author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-17 07:42:04 +0000 |
---|---|---|
committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-17 07:42:04 +0000 |
commit | 0d47952611198ef6b1163f366dc03922d20b1475 (patch) | |
tree | 3d840a3b8c0daef0754707bfb9f5e873b6b1ac13 /scripts/netbus-brute.nse | |
parent | Initial commit. (diff) | |
download | nmap-upstream.tar.xz nmap-upstream.zip |
Adding upstream version 7.94+git20230807.3be01efb1+dfsg.upstream/7.94+git20230807.3be01efb1+dfsgupstream
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to '')
-rw-r--r-- | scripts/netbus-brute.nse | 63 |
1 files changed, 63 insertions, 0 deletions
diff --git a/scripts/netbus-brute.nse b/scripts/netbus-brute.nse
new file mode 100644
index 0000000..50464ad
--- /dev/null
+++ b/scripts/netbus-brute.nse
@@ -0,0 +1,63 @@
+local nmap = require "nmap"
+local shortport = require "shortport"
+local stdnse = require "stdnse"
+local string = require "string"
+local unpwdb = require "unpwdb"
+
+description = [[
+Performs brute force password auditing against the Netbus backdoor ("remote administration") service.
+]]
+
+---
+-- @see netbus-auth-bypass.nse
+-- @usage
+-- nmap -p 12345 --script netbus-brute <target>
+--
+-- @output
+-- 12345/tcp open netbus
+-- |_netbus-brute: password123
+
+author = "Toni Ruottu"
+license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
+categories = {"brute", "intrusive"}
+
+
+dependencies = {"netbus-version"}
+
+portrule = shortport.port_or_service (12345, "netbus", {"tcp"})
+
+action = function( host, port )
+  local try = nmap.new_try()
+  local passwords = try(unpwdb.passwords())
+  local socket = nmap.new_socket()
+  local status, err = socket:connect(host, port)
+  if not status then
+    return
+  end
+  local buffer, err = stdnse.make_buffer(socket, "\r")
+  local _ = buffer() --skip the banner
+  if not (_ and _:match("^NetBus")) then
+    stdnse.debug1("Not NetBus")
+    return nil
+  end
+  for password in passwords do
+    local foo = string.format("Password;0;%s\r", password)
+    socket:send(foo)
+    local login = buffer()
+    if login == "Access;1" then
+      -- Store the password for other netbus scripts
+      local key = string.format("%s:%d", host.ip, port.number)
+      if not nmap.registry.netbuspasswords then
+        nmap.registry.netbuspasswords = {}
+      end
+      nmap.registry.netbuspasswords[key] = password
+      if password == "" then
+        return "<empty>"
+      end
+      return string.format("%s", password)
+    end
+  end
+  socket:close()
+end
+
+
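Review bot: The socket is closed only when the whole wordlist is exhausted; the `return nil` after the banner check and both returns inside the `for password in passwords` loop leave the connection open, and a `buffer()` that yields nil once the service drops the connection is never noticed, so the loop keeps sending every remaining password into a dead socket with the `socket:send(foo)` status also unchecked. Closing before each return and breaking out when a send fails or the read returns nil fixes both. The second `local buffer, err` shadows the earlier `err` and neither is read, so `local buffer = stdnse.make_buffer(socket, "\r")` is enough, and `return string.format("%s", password)` is just `return password`. The whole `action` function is inside this hunk.
```lua
  if not (_ and _:match("^NetBus")) then
    stdnse.debug1("Not NetBus")
    socket:close()
    return nil
  end
  for password in passwords do
    -- … unchanged: build the "Password;0;<password>\r" line in foo …
    local sent = socket:send(foo)
    local login = sent and buffer()
    if not login then
      stdnse.debug1("Connection closed before a result was read")
      break
    end
    if login == "Access;1" then
      -- … unchanged: record the password in nmap.registry.netbuspasswords …
      socket:close()
      if password == "" then
        return "<empty>"
      end
      return password
    end
  end
  socket:close()
```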