summaryrefslogtreecommitdiffstats
path: root/scripts/drda-brute.nse
blob: 0427479d2b0deea0967d24864d73ac34a5d854f1 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
local coroutine = require "coroutine"
local drda = require "drda"
local nmap = require "nmap"
local shortport = require "shortport"
local stdnse = require "stdnse"
local string = require "string"
local table = require "table"
local unpwdb = require "unpwdb"

description = [[
Performs password guessing against databases supporting the IBM DB2 protocol such as Informix, DB2 and Derby
]]

---
-- @args drda-brute.threads the amount of accounts to attempt to brute
-- force in parallel (default 10).
-- @args drda-brute.dbname the database name against which to guess
-- passwords (default <code>"SAMPLE"</code>).
--
-- @usage
-- nmap -p 50000 --script drda-brute <target>
--
-- @output
-- 50000/tcp open  drda
-- | drda-brute:
-- |_  db2admin:db2admin => Valid credentials

author = "Patrik Karlsson"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories={"intrusive", "brute"}


-- Version 0.5
-- Created 05/08/2010 - v0.1 - created by Patrik Karlsson <patrik@cqure.net>
-- Revised 05/09/2010 - v0.2 - re-wrote as multi-threaded <patrik@cqure.net>
-- Revised 05/10/2010 - v0.3 - revised parallelised design <patrik@cqure.net>
-- Revised 08/14/2010 - v0.4 - renamed script and library from db2* to drda* <patrik@cqure.net>
-- Revised 09/09/2011 - v0.5 - changed account status text to be more consistent with other *-brute scripts

portrule = shortport.port_or_service({50000,60000}, {"drda","ibm-db2"}, "tcp", {"open", "open|filtered"})

--- Credential iterator
--
-- @param usernames iterator from unpwdb
-- @param passwords iterator from unpwdb
-- @return username string
-- @return password string
local function new_usrpwd_iterator (usernames, passwords)
  local function next_username_password ()
    for username in usernames do
      for password in passwords do
        coroutine.yield(username, password)
      end
      passwords("reset")
    end
    while true do coroutine.yield(nil, nil) end
  end
  return coroutine.wrap(next_username_password)
end

--- Iterates over the password list and guesses passwords
--
-- @param host table with information as received by <code>action</code>
-- @param port table with information as received by <code>action</code>
-- @param database string containing the database name
-- @param creds an iterator producing username, password pairs
-- @param valid_accounts table in which to store found accounts
doLogin = function( host, port, database, creds, valid_accounts )
  local helper, status, response, passwords
  local condvar = nmap.condvar( valid_accounts )

  for username, password in creds do
    -- Checks if a password was already discovered for this account
    if ( nmap.registry.db2users == nil or nmap.registry.db2users[username] == nil ) then
      helper = drda.Helper:new()
      helper:connect( host, port )
      stdnse.debug1( "Trying %s/%s against %s...", username, password, host.ip )
      status, response = helper:login( database, username, password )
      helper:close()

      if ( status ) then
        -- Add credentials for future drda scripts to use
        if nmap.registry.db2users == nil then
          nmap.registry.db2users = {}
        end
        nmap.registry.db2users[username]=password
        table.insert( valid_accounts, string.format("%s:%s => Valid credentials", username, password:len()>0 and password or "<empty>" ) )
      end
    end
  end
  condvar("broadcast")
end

--- Checks if the supplied database exists
--
-- @param host table with information as received by <code>action</code>
-- @param port table with information as received by <code>action</code>
-- @param database string containing the database name
-- @return status true on success, false on failure
isValidDb = function( host, port, database )
  local status, response
  local helper = drda.Helper:new()

  helper:connect( host, port )
  -- Authenticate with a static probe account to see if the db is valid
  status, response = helper:login( database, "dbnameprobe1234", "dbnameprobe1234" )
  helper:close()

  if ( not(status) and response:match("Login failed") ) then
    return true
  end
  return false
end

--- Returns the amount of currently active threads
--
-- @param threads table containing the list of threads
-- @return count number containing the number of non-dead threads
threadCount = function( threads )
  local count = 0

  for thread in pairs(threads) do
    if ( coroutine.status(thread) == "dead" ) then
      threads[thread] = nil
    else
      count = count + 1
    end
  end
  return count
end

action = function( host, port )

  local result, response, status = {}, nil, nil
  local valid_accounts, threads = {}, {}
  local usernames, passwords, creds
  local database = stdnse.get_script_args('drda-brute.dbname') or "SAMPLE"
  local condvar = nmap.condvar( valid_accounts )
  local max_threads = tonumber( stdnse.get_script_args('drda-brute.threads') ) or 10

  -- Check if the DB specified is valid
  if( not(isValidDb(host, port, database)) ) then
    return ("The databases %s was not found. (Use --script-args drda-brute.dbname=<dbname> to specify database)"):format(database)
  end

  status, usernames = unpwdb.usernames()
  if ( not(status) ) then
    return "Failed to load usernames"
  end

  -- make sure we have a valid pw file
  status, passwords = unpwdb.passwords()
  if ( not(status) ) then
    return "Failed to load passwords"
  end

  creds = new_usrpwd_iterator( usernames, passwords )

  stdnse.debug1("Starting brute force with %d threads", max_threads )

  for i=1,max_threads do
    local co = stdnse.new_thread( doLogin, host, port, database, creds, valid_accounts )
    threads[co] = true
  end

  -- wait for all threads to finish running
  while threadCount(threads)>0 do
    condvar("wait")
  end

  return stdnse.format_output(true, valid_accounts)

end