nmapVlatko KosturjakNMAP:OPENVAS-OTP-BRUTE.NSE
HistoryNov 10, 2011 - 8:50 p.m.

openvas-otp-brute NSE Script

2011-11-1020:50:04
Vlatko Kosturjak
nmap.org
108

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

10 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

0.973 High

EPSS

Percentile

99.8%

Performs brute force password auditing against an OpenVAS vulnerability scanner daemon using the OTP 1.0 protocol.

Script Arguments

openvas-otp-brute.threads

sets the number of threads. Default: 4

passdb, unpwdb.passlimit, unpwdb.timelimit, unpwdb.userlimit, userdb

See the documentation for the unpwdb library.

creds.[service], creds.global

See the documentation for the creds library.

brute.credfile, brute.delay, brute.emptypass, brute.firstonly, brute.guesses, brute.mode, brute.passonly, brute.retries, brute.start, brute.threads, brute.unique, brute.useraspass

See the documentation for the brute library.

Example Usage

nmap -sV --script=openvas-otp-brute <target>

Script Output

PORT     STATE SERVICE    REASON  VERSION
9391/tcp open  ssl/openvas syn-ack
| openvas-otp-brute:
|   Accounts
|     openvas:openvas - Valid credentials
|   Statistics
|_    Performed 4 guesses in 4 seconds, average tps: 1

Requires


local brute = require "brute"
local creds = require "creds"
local match = require "match"
local shortport = require "shortport"
local stdnse = require "stdnse"
local string = require "string"

local openssl = stdnse.silent_require "openssl"

-- Script summary string (the NSE `description` field).
description=[[
Performs brute force password auditing against a OpenVAS vulnerability scanner daemon using the OTP 1.0 protocol.
]]

---
-- @usage
-- nmap -sV --script=openvas-otp-brute <target>
--
-- @output
-- PORT     STATE SERVICE    REASON  VERSION
-- 9391/tcp open  ssl/openvas syn-ack
-- | openvas-otp-brute:
-- |   Accounts
-- |     openvas:openvas - Valid credentials
-- |   Statistics
-- |_    Performed 4 guesses in 4 seconds, average tps: 1
--
-- @args openvas-otp-brute.threads sets the number of threads. Default: 4
--
-- NOTE(review): action() in this file calls engine:setMaxThreads(1) and never
-- reads openvas-otp-brute.threads, so the documented argument and its default
-- of 4 do not match the code shown here. Confirm which one is intended.

author = "Vlatko Kosturjak"

license = "Same as Nmap--See https://nmap.org/book/man-legal.html"

-- "intrusive" and "brute" only; "default" is not listed. The script submits
-- real login attempts, which can show up in the target's authentication logs
-- and, depending on its configuration, count towards lockout thresholds.
categories = {"intrusive", "brute"}


-- Match TCP ports 9390 and 9391, or any TCP port whose service name is
-- "openvas".
portrule = shortport.port_or_service({9390,9391}, "openvas", "tcp")

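--- Driver table handed to brute.Engine.
-- Each instance holds the host, the port and, after connect(), its own socket.
-- connect() opens the socket in "ssl" mode, login() performs the OTP/1.0
-- handshake and submits one username/password pair, and disconnect() closes
-- the socket.
--
-- The debug messages and two of the error strings below contain the candidate
-- username and password, so output captured at debug level should be handled
-- as sensitive material.
Driver =
{
  --- Create a driver bound to one target.
  -- @param host host table passed in by the brute engine
  -- @param port port table passed in by the brute engine
  -- @return new driver instance
  new = function (self, host, port)
    local o = { host = host, port = port }
    setmetatable (o,self)
    self.__index = self
    return o
  end,

  --- Open the connection to the target.
  -- @return true on success, false if the connection could not be set up
  connect = function ( self )
    self.socket = brute.new_socket()
    if ( not(self.socket:connect(self.host, self.port, "ssl")) ) then
      return false
    end
    return true
  end,

  --- Try a single username/password pair.
  -- @param username candidate user name
  -- @param password candidate password
  -- @return true and a creds.Account marked VALID when the server accepts the
  --         pair; otherwise false and a brute.Error (flagged abort for
  --         handshake or send failures, flagged retry when no reply arrives)
  login = function( self, username, password )
    -- Announce the protocol version; the server must answer with the same line.
    local status, response = self.socket:send("< OTP/1.0 >\n")

    if ( not(status) ) then
      local failure = brute.Error:new( "Unable to send handshake" )
      failure:setAbort(true)
      return false, failure
    end

    -- pattern_limit bounds how much server data is scanned for the newline.
    status, response = self.socket:receive_buf(match.pattern_limit("\r?\n", 2048), false)
    if ( not(status) or response ~= "< OTP/1.0 >" ) then
      -- tostring() keeps the concatenation safe if no value was returned.
      local failure = brute.Error:new( "Bad handshake from server: "..tostring(response) )
      failure:setAbort(true)
      return false, failure
    end

    status = self.socket:send(username.."\n")
    if ( not(status) ) then
      local failure = brute.Error:new( "Couldn't send user: "..username )
      failure:setAbort( true )
      return false, failure
    end

    status = self.socket:send(password.."\n")
    if ( not(status) ) then
      local failure = brute.Error:new( "Couldn't send password: "..password )
      failure:setAbort( true )
      return false, failure
    end

    -- Read the first line of the server's verdict.
    local line
    status, line = self.socket:receive_buf(match.pattern_limit("\r?\n", 2048), false)

    if ( not(status) ) then
      -- A timeout or dropped connection is not a verdict on the credentials.
      -- Ask the engine to retry instead of recording the guess as wrong,
      -- which would let a transient network error hide a valid account.
      stdnse.debug1("No response to login attempt: %s", tostring(line))
      local failure = brute.Error:new( "No response to login attempt" )
      failure:setRetry( true )
      return false, failure
    end

    if (line == nil or string.match(line,"Bad login")) then
      stdnse.debug2("Bad login: %s/%s", username, password)
      return false, brute.Error:new( "Bad login" )
    elseif (string.match(line,"SERVER <|>")) then
      stdnse.debug1("Good login: %s/%s", username, password)
      return true, creds.Account:new(username, password, creds.State.VALID)
    end

    -- Neither marker was found; report the guess as failed and log the line.
    stdnse.debug1("WARNING: Unhandled response: %s", line)
    return false, brute.Error:new( "unhandled response" )
  end,

  --- Close the socket opened by connect().
  disconnect = function( self )
    self.socket:close()
  end,
}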

--- NSE entry point: run the brute engine with Driver against one port.
-- NOTE(review): the thread count is fixed at 1 here; the documented
-- openvas-otp-brute.threads argument is not read in this function.
-- @param host host table supplied by NSE
-- @param port port table supplied by NSE
-- @return the second value returned by engine:start()
function action(host, port)
  local runner = brute.Engine:new(Driver, host, port)
  runner.options.script_name = SCRIPT_NAME
  runner:setMaxThreads(1)
  -- The first return value (status) is not used; only the result is returned.
  local _, report = runner:start()
  return report
end

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

10 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

0.973 High

EPSS

Percentile

99.8%
