9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
10 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
0.973 High
EPSS
Percentile
99.8%
Performs brute force password auditing against a Nessus vulnerability scanning daemon using the NTP 1.2 protocol.
See the documentation for the unpwdb library.
See the documentation for the creds library.
See the documentation for the brute library.
nmap --script nessus-brute -p 1241 <host>
PORT STATE SERVICE
1241/tcp open nessus
| nessus-brute:
| Accounts
| nessus:nessus - Valid credentials
| Statistics
|_ Performed 35 guesses in 75 seconds, average tps: 0
This script does not appear to perform well when run using multiple threads
Although, it's very slow running under a single thread it does work as intended
local brute = require "brute"
local creds = require "creds"
local match = require "match"
local shortport = require "shortport"
description=[[
Performs brute force password auditing against a Nessus vulnerability scanning daemon using the NTP 1.2 protocol.
]]
---
-- @usage
-- nmap --script nessus-brute -p 1241 <host>
--
-- @output
-- PORT STATE SERVICE
-- 1241/tcp open nessus
-- | nessus-brute:
-- | Accounts
-- | nessus:nessus - Valid credentials
-- | Statistics
-- |_ Performed 35 guesses in 75 seconds, average tps: 0
--
-- This script does not appear to perform well when run using multiple threads
-- Although, it's very slow running under a single thread it does work as intended
--
--
-- Version 0.1
-- Created 22/10/2011 - v0.1 - created by Patrik Karlsson <[email protected]>
--
author = "Patrik Karlsson"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"intrusive", "brute"}
portrule = shortport.port_or_service(1241, "nessus", "tcp")
Driver =
{
new = function(self, host, port)
local o = { host = host, port = port }
setmetatable(o, self)
self.__index = self
return o
end,
connect = function( self )
self.socket = brute.new_socket()
if ( not(self.socket:connect(self.host, self.port, "ssl")) ) then
return false
end
return true
end,
login = function( self, username, password )
local handshake = "< NTP/1.2 >< plugins_cve_id plugins_version timestamps dependencies fast_login >\n"
local status, err = self.socket:send(handshake)
if ( not(status) ) then
local err = brute.Error:new( "Failed to send handshake to server" )
err:setAbort(true)
return false, err
end
local line
status, line = self.socket:receive_buf(match.pattern_limit("\r?\n", 2048), false)
if ( not(status) or line ~= "< NTP/1.2 >" ) then
local err = brute.Error:new( "The server failed to respond to handshake" )
err:setAbort( true )
return false, err
end
status, line = self.socket:receive()
if ( not(status) or line ~= "User : ") then
local err = brute.Error:new( "Expected \"User : \", got something else" )
err:setRetry( true )
return false, err
end
status = self.socket:send(username .. "\n")
if ( not(status) ) then
local err = brute.Error:new( "Failed to send username to server" )
err:setAbort( true )
return false, err
end
status, line = self.socket:receive()
if ( not(status) or line ~= "Password : ") then
local err = brute.Error:new( "Expected \"Password : \", got something else" )
err:setRetry( true )
return false, err
end
status = self.socket:send(password)
if ( not(status) ) then
local err = brute.Error:new( "Failed to send password to server" )
err:setAbort( true )
return false, err
end
-- the line feed has to be sent separate like this, otherwise we don't
-- receive the server response and the server simply hangs up
status = self.socket:send("\n")
if ( not(status) ) then
local err = brute.Error:new( "Failed to send password to server" )
err:setAbort( true )
return false, err
end
-- we force a brief incorrect statement just to get an error message to
-- confirm that we've successfully authenticated to the server
local bad_cli_pref = "CLIENT <|> PREFERENCES <|>\n<|> CLIENT\n"
status = self.socket:send(bad_cli_pref)
if ( not(status) ) then
local err = brute.Error:new( "Failed to send bad client preferences packet to server" )
err:setAbort( true )
return false, err
end
-- if the server disconnects us at this point, it's most likely due to
-- that the authentication failed, so simply treat it as an incorrect
-- password, rather than abort.
status, line = self.socket:receive()
if ( not(status) ) then
return false, brute.Error:new( "Incorrect password" )
end
if ( line:match("SERVER <|> PREFERENCES_ERRORS <|>") ) then
return true, creds.Account:new(username, password, creds.State.VALID)
end
return false, brute.Error:new( "Incorrect password" )
end,
disconnect = function( self )
self.socket:close()
end,
}
action = function(host, port)
local engine = brute.Engine:new(Driver, host, port)
engine.options.script_name = SCRIPT_NAME
-- the nessus service doesn't appear to do very well with multiple threads
engine:setMaxThreads(1)
local status, result = engine:start()
return result
end
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
10 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
0.973 High
EPSS
Percentile
99.8%