nmapPatrik KarlssonNMAP:CVS-BRUTE.NSE
HistoryJul 21, 2011 - 6:01 a.m.

cvs-brute NSE Script

2011-07-21 06:01:19
Patrik Karlsson
nmap.org
67

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

10 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

0.973 High

EPSS

Percentile

99.8%

Performs brute force password auditing against CVS pserver authentication.

Script Arguments

cvs-brute.repo

String containing the name of the repository to brute force. If no repository is given, the script checks the registry for any repositories discovered by the cvs-brute-repository script. If the registry contains any discovered repositories, the script attempts to brute force the credentials for the first one.

passdb, unpwdb.passlimit, unpwdb.timelimit, unpwdb.userlimit, userdb

See the documentation for the unpwdb library.

creds.[service], creds.global

See the documentation for the creds library.

brute.credfile, brute.delay, brute.emptypass, brute.firstonly, brute.guesses, brute.mode, brute.passonly, brute.retries, brute.start, brute.threads, brute.unique, brute.useraspass

See the documentation for the brute library.

Example Usage

nmap -p 2401 --script cvs-brute <host>

Script Output

2401/tcp open  cvspserver syn-ack
| cvs-brute:
|   Accounts
|     hotchner:francisco - Account is valid
|     reid:secret - Account is valid
|   Statistics
|_    Performed 544 guesses in 14 seconds, average tps: 38

Requires


local brute = require "brute"
local creds = require "creds"
local cvs = require "cvs"
local shortport = require "shortport"
local stdnse = require "stdnse"

-- Human-readable summary of what the script does.
description = [[
Performs brute force password auditing against CVS pserver authentication.
]]

---
-- @usage
-- nmap -p 2401 --script cvs-brute <host>
--
-- @output
-- 2401/tcp open  cvspserver syn-ack
-- | cvs-brute:
-- |   Accounts
-- |     hotchner:francisco - Account is valid
-- |     reid:secret - Account is valid
-- |   Statistics
-- |_    Performed 544 guesses in 14 seconds, average tps: 38
--
-- @args cvs-brute.repo string containing the name of the repository to brute
--       force. If no repository is given, the script checks the registry for
--       any repositories discovered by the cvs-brute-repository script. If the
--       registry contains any discovered repositories, the script attempts to
--       brute force the credentials for the first one.

-- Version 0.1
-- Created 07/13/2010 - v0.1 - created by Patrik Karlsson <[email protected]>


author = "Patrik Karlsson"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
-- Every guess is a real pserver login attempt (see Driver.login), so a run is
-- visible in the server's authentication logs; presumably that is why the
-- script is tagged "intrusive" in addition to "brute".
categories = {"intrusive", "brute"}
-- cvs-brute-repository is declared as a dependency; per the @args text above,
-- its discoveries in the host registry are the fallback when cvs-brute.repo
-- is not given.
dependencies = {"cvs-brute-repository"}


-- Select TCP port 2401 or any port whose detected service is "cvspserver".
portrule = shortport.port_or_service(2401, "cvspserver")

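--- Brute-library driver for CVS pserver authentication.
-- The action function hands this table to brute.Engine:new together with the
-- host, port and repository name; the engine then calls new, connect, login
-- and disconnect on it.
Driver =
{

  --- Creates a driver instance bound to one host, port and repository.
  -- @param host table host table forwarded to cvs.Helper:new
  -- @param port table port table forwarded to cvs.Helper:new
  -- @param repo string name of the repository to authenticate against
  -- @return table new Driver instance
  new = function(self, host, port, repo)
    local o = { repo = repo, helper = cvs.Helper:new(host, port) }
    setmetatable(o, self)
    self.__index = self
    return o
  end,

  --- Connects the helper using a socket obtained from the brute library.
  -- NOTE(review): the helper's return value is discarded and true is always
  -- returned, so a failed connect only surfaces later as a failed login.
  -- Confirm what cvs.Helper:connect returns before propagating it.
  -- @return boolean always true
  connect = function( self )
    self.helper:connect(brute.new_socket())
    return true
  end,

  --- Tries one username/password pair against the configured repository.
  -- @param username string account name to try
  -- @param password string password to try
  -- @return boolean true when the server accepted the credentials
  -- @return creds.Account on success, brute.Error on failure
  login = function( self, username, password )
    local status, err = self.helper:login( self.repo, username, password )
    if ( status ) then
      return true, creds.Account:new(username, password, creds.State.VALID)
    end

    -- This error seems to indicate that the user does not exist. A server
    -- that answers differently for unknown users lets any client tell valid
    -- account names from invalid ones.
    -- Only pattern-match when err is a string: calling err:match on a nil
    -- error value would raise instead of reporting a failed guess.
    if ( type(err) == "string" and
         err:match("E PAM start error%: Critical error %- immediate abort\0$") ) then
      stdnse.debug2("The user %s does not exist", username)
      local invalid = brute.Error:new("Account invalid")
      invalid:setInvalidAccount(username)
      return false, invalid
    end

    -- NOTE(review): every other failure, including anything that is not an
    -- authentication answer, is reported as a wrong password, so a transport
    -- problem can hide a valid credential. Confirm which errors
    -- cvs.Helper:login can return before relying on a negative result.
    return false, brute.Error:new( "Incorrect password" )
  end,

  --- Closes the helper's connection.
  disconnect = function( self )
    self.helper:close()
  end,

}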

--- Looks up the repositories recorded in the host registry.
-- @param host table host table whose registry is consulted
-- @return the value of host.registry.cvs_repos when it is set; nothing
--         otherwise
local function getDiscoveredRepos(host)
  local discovered = host.registry.cvs_repos
  if discovered then
    return discovered
  end
end

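--- Script entry point: audits CVS pserver credentials for one repository.
-- The repository comes from the cvs-brute.repo script argument or, when that
-- is absent, from the repositories returned by getDiscoveredRepos(host).
-- @param host table host table supplied to the script
-- @param port table port table supplied to the script
-- @return the result produced by the brute engine, or nil when no repository
--         is available
action = function(host, port)

  local repo_arg = stdnse.get_script_args("cvs-brute.repo")
  local repo = repo_arg and { repo_arg } or getDiscoveredRepos(host)

  -- Stop when there is nothing to audit. Without this return the missing
  -- repository was only logged and the repo[1] lookup below then raised on a
  -- nil value (or started the engine with a nil repository name).
  if ( not(repo) or repo[1] == nil ) then
    stdnse.verbose1("ERROR: No CVS repository specified (see cvs-brute.repo)")
    return nil
  end

  -- If repositories were discovered and not overridden by argument
  -- only attempt to brute force the first one.
  local engine = brute.Engine:new(Driver, host, port, repo[1])

  engine.options.script_name = SCRIPT_NAME
  local _, result = engine:start()

  return result
end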
