scripts/http-brute.nse


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165

local brute = require "brute"
local creds = require "creds"
local http = require "http"
local nmap = require "nmap"
local shortport = require "shortport"
local string = require "string"
local stdnse = require "stdnse"

description = [[
Performs brute force password auditing against http basic, digest and ntlm authentication.

This script uses the unpwdb and brute libraries to perform password
guessing. Any successful guesses are stored in the nmap registry, using
the creds library, for other scripts to use.
]]

---
-- @usage
-- nmap --script http-brute -p 80 <host>
--
-- @output
-- PORT     STATE SERVICE REASON
-- 80/tcp   open  http    syn-ack
-- | http-brute:
-- |   Accounts:
-- |     user:user - Valid credentials
-- |_  Statistics: Performed 123 guesses in 1 seconds, average tps: 123
--
--
-- @args http-brute.path points to the path protected by authentication (default: <code>/</code>)
-- @args http-brute.hostname sets the host header in case of virtual hosting
-- @args http-brute.method sets the HTTP method to use (default: <code>GET</code>)
--
-- @xmloutput
-- <table key="Accounts">
--   <table>
--     <elem key="state">Valid credentials</elem>
--     <elem key="username">user</elem>
--     <elem key="password">user</elem>
--   </table>
-- </table>
-- <elem key="Statistics">Performed 123 guesses in 1 seconds, average
-- tps: 123</elem>

--
-- Version 0.1
-- Created 07/30/2010 - v0.1 - created by Patrik Karlsson <patrik@cqure.net>
-- Version 0.2
-- 07/26/2012 - v0.2 - added digest auth support (Piotr Olma)
-- Version 0.3
-- Created 06/20/2015 - added ntlm auth support (Gyanendra Mishra)


author = {"Patrik Karlsson", "Piotr Olma", "Gyanendra Mishra"}
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"intrusive", "brute"}


portrule = shortport.port_or_service( {80, 443}, {"http", "https"}, "tcp", "open")

Driver = {

  new = function(self, host, port, opts)
    local o = {host=host, port=port, path=opts.path, method=opts.method, authmethod=opts.authmethod}
    setmetatable(o, self)
    self.__index = self
    o.hostname = stdnse.get_script_args("http-brute.hostname")
    return o
  end,

  connect = function( self )
    -- This will cause problems, as there is no way for us to "reserve"
    -- a socket. We may end up here early with a set of credentials
    -- which won't be guessed until the end, due to socket exhaustion.
    return true
  end,

  get_opts = function( self )
    -- we need to supply the no_cache directive, or else the http library
    -- incorrectly tells us that the authentication was successful
    local opts = {
      auth = { },
      no_cache = true,
      bypass_cache = true,
      header = {
        -- nil just means not set, so default http.lua behavior
        Host = self.hostname,
      }
    }
    if self.authmethod == "digest" then
      opts.auth.digest = true
    elseif self.authmethod == "ntlm" then
      opts.auth.ntlm = true
    end
    return opts
  end,

  login = function( self, username, password )
    local opts_table = self:get_opts()
    opts_table.auth.username = username
    opts_table.auth.password = password

    local response = http.generic_request( self.host, self.port, self.method, self.path, opts_table)

    if not response.status then
      local err = brute.Error:new(response["status-line"])
      err:setRetry(true)
      return false, err
    end

    -- Checking for ~= 401 *should* work to
    -- but gave me a number of false positives last time I tried.
    -- We decided to change it to ~= 4xx.
    if ( response.status < 400 or response.status > 499 ) then
      return true, creds.Account:new( username, password, creds.State.VALID)
    end
    return false, brute.Error:new( "Incorrect password" )
  end,

  disconnect = function( self )
    return true
  end,

  check = function( self )
    return true
  end,

}


action = function( host, port )
  local status, result
  local path = stdnse.get_script_args("http-brute.path") or "/"
  local method = string.upper(stdnse.get_script_args("http-brute.method") or "GET")

  if ( not(path) ) then
    return stdnse.format_output(false, "No path was specified (see http-brute.path)")
  end

  local response = http.generic_request( host, port, method, path, { no_cache = true } )

  if ( response.status ~= 401 ) then
    return ("  \n  Path \"%s\" does not require authentication"):format(path)
  end

  -- check if digest or ntlm auth is required
  local authmethod = "basic"
  local h = response.header['www-authenticate']
  if h then
    h = h:lower()
    if string.find(h, 'digest.-realm') then
      authmethod = "digest"
    end
    if string.find(h, 'ntlm') then
      authmethod = "ntlm"
    end
  end

  local engine = brute.Engine:new(Driver, host, port, {method=method, path=path, authmethod=authmethod})
  engine.options.script_name = SCRIPT_NAME

  status, result = engine:start()

  return result
end