local creds = require "creds"
local http = require "http"
local shortport = require "shortport"
local stdnse = require "stdnse"

description = [[
Performs brute force passwords auditing against the Apache JServ protocol.
The Apache JServ Protocol is commonly used by web servers to communicate with
back-end Java application server containers.
]]

---
-- @usage
-- nmap -p 8009 <ip> --script ajp-brute
--
-- @output
-- PORT     STATE SERVICE
-- 8009/tcp open  ajp13
-- | ajp-brute:
-- |   Accounts
-- |     root:secret - Valid credentials
-- |   Statistics
-- |_    Performed 1946 guesses in 23 seconds, average tps: 82
--
-- @args ajp-brute.path URL path to request. Default: /

author = "Patrik Karlsson"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"intrusive", "brute"}


portrule = shortport.port_or_service(8009, 'ajp13', 'tcp')

local arg_url = stdnse.get_script_args(SCRIPT_NAME .. ".path") or "/"

local function fail(err) return stdnse.format_output(false, err) end

Driver = {

  new = function(self, host, port, options)
    local o = { host = host,
      port = port,
      options = options,
      helper = ajp.Helper:new(host, port)
    }
    setmetatable(o, self)
    self.__index = self
    return o
  end,

  connect = function(self)
    return self.helper:connect(brute.new_socket())
  end,

  disconnect = function(self)
    return self.helper:close()
  end,

  login = function(self, user, pass)
    local headers = {
      ["Authorization"] = ("Basic %s"):format(base64.enc(user .. ":" .. pass))
    }
    local status, response = self.helper:get(arg_url, headers)

    if ( not(status) ) then
      local err = brute.Error:new( response )
      err:setRetry( true )
      return false, err
    elseif( response.status ~= 401 ) then
      return true, creds.Account:new(user, pass, creds.State.VALID)
    end
    return false, brute.Error:new( "Incorrect password" )
  end,

}


action = function(host, port)

  local helper = ajp.Helper:new(host, port)
  if ( not(helper:connect()) ) then
    return fail("Failed to connect to server")
  end

  local status, response = helper:get(arg_url)
  if ( not(response.headers['www-authenticate']) ) then
    return "\n  URL does not require authentication"
  end

  local challenges = http.parse_www_authenticate(response.headers['www-authenticate'])
  local options = { scheme = nil }
  for _, challenge in ipairs(challenges or {}) do
    if ( challenge and challenge.scheme and challenge.scheme:lower() == "basic") then
      options.scheme = challenge.scheme:lower()
      break
    end
  end

  if ( not(options.scheme) ) then
    return fail("Could not find a supported authentication scheme")
  end

  local engine = brute.Engine:new(Driver, host, port )
  engine.options.script_name = SCRIPT_NAME

  local status, result = engine:start()
  if ( status ) then
    return result
  end
end

Related

nmap 200
nmap
nmap
smb-psexec NSE Script
2009-11-20 16:19:40
rpc-grind NSE Script
2012-08-17 18:44:35
nbstat NSE Script
2008-06-12 14:32:25

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

10 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

0.973 High

EPSS

Percentile

99.8%

JSON
Related for NMAP:AJP-BRUTE.NSE
nmap200