Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
nmapPatrik KarlssonNMAP:NESSUS-BRUTE.NSE
HistoryOct 26, 2011 - 9:45 p.m.

nessus-brute NSE Script

2011-10-2621:45:33
Patrik Karlsson
nmap.org
115

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

10 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

0.973 High

EPSS

Percentile

99.8%

JSON

Performs brute force password auditing against a Nessus vulnerability scanning daemon using the NTP 1.2 protocol.

Script Arguments

passdb, unpwdb.passlimit, unpwdb.timelimit, unpwdb.userlimit, userdb

See the documentation for the unpwdb library.

creds.[service], creds.global

See the documentation for the creds library.

brute.credfile, brute.delay, brute.emptypass, brute.firstonly, brute.guesses, brute.mode, brute.passonly, brute.retries, brute.start, brute.threads, brute.unique, brute.useraspass

See the documentation for the brute library.

Example Usage

nmap --script nessus-brute -p 1241 <host>

Script Output

PORT     STATE SERVICE
1241/tcp open  nessus
| nessus-brute:
|   Accounts
|     nessus:nessus - Valid credentials
|   Statistics
|_    Performed 35 guesses in 75 seconds, average tps: 0

This script does not appear to perform well when run using multiple threads
Although, it's very slow running under a single thread it does work as intended

Requires

local brute = require "brute"
local creds = require "creds"
local match = require "match"
local shortport = require "shortport"

description=[[
Performs brute force password auditing against a Nessus vulnerability scanning daemon using the NTP 1.2 protocol.
]]

---
-- @usage
-- nmap --script nessus-brute -p 1241 <host>
--
-- @output
-- PORT     STATE SERVICE
-- 1241/tcp open  nessus
-- | nessus-brute:
-- |   Accounts
-- |     nessus:nessus - Valid credentials
-- |   Statistics
-- |_    Performed 35 guesses in 75 seconds, average tps: 0
--
-- This script does not appear to perform well when run using multiple threads
-- Although, it's very slow running under a single thread it does work as intended
--

--
-- Version 0.1
-- Created 22/10/2011 - v0.1 - created by Patrik Karlsson <[email protected]>
--

author = "Patrik Karlsson"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"intrusive", "brute"}


portrule = shortport.port_or_service(1241, "nessus", "tcp")

Driver =
{

  new = function(self, host, port)
    local o = { host = host, port = port }
    setmetatable(o, self)
    self.__index = self
    return o
  end,

  connect = function( self )
    self.socket = brute.new_socket()
    if ( not(self.socket:connect(self.host, self.port, "ssl")) ) then
      return false
    end
    return true
  end,

  login = function( self, username, password )
    local handshake = "< NTP/1.2 >< plugins_cve_id plugins_version timestamps dependencies fast_login >\n"

    local status, err = self.socket:send(handshake)
    if ( not(status) ) then
      local err = brute.Error:new( "Failed to send handshake to server" )
      err:setAbort(true)
      return false, err
    end

    local line
    status, line = self.socket:receive_buf(match.pattern_limit("\r?\n", 2048), false)
    if ( not(status) or line ~= "< NTP/1.2 >" ) then
      local err = brute.Error:new( "The server failed to respond to handshake" )
      err:setAbort( true )
      return false, err
    end

    status, line = self.socket:receive()
    if ( not(status) or line ~= "User : ") then
      local err = brute.Error:new( "Expected \"User : \", got something else" )
      err:setRetry( true )
      return false, err
    end

    status = self.socket:send(username .. "\n")
    if ( not(status) ) then
      local err = brute.Error:new( "Failed to send username to server" )
      err:setAbort( true )
      return false, err
    end

    status, line = self.socket:receive()
    if ( not(status) or line ~= "Password : ") then
      local err = brute.Error:new( "Expected \"Password : \", got something else" )
      err:setRetry( true )
      return false, err
    end

    status = self.socket:send(password)
    if ( not(status) ) then
      local err = brute.Error:new( "Failed to send password to server" )
      err:setAbort( true )
      return false, err
    end

    -- the line feed has to be sent separate like this, otherwise we don't
    -- receive the server response and the server simply hangs up
    status = self.socket:send("\n")
    if ( not(status) ) then
      local err = brute.Error:new( "Failed to send password to server" )
      err:setAbort( true )
      return false, err
    end

    -- we force a brief incorrect statement just to get an error message to
    -- confirm that we've successfully authenticated to the server
    local bad_cli_pref = "CLIENT <|> PREFERENCES <|>\n<|> CLIENT\n"
    status = self.socket:send(bad_cli_pref)
    if ( not(status) ) then
      local err = brute.Error:new( "Failed to send bad client preferences packet to server" )
      err:setAbort( true )
      return false, err
    end

    -- if the server disconnects us at this point, it's most likely due to
    -- that the authentication failed, so simply treat it as an incorrect
    -- password, rather than abort.
    status, line = self.socket:receive()
    if ( not(status) ) then
      return false, brute.Error:new( "Incorrect password" )
    end

    if ( line:match("SERVER <|> PREFERENCES_ERRORS <|>") ) then
      return true, creds.Account:new(username, password, creds.State.VALID)
    end

    return false, brute.Error:new( "Incorrect password" )
  end,

  disconnect = function( self )
    self.socket:close()
  end,

}

action = function(host, port)

  local engine = brute.Engine:new(Driver, host, port)
  engine.options.script_name = SCRIPT_NAME

  -- the nessus service doesn't appear to do very well with multiple threads
  engine:setMaxThreads(1)
  local status, result = engine:start()

  return result
end

Related

nmap 200
nmap
nmap
unittest NSE Script
2014-01-03 21:10:01
firewalk NSE Script
2010-11-29 19:16:49
stun-version NSE Script
2012-03-16 11:36:51

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

10 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

0.973 High

EPSS

Percentile

99.8%

JSON
Related for NMAP:NESSUS-BRUTE.NSE
nmap200