local brute = require "brute"
local coroutine = require "coroutine"
local creds = require "creds"
local shortport = require "shortport"
local stdnse = require "stdnse"
local xmpp = require "xmpp"
-- NSE script metadata: the human-readable summary of what this script does.
description = [[
Performs brute force password auditing against XMPP (Jabber) instant messaging servers.
]]
---
-- @usage
-- nmap -p 5222 --script xmpp-brute <host>
--
-- @output
-- PORT STATE SERVICE
-- 5222/tcp open xmpp-client
-- | xmpp-brute:
-- | Accounts
-- | CampbellJ:arthur321 - Valid credentials
-- | CampbellA:joan123 - Valid credentials
-- | WalkerA:auggie123 - Valid credentials
-- | Statistics
-- |_ Performed 6237 guesses in 5 seconds, average tps: 1247
--
-- @args xmpp-brute.auth authentication mechanism to use: LOGIN, PLAIN, CRAM-MD5
-- or DIGEST-MD5
-- @args xmpp-brute.servername needed when the host name cannot be determined
-- automatically (e.g. when running against an IP address
-- instead of a hostname)
--
-- Version 0.1
-- Created 07/21/2011 - v0.1 - created by Patrik Karlsson <patrik@cqure.net>
author = "Patrik Karlsson"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
-- "intrusive": the script issues a large number of authentication attempts
-- against the target, so expect it to appear in the server's auth-failure
-- logging and to trigger any lockout or throttling policy in place.
categories = {"brute", "intrusive"}
-- Run against port 5222, or any port whose service was identified as
-- jabber / xmpp-client.
portrule = shortport.port_or_service(5222, {"jabber", "xmpp-client"})
-- SASL mechanism selected in action() and used by Driver.login for every guess.
local mech
-- Cache of xmpp.Helper connections keyed by coroutine.running(); filled in by
-- Driver.connect so that code running in a given coroutine reuses one
-- connection across guesses instead of reconnecting each time.
ConnectionPool = {}
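Driver =
{
  --- Creates a new driver instance.
  -- @param host table as received by the action method
  -- @param port table as received by the action method
  -- @param options table handed on to xmpp.Helper:new (the action passes
  --        { servername = ... })
  -- @return a new Driver instance
  new = function(self, host, port, options )
    local o = { host = host, port = port, options = options }
    setmetatable(o, self)
    self.__index = self
    return o
  end,

  --- Connects to the server, reusing the connection cached in ConnectionPool
  -- for the calling coroutine when one exists.
  -- @return status true on success, false on failure
  -- @return err string describing the failure (failure only)
  connect = function( self )
    self.helper = ConnectionPool[coroutine.running()]
    if ( not(self.helper) ) then
      self.helper = xmpp.Helper:new( self.host, self.port, self.options )
      -- The socket comes from brute.new_socket() so the engine can manage it.
      local status, err = self.helper:connect(brute.new_socket())
      if ( not(status) ) then return false, err end
      ConnectionPool[coroutine.running()] = self.helper
    end
    return true
  end,

  --- Tears down the current session and opens a fresh one so the next guess
  -- starts from a clean authentication state. If the reconnect fails, the
  -- cached helper is dropped from ConnectionPool so that the next connect()
  -- builds a new one instead of reusing a dead socket.
  -- @return status true if the new session is usable, false otherwise
  -- @return err string describing the failure (failure only)
  reconnect = function( self )
    self.helper:close()
    local status, err = self.helper:connect()
    if ( not(status) ) then
      ConnectionPool[coroutine.running()] = nil
      return false, err
    end
    return true
  end,

  --- Attempts to login to the server.
  -- @param username string containing the username
  -- @param password string containing the password
  -- @return status true on success, false on failure
  -- @return brute.Error on failure and creds.Account on success
  login = function( self, username, password )
    local status, err = self.helper:login( username, password, mech )
    if ( status ) then
      -- The session is now authenticated; start a fresh one for the next guess.
      self:reconnect()
      return true, creds.Account:new(username, password, creds.State.VALID)
    end
    -- A helper error of the form "ERROR: Failed to ... data" indicates a
    -- transport problem rather than a rejected credential: reconnect and ask
    -- the engine to retry the same guess. The type check guards against a
    -- non-string error value, which would otherwise crash the worker here.
    if ( type(err) == "string" and err:match("^ERROR: Failed to .* data$") ) then
      self:reconnect()
      local retry_err = brute.Error:new( err )
      -- This might be temporary, set the retry flag
      retry_err:setRetry( true )
      return false, retry_err
    end
    -- Any other failure, whatever the server's reason, is reported as a wrong
    -- password; a throttled or locked account therefore reads as a false
    -- negative rather than as an error.
    return false, brute.Error:new( "Incorrect password" )
  end,

  --- Called by the engine after each guess. The connection is deliberately
  -- kept in ConnectionPool for reuse by this coroutine, so nothing is torn
  -- down here.
  -- @return status always true
  disconnect = function( self )
    return true
  end,
}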
--- Wraps an error message in the standard NSE failure output.
-- @param err string describing what went wrong
-- @return the value(s) returned by stdnse.format_output(false, err)
local fail = function(err)
  return stdnse.format_output(false, err)
end
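--- Script entry point: probes the server for the SASL mechanisms it offers,
-- picks one, and hands the Driver to the brute engine.
-- @param host table as received from the NSE framework
-- @param port table as received from the NSE framework
-- @return the engine's result, or a formatted failure message
action = function(host, port)
  local options = { servername = stdnse.get_script_args("xmpp-brute.servername") }

  -- A dedicated probe connection is used only to learn which mechanisms the
  -- server offers; it is closed before the engine opens its own connections
  -- so it does not linger for the whole run.
  local helper = xmpp.Helper:new(host, port, options)
  local status, err = helper:connect()
  if ( not(status) ) then
    return fail("Failed to connect to XMPP server")
  end

  local mechs = helper:getAuthMechs()
  helper:close()
  if ( not(mechs) ) then
    return fail("Failed to retrieve authentication mechs from XMPP server")
  end

  -- An explicit xmpp-brute.auth restricts the choice to that one mechanism,
  -- matched case-sensitively against the names the server advertises;
  -- otherwise the first advertised entry of the default list wins. PLAIN is
  -- listed first, so every guessed password crosses the wire in cleartext
  -- unless TLS was negotiated (not visible here); choose CRAM-MD5 or
  -- DIGEST-MD5 explicitly when that matters.
  local mech_prio = stdnse.get_script_args("xmpp-brute.auth")
  mech_prio = ( mech_prio and { mech_prio } ) or { "PLAIN", "LOGIN", "CRAM-MD5", "DIGEST-MD5"}
  for _, mp in ipairs(mech_prio) do
    if ( mechs[mp] ~= nil ) then
      mech = mp
      break
    end
  end
  if ( not(mech) ) then
    return fail("Failed to find suitable authentication mechanism")
  end

  local engine = brute.Engine:new(Driver, host, port, options)
  engine.options.script_name = SCRIPT_NAME
  -- The engine's status flag is not inspected: its second return value is
  -- handed back unchanged whether or not the engine reports success.
  local result
  status, result = engine:start()
  return result
end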