Nmap Development mailing list archives

Re: pgsql-brute and PostgreSQL match lines


From: Patrik Karlsson <patrik () cqure net>
Date: Sun, 21 Feb 2010 02:59:18 +0100


On 17 feb 2010, at 18.51, David Fifield wrote:

On Sat, Feb 06, 2010 at 11:51:39PM +0100, Patrik Karlsson wrote:
Hi all,

I just finished pgsql-brute.nse, a script that allows password
guessing against PostgreSQL servers and the supporting pgsql.lua
library used for both version 2 and 3 of the protocol.

Thanks, Patrik. I've given it a look.

It would be nice if the library could automatically detect the version
of the protocol, with an option to unconditionally override it.
Otherwise detectVersion is going to be copied into every script.
I've moved detectVersion to the pgsql library. It returns either the v3 or v2 class depending on what it detects.


Is this intentional? (The use of username as both user name and
database name.)
Yes, have a look at the following link for an explanation, specifically "A convenient choice is to create a database 
with the same name as your current user name. Many tools assume that database name as the default, so it can save you 
some typing.". Based on how the code currently works, the database does not need to exist in order to correctly 
identify a successful login.
http://www.postgresql.org/docs/8.0/interactive/tutorial-createdb.html


status, response = v.sendStartup(socket, username, username)

I'm getting log messages like this:

FATAL:  unsupported frontend protocol 65363.19778: server supports 1.0 to 3.0
FATAL:  no pg_hba.conf entry for host "192.168.0.21", user "versionprobe", database "versionprobe", SSL off
FATAL:  no pg_hba.conf entry for host "192.168.0.21", user "root", database "root", SSL off
FATAL:  no pg_hba.conf entry for host "192.168.0.21", user "root", database "root", SSL off
FATAL:  no pg_hba.conf entry for host "192.168.0.21", user "admin", database "admin", SSL off
FATAL:  no pg_hba.conf entry for host "192.168.0.21", user "admin", database "admin", SSL off

Even if the above code is a bug, I don't know why each user name would
be used only twice. It seems like it would be used as many times as
there are passwords.
This is correct behavior, or at least almost. The script first attempts to connect using SSL, then without, as SSL can be 
explicitly denied in pg_hba.conf.
However, if the response contains "no pg_hba.conf entry for host" there is no entry in the file so authentication won't 
succeed.
The script now correctly identifies this and moves on to the next username.


You've got a little copy-paste error in a comment:
      -- Add credentials for other mysql scripts to use

Fixed.


Can you tell me what lines to add to a configuration file to make a
dummy account for testing the script?

To create the user "test", as OS-user postgresql or equivalent do:
createuser -P test



The library looks pretty good. Please provide a documentation reference
for this magic packet:
       local data = bin.pack( ">I>I", 8, 80877103)
I have clarified the magic packet.

The library uses the openssl library without doing a require call; I'm
not sure if that will be a problem. Try running the script after
configuring Nmap --without-openssl and make sure it fails gracefully.
I've added a require line for openssl.


David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/


I'm attaching the new versions:

Attachment: pgsql-brute.nse
Description:

Attachment: pgsql.lua
Description:



//Patrik
--
Patrik Karlsson
http://www.cqure.net
http://www.twitter.com/nevdull77
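The exchange discussed above (the SSLRequest "magic packet", the v3 and v2 startup messages that use the user name as the database name, and the FATAL responses that tell the script to move on to the next user name) as an added example. This is not code from the thread or from pgsql.lua; it is written in Python rather than NSE Lua so it runs stand-alone, and it only builds and parses the byte formats the PostgreSQL frontend/backend protocol defines. The function names, the classification strings and the sample server responses are my own constructions.

```python
import struct

# The "magic packet" from the library: Int32 length 8, then 80877103, which is
# (1234 << 16) | 5679, the protocol's reserved SSLRequest code. A server answers
# with a single byte, 'S' (SSL ok) or 'N' (no SSL), before any startup message.
SSL_REQUEST_CODE = 80877103
PROTOCOL_V3 = 3 << 16   # 196608: major 3, minor 0
PROTOCOL_V2 = 2 << 16   # 131072: major 2, minor 0

# Authentication request codes carried in an 'R' message (AuthenticationXxx).
AUTH_OK, AUTH_CLEARTEXT, AUTH_MD5 = 0, 3, 5


def ssl_request():
    return struct.pack(">II", 8, SSL_REQUEST_CODE)


def startup_v3(user, database=None):
    """v3 StartupMessage: length, protocol, then key\\0value\\0 pairs and a final \\0.
    Like the script, the database name defaults to the user name."""
    database = database or user
    body = (b"user\0" + user.encode() + b"\0database\0"
            + database.encode() + b"\0\0")
    return struct.pack(">II", 8 + len(body), PROTOCOL_V3) + body


def _limstring(value, width):
    """v2 fixed-width, NUL-padded string field."""
    raw = value.encode()[:width]
    return raw + b"\0" * (width - len(raw))


def startup_v2(user, database=None):
    """v2 StartupPacket: always 296 bytes: length(4) protocol(4) database(64)
    user(32) options(64) unused(64) tty(64)."""
    database = database or user
    return (struct.pack(">II", 296, PROTOCOL_V2) + _limstring(database, 64)
            + _limstring(user, 32) + _limstring("", 64) * 3)


def split_message(buf):
    """Split one v3 backend message: Byte1 type, Int32 length (self-inclusive), payload."""
    mtype = buf[0:1]
    (length,) = struct.unpack(">I", buf[1:5])
    return mtype, buf[5:1 + length], buf[1 + length:]


def parse_error_fields(payload):
    """ErrorResponse payload: repeated Byte1 field code + NUL-terminated string, then NUL."""
    fields = {}
    for part in payload.split(b"\0"):
        if part:
            fields[chr(part[0])] = part[1:].decode("utf-8", errors="replace")
    return fields


def classify(response):
    """Decide what a brute-force loop should do with the server's first reply."""
    mtype, payload, _ = split_message(response)
    if mtype == b"R":
        (code,) = struct.unpack(">I", payload[:4])
        return "login_ok" if code == AUTH_OK else "auth_challenge:%d" % code
    if mtype == b"E":
        msg = parse_error_fields(payload).get("M", "")
        if "no pg_hba.conf entry" in msg:
            return "no_hba_entry"          # no rule for this host/user/db: next user name
        if "unsupported frontend protocol" in msg:
            return "unsupported_protocol"  # fall back to the other protocol version
        return "error:" + msg
    return "unexpected:" + mtype.decode("ascii", errors="replace")


def choose_protocol(response_to_v3_startup):
    """Minimal version detection: stay on v3 unless the server rejects it."""
    return PROTOCOL_V2 if classify(response_to_v3_startup) == "unsupported_protocol" else PROTOCOL_V3


# Constructed sample server messages (not captured traffic) for a self-test.
def error_response(severity, sqlstate, message):
    body = (b"S" + severity.encode() + b"\0C" + sqlstate.encode()
            + b"\0M" + message.encode() + b"\0\0")
    return b"E" + struct.pack(">I", 4 + len(body)) + body


def auth_request(code):
    return b"R" + struct.pack(">II", 8, code)


SAMPLE_NO_HBA = error_response(
    "FATAL", "28000",
    'no pg_hba.conf entry for host "192.168.0.21", user "root", database "root", SSL off')
SAMPLE_BAD_VERSION = error_response(
    "FATAL", "0A000",
    "unsupported frontend protocol 65363.19778: server supports 1.0 to 3.0")

if __name__ == "__main__":
    print(ssl_request().hex(), len(startup_v2("root")), classify(SAMPLE_NO_HBA))
```

The decision in classify mirrors the behaviour described in the reply: an AuthenticationOk ('R' with code 0) on a startup with any database name is a successful login even if that database does not exist, a "no pg_hba.conf entry" FATAL means no password will ever work for that user from this host, and a challenge (cleartext or MD5) means the password exchange continues.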





