Nmap Development mailing list archives
Re: pgsql-brute and PostgreSQL match lines
From: Patrik Karlsson <patrik () cqure net>
Date: Sun, 21 Feb 2010 02:59:18 +0100
On 17 feb 2010, at 18.51, David Fifield wrote:
> On Sat, Feb 06, 2010 at 11:51:39PM +0100, Patrik Karlsson wrote:
> > Hi all, I just finished pgsql-brute.nse, a script that allows password guessing against PostgreSQL servers and the supporting pgsql.lua library used for both version 2 and 3 of the protocol.
>
> Thanks, Patrik. I've given it a look. It would be nice if the library could automatically detect the version of the protocol, with an option to unconditionally override it. Otherwise detectVersion is going to be copied into every script.
I've moved detectVersion to the pgsql library. It returns either the v3 or v2 class depending on what it detects.
> Is this intentional? (The use of username as both user name and database name.)
Yes, have a look at the following link for an explanation, specifically "A convenient choice is to create a database with the same name as your current user name. Many tools assume that database name as the default, so it can save you some typing.". Based on how the code currently works, the database does not need to exist in order to correctly identify a successful login. http://www.postgresql.org/docs/8.0/interactive/tutorial-createdb.html
> status, response = v.sendStartup(socket, username, username)
>
> I'm getting log messages like this:
>
> FATAL: unsupported frontend protocol 65363.19778: server supports 1.0 to 3.0
> FATAL: no pg_hba.conf entry for host "192.168.0.21", user "versionprobe", database "versionprobe", SSL off
> FATAL: no pg_hba.conf entry for host "192.168.0.21", user "root", database "root", SSL off
> FATAL: no pg_hba.conf entry for host "192.168.0.21", user "root", database "root", SSL off
> FATAL: no pg_hba.conf entry for host "192.168.0.21", user "admin", database "admin", SSL off
> FATAL: no pg_hba.conf entry for host "192.168.0.21", user "admin", database "admin", SSL off
>
> Even if the above code is a bug, I don't know why each user name would be used only twice. It seems like it would be used as many times as there are passwords.
This is correct behavior, or at least almost. The script first attempts to connect using SSL and then without, as SSL can be explicitly denied in pg_hba.conf. However, if the response contains "no pg_hba.conf entry for host", there is no entry in the file, so authentication won't succeed. The script now correctly identifies this and moves on to the next username.
> You've got a little copy-paste error in a comment:
>
> -- Add credentials for other mysql scripts to use
Fixed.
> Can you tell me what lines to add to a configuration file to make a dummy account for testing the script?
To create the user "test", as OS-user postgresql or equivalent do:

createuser -P test
> The library looks pretty good. Please provide a documentation reference for this magic packet:
>
> local data = bin.pack( ">I>I", 8, 80877103)
I have clarified the magic packet.
> The library uses the openssl library without doing a require call; I'm not sure if that will be a problem. Try running the script after configuring Nmap --without-openssl and make sure it fails gracefully.
I've added a require line for openssl.
> David Fifield
I'm attaching the new versions:
Attachment: pgsql-brute.nse
Attachment: pgsql.lua
//Patrik
--
Patrik Karlsson
http://www.cqure.net
http://www.twitter.com/nevdull77
_______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://seclists.org/nmap-dev/
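The handshake pieces argued over in the thread, as an added example that is not part of the message above and not the pgsql.lua library's own code: the 8-byte SSLRequest "magic packet" (its 80877103 is the never-used protocol version 1234.5679 that the server recognises as an SSL probe), the v2 and v3 startup messages with the database name defaulting to the user name, and a parser for the v3 ErrorResponse so a guesser can tell a "no pg_hba.conf entry" rejection (give up on that user) from a wrong password (keep guessing). The sample backend messages are constructed here to mirror the quoted log lines, and the classification rules are the editor's, not the script's.

```python
"""PostgreSQL frontend/backend handshake pieces, offline and in pure Python.

Added illustration for the pgsql-brute discussion; not the NSE library's code.
Sample backend messages are constructed below, modelled on the quoted log lines.
"""
import struct
from typing import Optional, Tuple


def version_code(major: int, minor: int) -> int:
    """Protocol version as the server reads it: major in the high 16 bits,
    minor in the low 16 bits of the Int32 that follows the length."""
    return (major << 16) | minor


def decode_version(code: int) -> Tuple[int, int]:
    """Inverse of version_code; 80877103 decodes to (1234, 5679)."""
    return code >> 16, code & 0xFFFF


# bin.pack(">I>I", 8, 80877103) from the thread: length 8 plus version 1234.5679,
# a version no real client speaks, reserved for the SSLRequest probe.
SSLREQUEST_CODE = version_code(1234, 5679)   # 80877103 == 0x04D2162F
PROTOCOL_V2 = version_code(2, 0)             # 131072
PROTOCOL_V3 = version_code(3, 0)             # 196608


def ssl_request() -> bytes:
    """8-byte SSLRequest; the server answers a single byte, 'S' or 'N'."""
    return struct.pack(">II", 8, SSLREQUEST_CODE)


def startup_v3(user: str, database: Optional[str] = None) -> bytes:
    """v3 StartupMessage: length, version, then key\\0value\\0 pairs, then \\0.
    database defaults to the user name, as sendStartup(socket, u, u) does."""
    db = user if database is None else database
    body = b"".join(k + b"\x00" + v.encode() + b"\x00"
                    for k, v in ((b"user", user), (b"database", db)))
    body += b"\x00"                          # end of parameter list
    return struct.pack(">II", 4 + 4 + len(body), PROTOCOL_V3) + body


def startup_v2(user: str, database: Optional[str] = None) -> bytes:
    """v2 StartupPacket: fixed 296 bytes of NUL-padded fields
    (database[64], user[32], options[64], unused[64], tty[64])."""
    db = user if database is None else database

    def field(s: str, width: int) -> bytes:
        return s.encode()[:width - 1].ljust(width, b"\x00")

    body = (field(db, 64) + field(user, 32) + field("", 64)
            + field("", 64) + field("", 64))
    return struct.pack(">II", 296, PROTOCOL_V2) + body


def error_response(fields: dict) -> bytes:
    """Encode a v3 ErrorResponse ('E'); used here only to build samples."""
    body = b"".join(code.encode() + val.encode() + b"\x00"
                    for code, val in fields.items()) + b"\x00"
    return b"E" + struct.pack(">I", 4 + len(body)) + body


def parse_backend_message(data: bytes):
    """Split one v3 backend message into (type, fields-or-payload).
    ErrorResponse/NoticeResponse fields are keyed by their code letter:
    S severity, C SQLSTATE, M message text."""
    mtype = data[0:1]
    (length,) = struct.unpack(">I", data[1:5])   # length counts itself
    payload = data[5:1 + length]
    if mtype in (b"E", b"N"):
        fields = {}
        pos = 0
        while pos < len(payload) and payload[pos:pos + 1] != b"\x00":
            end = payload.index(b"\x00", pos + 1)
            fields[chr(payload[pos])] = payload[pos + 1:end].decode()
            pos = end + 1
        return mtype.decode(), fields
    return mtype.decode(), payload


def classify_failure(fields: dict) -> str:
    """What a FATAL ErrorResponse means for a password guesser.
    Message text is matched first: SQLSTATE 28P01 (invalid password) only
    exists from PostgreSQL 8.4 on; older servers use 28000 for both cases."""
    msg = fields.get("M", "")
    code = fields.get("C", "")
    if "no pg_hba.conf entry" in msg:
        return "no_hba_entry"        # no rule matches: stop trying this user
    if "unsupported frontend protocol" in msg or code == "0A000":
        return "wrong_protocol"      # retry with the other startup format
    if "authentication failed" in msg or code == "28P01":
        return "bad_password"        # keep going through the wordlist
    if code == "3D000":
        return "no_such_database"    # user is fine; pick a database that exists
    return "other"


# Constructed samples (not captured traffic), modelled on the quoted log lines.
SAMPLE_NO_HBA = error_response({
    "S": "FATAL", "C": "28000",
    "M": 'no pg_hba.conf entry for host "192.168.0.21", user "root", '
         'database "root", SSL off'})
SAMPLE_BAD_PW = error_response({
    "S": "FATAL", "C": "28P01",
    "M": 'password authentication failed for user "test"'})
SAMPLE_AUTH_OK = b"R" + struct.pack(">II", 8, 0)   # AuthenticationOk

if __name__ == "__main__":
    print("SSLRequest:", ssl_request().hex())
    print("v3 startup:", startup_v3("root").hex())
    for raw in (SAMPLE_NO_HBA, SAMPLE_BAD_PW):
        mtype, fields = parse_backend_message(raw)
        print(mtype, fields["C"], "->", classify_failure(fields))
```

The version-detection problem from the thread falls out of the framing: a v3 server answering a v2 packet (or vice versa) reports "unsupported frontend protocol" with the two 16-bit halves it read, so the guesser can resend in the other format before spending any of its wordlist.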
Current thread:
- pgsql-brute and PostgreSQL match lines Patrik Karlsson (Feb 06)
- Re: pgsql-brute and PostgreSQL match lines David Fifield (Feb 17)
- Re: pgsql-brute and PostgreSQL match lines Patrik Karlsson (Feb 20)
- Re: pgsql-brute and PostgreSQL match lines David Fifield (Feb 24)
- Re: pgsql-brute and PostgreSQL match lines Patrik Karlsson (Mar 04)
- Re: pgsql-brute David Fifield (Mar 04)
- Re: pgsql-brute Patrik Karlsson (Mar 04)
- Re: pgsql-brute David Fifield (Mar 04)
- Re: pgsql-brute Patrik Karlsson (Mar 04)