diff options
Diffstat (limited to 'scripts/vmauthd-brute.nse')
| -rw-r--r-- | scripts/vmauthd-brute.nse | 121 |
1 files changed, 121 insertions, 0 deletions
diff --git a/scripts/vmauthd-brute.nse b/scripts/vmauthd-brute.nse new file mode 100644 index 0000000..cdaf705 --- /dev/null +++ b/scripts/vmauthd-brute.nse @@ -0,0 +1,121 @@ +local brute = require "brute" +local creds = require "creds" +local match = require "match" +local nmap = require "nmap" +local shortport = require "shortport" +local stdnse = require "stdnse" + +description = [[ +Performs brute force password auditing against the VMWare Authentication Daemon (vmware-authd). +]] + +--- +-- @usage +-- nmap -p 902 <ip> --script vmauthd-brute +-- +-- @output +-- PORT STATE SERVICE +-- 902/tcp open iss-realsecure +-- | vmauthd-brute: +-- | Accounts +-- | root:00000 - Valid credentials +-- | Statistics +-- |_ Performed 183 guesses in 40 seconds, average tps: 4 +-- + +author = "Patrik Karlsson" +license = "Same as Nmap--See https://nmap.org/book/man-legal.html" +categories = {"brute", "intrusive"} + + +portrule = shortport.port_or_service(902, {"ssl/vmware-auth", "vmware-auth"}, "tcp") + +local function fail(err) return stdnse.format_output(false, err) end +Driver = { + + new = function(self, host, port, options) + local o = { host = host, port = port } + setmetatable(o, self) + self.__index = self + return o + end, + + connect = function(self) + self.socket = brute.new_socket() + return self.socket:connect(self.host, self.port) + end, + + login = function(self, username, password) + local status, line = self.socket:receive_buf(match.pattern_limit("\r\n", 2048), false) + if ( line:match("^220 VMware Authentication Daemon.*SSL Required") ) then + self.socket:reconnect_ssl() + end + + status = self.socket:send( ("USER %s\r\n"):format(username) ) + if ( not(status) ) then + local err = brute.Error:new( "Failed to send data to server" ) + err:setRetry( true ) + return false, err + end + + local status, response = self.socket:receive_buf(match.pattern_limit("\r\n", 2048), false) + if ( not(status) or not(response:match("^331") ) ) then + local err = brute.Error:new( "Received unexpected response from server" ) + err:setRetry( true ) + return false, err + end + + status = self.socket:send( ("PASS %s\r\n"):format(password) ) + if ( not(status) ) then + local err = brute.Error:new( "Failed to send data to server" ) + err:setRetry( true ) + return false, err + end + status, response = self.socket:receive_buf(match.pattern_limit("\r\n", 2048), false) + + if ( response:match("^230") ) then + return true, creds.Account:new(username, password, creds.State.VALID) + end + + return false, brute.Error:new( "Login incorrect" ) + end, + + disconnect = function(self) + return self.socket:close() + end + +} + +local function checkAuthd(host, port) + local socket = nmap.new_socket() + local status = socket:connect(host, port) + + if( not(status) ) then + return false, "Failed to connect to server" + end + + local status, line = socket:receive_buf(match.pattern_limit("\r\n", 2048), false) + socket:close() + if ( not(status) ) then + return false, "Failed to receive response from server" + end + + if ( not( line:match("^220 VMware Authentication Daemon") ) ) then + return false, "Failed to detect VMWare Authentication Daemon" + end + return true +end + + +action = function(host, port) + local status, err = checkAuthd(host, port) + if ( not(status) ) then + return fail(err) + end + + local engine = brute.Engine:new(Driver, host, port) + engine.options.script_name = SCRIPT_NAME + local result + status, result = engine:start() + return result +end |