
rexec-brute NSE Script

2011-11-04 21:17:33
Patrik Karlsson
nmap.org

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

10 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

0.973 High

EPSS

Percentile

99.8%

Performs brute force password auditing against the classic UNIX rexec (remote exec) service.

Script Arguments

rexec-brute.timeout

socket timeout for connecting to rexec (default 10s)

passdb, unpwdb.passlimit, unpwdb.timelimit, unpwdb.userlimit, userdb

See the documentation for the unpwdb library.

creds.[service], creds.global

See the documentation for the creds library.

brute.credfile, brute.delay, brute.emptypass, brute.firstonly, brute.guesses, brute.mode, brute.passonly, brute.retries, brute.start, brute.threads, brute.unique, brute.useraspass

See the documentation for the brute library.

Example Usage

nmap -p 512 --script rexec-brute <ip>

Script Output

PORT    STATE SERVICE
512/tcp open  exec
| rexec-brute:
|   Accounts
|     nmap:test - Valid credentials
|   Statistics
|_    Performed 16 guesses in 7 seconds, average tps: 2

Requires


local brute = require "brute"
local creds = require "creds"
local shortport = require "shortport"
local stdnse = require "stdnse"

-- One-line summary shown by `nmap --script-help rexec-brute`; the long-bracket
-- form in the original keeps a trailing newline, reproduced here explicitly.
description = "Performs brute force password auditing against the classic UNIX rexec (remote exec) service.\n"

---
-- @usage
-- nmap -p 512 --script rexec-brute <ip>
--
-- @output
-- PORT    STATE SERVICE
-- 512/tcp open  exec
-- | rexec-brute:
-- |   Accounts
-- |     nmap:test - Valid credentials
-- |   Statistics
-- |_    Performed 16 guesses in 7 seconds, average tps: 2
--
-- @args rexec-brute.timeout  socket timeout for connecting to rexec (default 10s)

-- Version 0.1
-- Created 11/02/2011 - v0.1 - created by Patrik Karlsson <[email protected]>


author = "Patrik Karlsson"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"

-- The script sends real login attempts at the target, so it is tagged both
-- "brute" and "intrusive" and only runs when one of those (or the script
-- itself) is selected.
categories = { "brute", "intrusive" }

-- rexec traditionally lives on TCP/512 and is identified by Nmap as "exec";
-- either signal is enough to schedule the script.
local rexec_port, rexec_service = 512, "exec"
portrule = shortport.port_or_service(rexec_port, rexec_service, "tcp")

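--- Decide whether a response from the rexec server indicates a failed login.
--
-- rexecd (BSD rexecd(8)) prefixes every reply with a one-byte status: 0 means
-- the credentials were accepted and command output follows, 1 means they were
-- rejected and an error text ("Login incorrect.", ...) follows. That byte is
-- the authoritative verdict and is checked first; the keyword match (inherited
-- from telnet-brute) is kept only as a fallback for replies that do not start
-- with a status byte, e.g. a banner from a wrapper or a non-conforming
-- implementation. Relying on keywords alone misclassified a rejection whose
-- text used none of the known words as a valid account, and mistook command
-- output containing e.g. "bad" for a rejection.
--
-- @param str The raw bytes received after sending the request (may be empty)
-- @return Verdict (true or false)
local is_login_failure = function (str)
  local code = str:byte(1)
  if code == 1 then
    return true
  elseif code == 0 then
    -- accepted: anything after the status byte is output of the executed
    -- command and must not be matched against the error keywords
    return false
  end

  local lcstr = str:lower()
  local keywords = { "incorrect", "failed", "denied", "invalid", "bad" }
  for _, word in ipairs(keywords) do
    -- %f frontier patterns require the keyword to be a whole word
    if lcstr:find("%f[%w]" .. word .. "%f[%W]") then
      return true
    end
  end
  return false
end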

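-- True if s is a string holding a NUL byte. The rexec request is a sequence of
-- NUL-terminated fields (see Driver.login), so such a value cannot be carried
-- as a single field.
local function contains_nul(s)
  return type(s) == "string" and s:find("\0", 1, true) ~= nil
end

Driver = {

  --- Creates a new Driver instance.
  -- @param host table as received by the action function
  -- @param port table as received by the action function
  -- @param options table with the field <code>timeout</code>, the socket
  --        timeout passed to socket:set_timeout
  -- @return o instance of Driver
  new = function(self, host, port, options)
    local o = { host = host, port = port, timeout = options.timeout }
    setmetatable(o, self)
    self.__index = self
    return o
  end,

  --- Opens a TCP connection to the rexec port.
  -- A failed connect is reported as a retryable error so the engine treats it
  -- as a transport problem rather than as a guess.
  -- @return true on success, or false and a brute.Error
  connect = function(self)
    self.socket = brute.new_socket()
    self.socket:set_timeout(self.timeout)
    local status = self.socket:connect(self.host, self.port)
    if not status then
      local err = brute.Error:new("Connection failed")
      err:setRetry(true)
      return false, err
    end
    return true
  end,

  --- Tries one username/password pair by sending a single rexec request.
  --
  -- The request is "\0user\0pass\0cmd\0": every field is NUL-terminated, so a
  -- username or password that itself contains a NUL byte cannot be transmitted
  -- as intended -- the server would read a truncated password and take the
  -- remainder of the wordlist entry as the command to execute. Such entries
  -- (possible with brute.credfile or an arbitrary passdb) are rejected up
  -- front, without retry, instead of being sent.
  --
  -- @param username the account name to try
  -- @param password the password to try
  -- @return true and a creds.Account on success; false and a brute.Error
  --         otherwise (send failures are retryable)
  login = function(self, username, password)
    if contains_nul(username) or contains_nul(password) then
      return false, brute.Error:new("Credentials containing NUL bytes cannot be sent over rexec")
    end

    -- a harmless command that produces output on success; its result is not
    -- parsed, only the server's accept/reject verdict matters
    local cmd = "id"
    local data = ("\0%s\0%s\0%s\0"):format(username, password, cmd)

    local status = self.socket:send(data)
    if not status then
      local err = brute.Error:new("Send failed")
      err:setRetry(true)
      return false, err
    end

    local response
    status, response = self.socket:receive()
    if status and not is_login_failure(response) then
      return true, creds.Account:new(username, password, creds.State.VALID)
    end
    -- NOTE(review): a receive failure (timeout/EOF before any reply) is also
    -- reported as an incorrect password here, as in the original; a slow or
    -- flaky target can therefore hide a valid guess. Marking it retryable was
    -- not done because the engine's handling of exhausted retries is not
    -- visible from this file -- confirm before changing.
    return false, brute.Error:new("Incorrect password")
  end,

  --- Closes the socket opened by connect.
  disconnect = function(self)
    self.socket:close()
  end,

}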


-- Socket timeout for the rexec connection: the rexec-brute.timeout timespec
-- (e.g. "5s"), defaulting to 10 seconds when absent or unparsable, multiplied
-- by 1000 because socket:set_timeout takes milliseconds.
local arg_timeout
do
  local spec = stdnse.get_script_args(SCRIPT_NAME .. ".timeout")
  local seconds = stdnse.parse_timespec(spec)
  if not seconds then
    seconds = 10
  end
  arg_timeout = seconds * 1000
end

--- Script entry point: runs the brute engine with the Driver defined above.
-- @param host table as passed by Nmap
-- @param port table as passed by Nmap
-- @return the engine's result (the account list and statistics shown in the
--         script output); the engine's status flag is not reported separately
action = function(host, port)
  local engine = brute.Engine:new(Driver, host, port, { timeout = arg_timeout })
  engine.options.script_name = SCRIPT_NAME
  local _, result = engine:start()
  return result
end
