Lucene search

K
nmapPatrik KarlssonNMAP:CVS-BRUTE-REPOSITORY.NSE
HistoryJul 21, 2011 - 6:01 a.m.

cvs-brute-repository NSE Script

2011-07-2106:01:19
Patrik Karlsson
nmap.org
76

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

10 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

0.973 High

EPSS

Percentile

99.8%

Attempts to guess the name of the CVS repositories hosted on the remote server. With knowledge of the correct repository name, usernames and passwords can be guessed.

Script Arguments

cvs-brute-repository.repofile

a file containing a list of repositories to guess

cvs-brute-repository.nodefault

when set the script does not attempt to guess the list of hardcoded repositories

passdb, unpwdb.passlimit, unpwdb.timelimit, unpwdb.userlimit, userdb

See the documentation for the unpwdb library.

creds.[service], creds.global

See the documentation for the creds library.

brute.credfile, brute.delay, brute.emptypass, brute.firstonly, brute.guesses, brute.mode, brute.passonly, brute.retries, brute.start, brute.threads, brute.unique, brute.useraspass

See the documentation for the brute library.

Example Usage

nmap -p 2401 --script cvs-brute-repository <host>

Script Output

PORT     STATE SERVICE    REASON
2401/tcp open  cvspserver syn-ack
| cvs-brute-repository:
|   Repositories
|     /myrepos
|     /demo
|   Statistics
|_    Performed 14 guesses in 1 seconds, average tps: 14

Requires


local brute = require "brute"
local coroutine = require "coroutine"
local creds = require "creds"
local cvs = require "cvs"
local io = require "io"
local shortport = require "shortport"
local stdnse = require "stdnse"
local table = require "table"
local unpwdb = require "unpwdb"

description = [[
Attempts to guess the name of the CVS repositories hosted on the remote server.
With knowledge of the correct repository name, usernames and passwords can be guessed.
]]

---
-- @usage
-- nmap -p 2401 --script cvs-brute-repository <host>
--
-- @output
-- PORT     STATE SERVICE    REASON
-- 2401/tcp open  cvspserver syn-ack
-- | cvs-brute-repository:
-- |   Repositories
-- |     /myrepos
-- |     /demo
-- |   Statistics
-- |_    Performed 14 guesses in 1 seconds, average tps: 14
--
-- @args cvs-brute-repository.nodefault when set the script does not attempt to
--       guess the list of hardcoded repositories
-- @args cvs-brute-repository.repofile a file containing a list of repositories
--       to guess

-- Version 0.2
-- Created 07/13/2010 - v0.1 - created by Patrik Karlsson <[email protected]>
-- Revised 08/07/2012 - v0.2 - revised to suit the changes in brute
--                             library [Aleksandar Nikolic]

author = "Patrik Karlsson"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"intrusive", "brute"}


portrule = shortport.port_or_service(2401, "cvspserver")

Driver =
{

  new = function(self, host, port )
    local o = { host = host, helper = cvs.Helper:new(host, port) }
    setmetatable(o, self)
    self.__index = self
    return o
  end,

  connect = function( self )
    self.helper:connect()
    return true
  end,

  login = function( self, username, password )
    username = ""
    if ( password:sub(1,1) ~= "/" ) then password = "/" .. password end
    local status, err = self.helper:login( password, "repository", "repository" )
    if ( not(status) and err:match("I HATE YOU") ) then
      -- let's store the repositories in the registry so the brute
      -- script can use them later.
      self.host.registry.cvs_repos = self.host.registry.cvs_repos or {}
      table.insert(self.host.registry.cvs_repos, password)
      return true, creds.Account:new(username, password, 0)
    end
    return false, brute.Error:new( "Incorrect password" )
  end,

  disconnect = function( self )
    self.helper:close()
  end,

}


action = function(host, port)

  local status, result
  local engine = brute.Engine:new(Driver, host, port)

  -- a list of "common" repository names:
  -- the first two are Debian/Ubuntu default names
  -- the rest were found during tests or in google searches
  local repos = {"myrepos", "demo", "cvs", "cvsroot", "prod", "src", "test",
    "source", "devel", "cvsroot", "/var/lib/cvsroot",
    "cvs-repository", "/home/cvsroot", "/var/cvs",
    "/usr/local/cvs"}

  local repofile = stdnse.get_script_args("cvs-brute-repository.repofile")
  local f

  if ( repofile ) then
    f = io.open( repofile, "r" )
    if ( not(f) ) then
      return stdnse.format_output(false, ("Failed to open repository file: %s"):format(repofile))
    end
  end

  local function repository_iterator()
    local function next_repo()
      for line in f:lines() do
        if ( not(line:match("#!comment")) ) then
          coroutine.yield("", line)
        end
      end
      while(true) do coroutine.yield(nil, nil) end
    end
    return coroutine.wrap(next_repo)
  end

  engine.options:setTitle("Repositories")
  engine.options.script_name = SCRIPT_NAME
  engine.options.passonly = true
  engine.options.firstonly = false
  engine.options.nostore = true
  engine.iterator = brute.Iterators.account_iterator({""}, repos, "user")
  if ( repofile ) then engine.iterator = unpwdb.concat_iterators(engine.iterator,repository_iterator()) end
  status, result = engine:start()

  return result
end

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

10 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

0.973 High

EPSS

Percentile

99.8%

Related for NMAP:CVS-BRUTE-REPOSITORY.NSE