Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

pgsql-brute NSE Script

🗓️ 04 Mar 2010 19:18:55Reported by Patrik KarlssonType 
nmap
 nmap🔗 nmap.org👁 671 Views

Performs password guessing against PostgreSQL. Force protocol version 2 or 3. Disables SSL.

Related
Code
ReporterTitlePublishedViews
Family
GithubExploit		Exploit for Code Injection in Samba
2 Dec 202509:55
githubexploit
GithubExploit		Exploit for Code Injection in Samba
25 May 201713:20
githubexploit
GithubExploit		Exploit for Code Injection in Samba
15 May 202106:52
githubexploit
GithubExploit		Exploit for Code Injection in Samba
30 May 201715:08
githubexploit
GithubExploit		Exploit for Code Injection in Samba
25 May 201713:20
githubexploit
GithubExploit		Exploit for CVE-2017-0143
16 May 201719:34
githubexploit
GithubExploit		Exploit for Code Injection in Samba
9 May 202102:32
githubexploit
GithubExploit		Exploit for Code Injection in Samba
5 Jun 201716:25
githubexploit
GithubExploit		Exploit for Code Injection in Samba
26 May 201700:58
githubexploit
GithubExploit		Exploit for Code Injection in Samba
1 Nov 202223:17
githubexploit
Rows per page
local nmap = require "nmap"
local pgsql = require "pgsql"
local shortport = require "shortport"
local stdnse = require "stdnse"
local string = require "string"
local table = require "table"
local unpwdb = require "unpwdb"

local openssl = stdnse.silent_require "openssl"

description = [[
Performs password guessing against PostgreSQL.
]]

---
-- @usage
-- nmap -p 5432 --script pgsql-brute <host>
--
-- @output
-- 5432/tcp open  pgsql
-- | pgsql-brute:
-- |   root:<empty> => Valid credentials
-- |_  test:test => Valid credentials
--
-- @args pgsql.nossl If set to <code>1</code> or <code>true</code>, disables SSL.
-- @args pgsql.version Force protocol version 2 or 3.

-- SSL Encryption
-- --------------
-- We need to handle several cases of SSL support
--  o SSL can be supported on a server level
--  o SSL can be enforced per host or network level
--  o SSL can be denied per host or network level

author = "Patrik Karlsson"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"intrusive", "brute"}


-- Version 0.4
-- Created 01/15/2010 - v0.1 - created by Patrik Karlsson <[email protected]>
-- Revised 02/20/2010 - v0.2 - moved version detection to pgsql library
-- Revised 03/04/2010 - v0.3 - added code from ssh-hostkey.nse to check for SSL support
--                           - added support for trusted authentication method
-- Revised 09/10/2011 - v0.4 - changed account status text to be more consistent with other *-brute scripts

portrule = shortport.port_or_service(5432, "postgresql")

--- Connect a socket to the server with or without SSL
--
-- @param host table as received by the action function
-- @param port table as received by the action function
-- @param ssl boolean, if true connect using SSL
-- @return socket connected to server
local function connectSocket(host, port, ssl)
  local socket = nmap.new_socket()

  -- set a reasonable timeout value
  socket:set_timeout(5000)
  socket:connect(host, port)

  -- let's be responsible and avoid sending communication in the clear
  if ( ssl ) then
    local status = pgsql.requestSSL(socket)
    if ( status ) then
      socket:reconnect_ssl()
    end
  end
  return socket
end

action = function( host, port )

  local status, response, ssl_enable, output
  local result, response, status, nossl = {}, nil, nil, false
  local valid_accounts = {}
  local pg

  if ( nmap.registry.args['pgsql.version'] ) then
    if ( tonumber(nmap.registry.args['pgsql.version']) == 2 ) then
      pg = pgsql.v2
    elseif ( tonumber(nmap.registry.args['pgsql.version']) == 3 ) then
      pg = pgsql.v3
    else
      stdnse.debug1("Unsupported version %s", nmap.registry.args['pgsql.version'])
      return
    end
  else
    pg = pgsql.detectVersion(host, port )
  end

  local usernames, passwords
  status, usernames = unpwdb.usernames()
  if not status then
    return stdnse.format_output(false, usernames)
  end

  status, passwords = unpwdb.passwords()
  if not status then
    return stdnse.format_output(false, passwords)
  end

  -- If the user explicitly does not disable SSL, enforce it
  if ( ( nmap.registry.args['pgsql.nossl'] == 'true' ) or
    ( nmap.registry.args['pgsql.nossl'] == '1' ) ) then
    nossl = true
  end

  for username in usernames do
    ssl_enable = not(nossl)
    for password in passwords do
      stdnse.debug1("Trying %s/%s ...", username, password )
      local socket = connectSocket( host, port, ssl_enable )
      status, response = pg.sendStartup(socket, username, username)

      -- if nossl is enforced by the user, we're done
      if ( not(status) and nossl ) then
        break
      end

      -- SSL failed, this can occur due to:
      -- 1. The server does not do SSL
      -- 2. SSL was denied on a per host or network level
      --
      -- Attempt SSL connection
      if ( not(status) ) then
        socket:close()
        ssl_enable = false
        socket = connectSocket( host, port, ssl_enable )
        status, response = pg.sendStartup(socket, username, username)
        if (not(status)) then
          if ( response:match("no pg_hba.conf entry for host") ) then
            stdnse.debug1("The host was denied access to db \"%s\" as user \"%s\", aborting ...", username, username )
            break
          else
            stdnse.debug1("sendStartup returned: %s", response )
            break
          end
        end
      end

      -- Do not attempt to authenticate if authentication type is trusted
      if ( response.authtype ~= pgsql.AuthenticationType.Success ) then
        status, response = pg.loginRequest( socket, response, username, password, response.salt)
      end

      if status then
        -- Add credentials for other pgsql scripts to use
        if nmap.registry.pgsqlusers == nil then
          nmap.registry.pgsqlusers = {}
        end
        nmap.registry.pgsqlusers[username]=password
        if ( response.authtype ~= pgsql.AuthenticationType.Success ) then
          table.insert( valid_accounts, string.format("%s:%s => Valid credentials", username, password:len()>0 and password or "<empty>" ) )
        else
          table.insert( valid_accounts, string.format("%s => Trusted authentication", username ) )
        end
        break
      end
      socket:close()
    end
    passwords("reset")
  end

  output = stdnse.format_output(true, valid_accounts)

  return output

end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
15 Jun 2020 03:01Current
9.5High risk
Vulners AI Score9.5
EPSS0.94176
pgsql-brutepassword guessingpostgresqlprotocol versionsslnmapshortportstdnseunpwdbopenssl
671