summaryrefslogtreecommitdiffstats
path: root/scripts/vmauthd-brute.nse
diff options
context:
space:
mode:
Diffstat (limited to 'scripts/vmauthd-brute.nse')
-rw-r--r--scripts/vmauthd-brute.nse121
1 files changed, 121 insertions, 0 deletions
diff --git a/scripts/vmauthd-brute.nse b/scripts/vmauthd-brute.nse
new file mode 100644
index 0000000..cdaf705
--- /dev/null
+++ b/scripts/vmauthd-brute.nse
@@ -0,0 +1,121 @@
+local brute = require "brute"
+local creds = require "creds"
+local match = require "match"
+local nmap = require "nmap"
+local shortport = require "shortport"
+local stdnse = require "stdnse"
+
+description = [[
+Performs brute force password auditing against the VMWare Authentication Daemon (vmware-authd).
+]]
+
+---
+-- @usage
+-- nmap -p 902 <ip> --script vmauthd-brute
+--
+-- @output
+-- PORT STATE SERVICE
+-- 902/tcp open iss-realsecure
+-- | vmauthd-brute:
+-- | Accounts
+-- | root:00000 - Valid credentials
+-- | Statistics
+-- |_ Performed 183 guesses in 40 seconds, average tps: 4
+--
+
+author = "Patrik Karlsson"
+license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
+categories = {"brute", "intrusive"}
+
+
+portrule = shortport.port_or_service(902, {"ssl/vmware-auth", "vmware-auth"}, "tcp")
+
+local function fail(err) return stdnse.format_output(false, err) end
+Driver = {
+
+ new = function(self, host, port, options)
+ local o = { host = host, port = port }
+ setmetatable(o, self)
+ self.__index = self
+ return o
+ end,
+
+ connect = function(self)
+ self.socket = brute.new_socket()
+ return self.socket:connect(self.host, self.port)
+ end,
+
+ login = function(self, username, password)
+ local status, line = self.socket:receive_buf(match.pattern_limit("\r\n", 2048), false)
+ if ( line:match("^220 VMware Authentication Daemon.*SSL Required") ) then
+ self.socket:reconnect_ssl()
+ end
+
+ status = self.socket:send( ("USER %s\r\n"):format(username) )
+ if ( not(status) ) then
+ local err = brute.Error:new( "Failed to send data to server" )
+ err:setRetry( true )
+ return false, err
+ end
+
+ local status, response = self.socket:receive_buf(match.pattern_limit("\r\n", 2048), false)
+ if ( not(status) or not(response:match("^331") ) ) then
+ local err = brute.Error:new( "Received unexpected response from server" )
+ err:setRetry( true )
+ return false, err
+ end
+
+ status = self.socket:send( ("PASS %s\r\n"):format(password) )
+ if ( not(status) ) then
+ local err = brute.Error:new( "Failed to send data to server" )
+ err:setRetry( true )
+ return false, err
+ end
+ status, response = self.socket:receive_buf(match.pattern_limit("\r\n", 2048), false)
+
+ if ( response:match("^230") ) then
+ return true, creds.Account:new(username, password, creds.State.VALID)
+ end
+
+ return false, brute.Error:new( "Login incorrect" )
+ end,
+
+ disconnect = function(self)
+ return self.socket:close()
+ end
+
+}
+
+local function checkAuthd(host, port)
+ local socket = nmap.new_socket()
+ local status = socket:connect(host, port)
+
+ if( not(status) ) then
+ return false, "Failed to connect to server"
+ end
+
+ local status, line = socket:receive_buf(match.pattern_limit("\r\n", 2048), false)
+ socket:close()
+ if ( not(status) ) then
+ return false, "Failed to receive response from server"
+ end
+
+ if ( not( line:match("^220 VMware Authentication Daemon") ) ) then
+ return false, "Failed to detect VMWare Authentication Daemon"
+ end
+ return true
+end
+
+
+action = function(host, port)
+ local status, err = checkAuthd(host, port)
+ if ( not(status) ) then
+ return fail(err)
+ end
+
+ local engine = brute.Engine:new(Driver, host, port)
+ engine.options.script_name = SCRIPT_NAME
+ local result
+ status, result = engine:start()
+ return result
+end