nmap · Patrik Karlsson · NMAP:RSYNC-BRUTE.NSE
HistoryFeb 05, 2012 - 10:10 a.m.

rsync-brute NSE Script

2012-02-05 10:10:59
Patrik Karlsson
nmap.org
799

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

10 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

0.973 High

EPSS

Percentile

99.8%

Performs brute force password auditing against the rsync remote file syncing protocol.

Script Arguments

rsync-brute.module

- the module against which brute forcing should be performed

passdb, unpwdb.passlimit, unpwdb.timelimit, unpwdb.userlimit, userdb

See the documentation for the unpwdb library.

creds.[service], creds.global

See the documentation for the creds library.

brute.credfile, brute.delay, brute.emptypass, brute.firstonly, brute.guesses, brute.mode, brute.passonly, brute.retries, brute.start, brute.threads, brute.unique, brute.useraspass

See the documentation for the brute library.

Example Usage

nmap -p 873 --script rsync-brute --script-args 'rsync-brute.module=www' <ip>

Script Output

PORT    STATE SERVICE REASON
873/tcp open  rsync   syn-ack
| rsync-brute:
|   Accounts
|     user1:laptop - Valid credentials
|     user2:password - Valid credentials
|   Statistics
|_    Performed 1954 guesses in 20 seconds, average tps: 97

Requires


local brute = require "brute"
local creds = require "creds"
local shortport = require "shortport"
local stdnse = require "stdnse"

local rsync = stdnse.silent_require "rsync"

-- Script metadata. NSE reads these fields (description, author, license,
-- categories, portrule) when it loads the script.
description = [[
Performs brute force password auditing against the rsync remote file syncing protocol.
]]

---
-- @usage
-- nmap -p 873 --script rsync-brute --script-args 'rsync-brute.module=www' <ip>
--
-- @output
-- PORT    STATE SERVICE REASON
-- 873/tcp open  rsync   syn-ack
-- | rsync-brute:
-- |   Accounts
-- |     user1:laptop - Valid credentials
-- |     user2:password - Valid credentials
-- |   Statistics
-- |_    Performed 1954 guesses in 20 seconds, average tps: 97
--
-- @args rsync-brute.module - the module against which brute forcing should be performed
--       (required: the action returns an error when it is not supplied, and
--       also when the pre-check finds that the module is unknown or needs no
--       authentication)



author = "Patrik Karlsson"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
-- "brute" and "intrusive": every guess is a separate login attempt against the
-- target (see Driver.login below), so a run should be expected to appear on
-- the server side as a burst of authentication failures from one source.
categories = {"brute", "intrusive"}

-- Run against TCP port 873 or any TCP port whose detected service is "rsync".
portrule = shortport.port_or_service(873, "rsync", "tcp")

--- Driver handed to the brute engine: one instance wraps one rsync helper
-- and performs the connect / login / disconnect steps for a single guess.
Driver = {}

--- Create a driver instance bound to a host, port and option table.
-- @param host table as received by the action
-- @param port table as received by the action
-- @param options table forwarded unchanged to rsync.Helper:new
-- @return the new driver instance
function Driver:new(host, port, options)
  local instance = setmetatable({ host = host, port = port, options = options }, self)
  -- method lookups on the instance fall back to the Driver table
  self.__index = self
  return instance
end

--- Create the rsync helper and connect it over a socket supplied by the
-- brute library.
-- @return whatever the helper's connect call returns
function Driver:connect()
  local helper = rsync.Helper:new(self.host, self.port, self.options)
  self.helper = helper
  return helper:connect(brute.new_socket())
end

--- Try one username/password pair.
-- @param username string
-- @param password string
-- @return true and a creds.Account in state VALID on success
-- @return false and a brute.Error otherwise; the error is flagged for retry
--         unless the helper reported "Authentication failed"
function Driver:login(username, password)
  local ok, reply = self.helper:login(username, password)

  if ok then
    return true, creds.Account:new(username, password, creds.State.VALID)
  end

  -- a plain authentication failure is a definitive answer for this pair
  if reply == "Authentication failed" then
    return false, brute.Error:new("Login failed")
  end

  -- anything else is treated as transient: ask the engine to try again
  local retryable = brute.Error:new(reply)
  retryable:setRetry(true)
  return false, retryable
end

--- Close the helper's connection.
-- @return whatever the helper's disconnect call returns
function Driver:disconnect()
  return self.helper:disconnect()
end

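--- Pre-check run once before the brute engine starts: connect to the module
-- without credentials and see how the server answers.
-- @param host table as received by the action
-- @param port table as received by the action
-- @param module string name of the rsync module to probe
-- @return true when the server answers "Authentication required"
-- @return false and a message in every other case (helper or connection
--         failure, module needs no authentication, unknown module, or any
--         unexpected reply)
local function isModuleValid(host, port, module)
  local helper = rsync.Helper:new(host, port, { module = module })
  if not helper then
    return false, "Failed to create helper"
  end

  local status, data = helper:connect()
  if not status then
    return false, "Failed to connect to server"
  end

  status, data = helper:login()

  -- The probe connection is not reused by the engine (each Driver builds its
  -- own helper), so close it here rather than leaving the socket open.
  helper:disconnect()

  if status and data == "No authentication was required" then
    -- module is open to everyone: there is no password to audit
    return false, data
  elseif not status and data == "Authentication required" then
    return true
  elseif not status and data == ("Unknown module '%s'"):format(module) then
    return false, data
  end

  -- tostring() keeps the message well-formed even if the helper returned no
  -- error text
  return false, ("Brute pre-check failed for unknown reason: (%s)"):format(tostring(data))
end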

--- Turn an error message into a failed script result.
-- @param err string message to report
-- @return the value produced by stdnse.format_output(false, err)
local function fail(err)
  return stdnse.format_output(false, err)
end

--- Script entry point: validate the requested module, then run the brute
-- engine against it with Driver.
-- @param host table supplied by NSE
-- @param port table supplied by NSE
-- @return the engine's result, or a formatted error when the module argument
--         is missing or the pre-check rejects the module
function action(host, port)
  local module_name = stdnse.get_script_args(SCRIPT_NAME .. ".module")
  if not module_name then
    return fail("rsync-brute.module was not supplied")
  end

  -- only start guessing when the module exists and asks for credentials
  local usable, reason = isModuleValid(host, port, module_name)
  if not usable then
    return fail(reason)
  end

  local engine = brute.Engine:new(Driver, host, port, { module = module_name })
  engine.options.script_name = SCRIPT_NAME

  -- the status flag is not inspected; the second value is returned as-is
  local _, report = engine:start()
  return report
end
