Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
nmapVlatko KosturjakNMAP:NEXPOSE-BRUTE.NSE
HistoryNov 17, 2011 - 7:46 p.m.

nexpose-brute NSE Script

2011-11-1719:46:42
Vlatko Kosturjak
nmap.org
151

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

10 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

0.973 High

EPSS

Percentile

99.8%

JSON

Performs brute force password auditing against a Nexpose vulnerability scanner using the API 1.1.

As the Nexpose application enforces account lockout after 4 incorrect login attempts, the script performs only 3 guesses per default. This can be altered by supplying the brute.guesses argument a different value or 0 (zero) to guess the whole dictionary.

Script Arguments

creds.[service], creds.global

See the documentation for the creds library.

smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername

See the documentation for the smbauth library.

passdb, unpwdb.passlimit, unpwdb.timelimit, unpwdb.userlimit, userdb

See the documentation for the unpwdb library.

brute.credfile, brute.delay, brute.emptypass, brute.firstonly, brute.guesses, brute.mode, brute.passonly, brute.retries, brute.start, brute.threads, brute.unique, brute.useraspass

See the documentation for the brute library.

slaxml.debug

See the documentation for the slaxml library.

http.host, http.max-body-size, http.max-cache-size, http.max-pipeline, http.pipeline, http.truncated-ok, http.useragent

See the documentation for the http library.

Example Usage

nmap --script nexpose-brute -p 3780 <ip>

Script Output

PORT     STATE SERVICE     REASON  VERSION
3780/tcp open  ssl/nexpose syn-ack NeXpose NSC 0.6.4
| nexpose-brute:
|   Accounts
|     nxadmin:nxadmin - Valid credentials
|   Statistics
|_    Performed 5 guesses in 1 seconds, average tps: 5

Requires

local brute = require "brute"
local creds = require "creds"
local http = require "http"
local shortport = require "shortport"
local stdnse = require "stdnse"

local openssl = stdnse.silent_require "openssl"

description=[[
Performs brute force password auditing against a Nexpose vulnerability scanner
using the API 1.1.

As the Nexpose application enforces account lockout after 4 incorrect login
attempts, the script performs only 3 guesses per default. This can be
altered by supplying the <code>brute.guesses</code> argument a different
value or 0 (zero) to guess the whole dictionary.
]]

---
-- @usage
-- nmap --script nexpose-brute -p 3780 <ip>
--
-- @output
-- PORT     STATE SERVICE     REASON  VERSION
-- 3780/tcp open  ssl/nexpose syn-ack NeXpose NSC 0.6.4
-- | nexpose-brute:
-- |   Accounts
-- |     nxadmin:nxadmin - Valid credentials
-- |   Statistics
-- |_    Performed 5 guesses in 1 seconds, average tps: 5
--

author = "Vlatko Kosturjak"

license = "Same as Nmap--See https://nmap.org/book/man-legal.html"

categories = {"intrusive", "brute"}


portrule = shortport.port_or_service(3780, "nexpose", "tcp")

Driver =
{
  new = function (self, host, port)
    local o = { host = host, port = port }
    setmetatable (o,self)
    self.__index = self
    return o
  end,

  connect = function ( self ) return true end,

  login = function( self, username, password )
    local postdata='<?xml version="1.0" encoding="UTF-8"?><LoginRequest sync-id="1" user-id="'..username..'" password="'..password..'"></LoginRequest>'
    local response = http.post( self.host, self.port, '/api/1.1/xml', { no_cache = true, header = { ["Content-Type"] = "text/xml" } }, nil, postdata )

    if (not(response)) then
      local err = brute.Error:new( "Couldn't send/receive HTTPS request" )
      err:setRetry( true )
      return false, err
    end

    if (response.body == nil or response.body:match('<LoginResponse.*success="0"')) then
      stdnse.debug2("Bad login: %s/%s", username, password)
      return false, brute.Error:new( "Bad login" )
    elseif (response.body:match('<LoginResponse.*success="1"')) then
      stdnse.debug1("Good login: %s/%s", username, password)
      return true, creds.Account:new(username, password, creds.State.VALID)
    end
    stdnse.debug1("WARNING: Unhandled response: %s", response.body)
    return false, brute.Error:new( "incorrect response from server" )
  end,

  disconnect = function( self ) return true end,
}

action = function(host, port)
  local engine = brute.Engine:new(Driver, host, port)
  engine.options.script_name = SCRIPT_NAME
  engine.options.max_guesses = tonumber(stdnse.get_script_args('brute.guesses')) or 3
  local status, result = engine:start()
  return result
end

Related

nmap 199
nmap
nmap
broadcast-ms-sql-discover NSE Script
2010-12-10 23:12:27
riak-http-info NSE Script
2012-01-02 11:37:38
cics-enum NSE Script
2016-12-08 21:27:09

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

10 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

0.973 High

EPSS

Percentile

99.8%

JSON
Related for NMAP:NEXPOSE-BRUTE.NSE
nmap199