1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
|
local shortport = require "shortport"
local stdnse = require "stdnse"
local brute = require "brute"
local creds = require "creds"
local libssh2_util = require "libssh2-utility"
description = [[
Performs brute-force password guessing against ssh servers.
]]
---
-- @usage
-- nmap -p 22 --script ssh-brute --script-args userdb=users.lst,passdb=pass.lst,ssh-brute.timeout=4s <target>
--
-- @output
-- 22/ssh open ssh
-- | ssh-brute:
-- | Accounts
-- | username:password
-- | Statistics
-- |_ Performed 32 guesses in 25 seconds.
--
-- @args ssh-brute.timeout Connection timeout (default: "5s")
author = "Devin Bjelland"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {
'brute',
'intrusive',
}
portrule = shortport.ssh
local arg_timeout = stdnse.get_script_args(SCRIPT_NAME .. ".timeout") or "5s"
Driver = {
new = function (self, host, port, options)
stdnse.debug(2, "creating brute driver")
local o = {
helper = libssh2_util.SSHConnection:new(),
}
setmetatable(o, self)
self.__index = self
o.host = host
o.port = port
o.options = options
return o
end,
connect = function (self)
local status, err = self.helper:connect_pcall(self.host, self.port)
if not status then
stdnse.debug(2, "libssh2 error: %s", self.helper.session)
local err = brute.Error:new(self.helper.session)
err:setReduce(true)
return false, err
elseif not self.helper.session then
stdnse.debug(2, "failure to connect: %s", err)
local err = brute.Error:new(err)
err:setAbort(true)
return false, err
else
self.helper:set_timeout(self.options.ssh_timeout)
return true
end
end,
login = function (self, username, password)
stdnse.verbose(1, "Trying username/password pair: %s:%s", username, password)
local status, resp = self.helper:password_auth(username, password)
if status then
return true, creds.Account:new(username, password, creds.State.VALID)
end
return false, brute.Error:new "Incorrect password"
end,
disconnect = function (self)
return self.helper:disconnect()
end,
}
local function password_auth_allowed (host, port)
local helper = libssh2_util.SSHConnection:new()
if not helper:connect(host, port) then
return "Failed to connect to ssh server"
end
local methods = helper:list "root"
if methods then
for _, value in pairs(methods) do
if value == "password" then
return true
end
end
end
return false
end
function action (host, port)
local timems = stdnse.parse_timespec(arg_timeout) --todo: use this!
local ssh_timeout = 1000 * timems
if password_auth_allowed(host, port) then
local options = {
ssh_timeout = ssh_timeout,
}
local engine = brute.Engine:new(Driver, host, port, options)
engine.options.script_name = SCRIPT_NAME
local _, result = engine:start()
return result
else
return "Password authentication not allowed"
end
end
|
