9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
10 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
0.973 High
EPSS
Percentile
99.8%
Performs brute force password auditing against IMAP servers using either LOGIN, PLAIN, CRAM-MD5, DIGEST-MD5 or NTLM authentication.
authentication mechanism to use LOGIN, PLAIN, CRAM-MD5, DIGEST-MD5 or NTLM
See the documentation for the unpwdb library.
See the documentation for the creds library.
See the documentation for the brute library.
See the documentation for the smbauth library.
nmap -p 143,993 --script imap-brute <host>
PORT STATE SERVICE REASON
143/tcp open imap syn-ack
| imap-brute:
| Accounts
| braddock:jules - Valid credentials
| lane:sniper - Valid credentials
| parker:scorpio - Valid credentials
| Statistics
|_ Performed 62 guesses in 10 seconds, average tps: 6
local brute = require "brute"
local coroutine = require "coroutine"
local creds = require "creds"
local imap = require "imap"
local shortport = require "shortport"
local stdnse = require "stdnse"
description = [[
Performs brute force password auditing against IMAP servers using either LOGIN, PLAIN, CRAM-MD5, DIGEST-MD5 or NTLM authentication.
]]
---
-- @usage
-- nmap -p 143,993 --script imap-brute <host>
--
-- @output
-- PORT STATE SERVICE REASON
-- 143/tcp open imap syn-ack
-- | imap-brute:
-- | Accounts
-- | braddock:jules - Valid credentials
-- | lane:sniper - Valid credentials
-- | parker:scorpio - Valid credentials
-- | Statistics
-- |_ Performed 62 guesses in 10 seconds, average tps: 6
--
-- @args imap-brute.auth authentication mechanism to use LOGIN, PLAIN,
-- CRAM-MD5, DIGEST-MD5 or NTLM
-- Version 0.1
-- Created 07/15/2011 - v0.1 - created by Patrik Karlsson <[email protected]>
author = "Patrik Karlsson"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"brute", "intrusive"}
portrule = shortport.port_or_service({143,993}, {"imap","imaps"})
local mech
-- By using this connectionpool we don't need to reconnect the socket
-- for each attempt.
ConnectionPool = {}
Driver =
{
-- Creates a new driver instance
-- @param host table as received by the action method
-- @param port table as received by the action method
-- @param pool an instance of the ConnectionPool
new = function(self, host, port, pool)
local o = { host = host, port = port }
setmetatable(o, self)
self.__index = self
return o
end,
-- Connects to the server (retrieves a connection from the pool)
connect = function( self )
self.helper = ConnectionPool[coroutine.running()]
if ( not(self.helper) ) then
self.helper = imap.Helper:new( self.host, self.port )
self.helper:connect()
ConnectionPool[coroutine.running()] = self.helper
end
return true
end,
-- Attempts to login to the server
-- @param username string containing the username
-- @param password string containing the password
-- @return status true on success, false on failure
-- @return brute.Error on failure and creds.Account on success
login = function( self, username, password )
local status, err = self.helper:login( username, password, mech )
if ( status ) then
self.helper:close()
self.helper:connect()
return true, creds.Account:new(username, password, creds.State.VALID)
end
if ( err:match("^ERROR: Failed to .* data$") ) then
self.helper:close()
self.helper:connect()
local err = brute.Error:new( err )
-- This might be temporary, set the retry flag
err:setRetry( true )
return false, err
end
return false, brute.Error:new( "Incorrect password" )
end,
-- Disconnects from the server (release the connection object back to
-- the pool)
disconnect = function( self )
return true
end,
}
local function fail (err) return stdnse.format_output(false, err) end
action = function(host, port)
-- Connects to the server and retrieves the capabilities so that
-- authentication mechanisms can be determined
local helper = imap.Helper:new(host, port)
local status = helper:connect()
if (not(status)) then return fail("Failed to connect to the server.") end
local status, capabilities = helper:capabilities()
if (not(status)) then return fail("Failed to retrieve capabilities.") end
-- check if an authentication mechanism was provided or try
-- try them in the mech_prio order
local mech_prio = stdnse.get_script_args("imap-brute.auth")
mech_prio = ( mech_prio and { mech_prio } ) or
{ "LOGIN", "PLAIN", "CRAM-MD5", "DIGEST-MD5", "NTLM" }
-- iterates over auth mechanisms until a valid mechanism is found
for _, m in ipairs(mech_prio) do
if ( m == "LOGIN" and not(capabilities.LOGINDISABLED)) then
mech = "LOGIN"
break
elseif ( capabilities["AUTH=" .. m] ) then
mech = m
break
end
end
-- if no mechanisms were found, abort
if ( not(mech) ) then
return fail("No suitable authentication mechanism was found")
end
local engine = brute.Engine:new(Driver, host, port)
engine.options.script_name = SCRIPT_NAME
local result
status, result = engine:start()
for _, helper in pairs(ConnectionPool) do helper:close() end
return result
end
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
10 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
0.973 High
EPSS
Percentile
99.8%