Nmap Development mailing list archives
Re: pgsql-brute and PostgreSQL match lines
From: Patrik Karlsson <patrik () cqure net>
Date: Thu, 4 Mar 2010 16:46:21 +0100
Hi David,

Thanks for testing! Please find my comments inline.

On 25 feb 2010, at 04.32, David Fifield wrote:
> On Sun, Feb 21, 2010 at 02:59:18AM +0100, Patrik Karlsson wrote:
>> On 17 feb 2010, at 18.51, David Fifield wrote:
>>> Is this intentional? (The use of username as both user name and database name.)
>>
>> Yes, have a look at the following link for an explanation, specifically "A convenient choice is to create a database with the same name as your current user name. Many tools assume that database name as the default, so it can save you some typing.". Based on how the code currently works, the database does not need to exist in order to correctly identify a successful login.
>>
>> http://www.postgresql.org/docs/8.0/interactive/tutorial-createdb.html
>
> Okay, thanks.
No problem.
>>>     status, response = v.sendStartup(socket, username, username)
>>>
>>> I'm getting log messages like this:
>>>
>>> FATAL: unsupported frontend protocol 65363.19778: server supports 1.0 to 3.0
>>> FATAL: no pg_hba.conf entry for host "192.168.0.21", user "versionprobe", database "versionprobe", SSL off
>>> FATAL: no pg_hba.conf entry for host "192.168.0.21", user "root", database "root", SSL off
>>> FATAL: no pg_hba.conf entry for host "192.168.0.21", user "root", database "root", SSL off
>>> FATAL: no pg_hba.conf entry for host "192.168.0.21", user "admin", database "admin", SSL off
>>> FATAL: no pg_hba.conf entry for host "192.168.0.21", user "admin", database "admin", SSL off
>>>
>>> Even if the above code is a bug, I don't know why each user name would be used only twice. It seems like it would be used as many times as there are passwords.
>>
>> This is correct behavior, or at least almost. The script first attempts to connect using SSL, then without, as SSL can be explicitly denied in pg_hba.conf. However, if the response contains "no pg_hba.conf entry for host" there is no entry in the file, so authentication won't succeed. The script now correctly identifies this and moves on to the next username.
>
> Ah, I see now. Checking for this and bailing out early is a good idea too.
>>> DEBUG: forked new backend, pid=33800 socket=6
>>> LOG: connection received: host=192.168.0.21 port=46373
>>> LOG: could not receive data from client: Connection reset by peer
>>> LOG: incomplete startup packet
>>> DEBUG: server process (PID 33800) exited with exit code 0
>>> DEBUG: forked new backend, pid=33801 socket=6
>>> LOG: connection received: host=192.168.0.21 port=46374
>>> LOG: connection authorized: user=versionprobe database=versionprobe
>>> FATAL: database "versionprobe" does not exist
>>> DEBUG: server process (PID 33801) exited with exit code 1
>>> DEBUG: forked new backend, pid=33802 socket=6
>>> LOG: connection received: host=192.168.0.21 port=46375
>>> LOG: connection authorized: user=root database=root
>>> FATAL: database "root" does not exist
>>> DEBUG: server process (PID 33802) exited with exit code 1
>>>
>>> Can you tell me what lines to add to a configuration file to make a dummy account for testing the script?
>>
>> To create the user "test", as OS-user postgresql or equivalent do:
>>
>>     createuser -P test
>
> All right, thanks. I did that, added the scanning machine to pg_hba.conf, and now I'm getting a different error:
>
> NSE: Starting pgsql-brute against 192.168.0.190:5432.
> NSE: Trying root/ ...
> NSE: pgsql-brute against 192.168.0.190:5432 threw an error!
> ./nselib/pgsql.lua:424: bad argument #2 to 'unpack' (string expected, got nil)
> stack traceback:
>         [C]: in function 'unpack'
>         ./nselib/pgsql.lua:424: in function 'decodeHeader'
>         ./nselib/pgsql.lua:440: in function 'processResponse'
>         ./nselib/pgsql.lua:488: in function 'loginRequest'
>         ./scripts/pgsql-brute.nse:136: in function <./scripts/pgsql-brute.nse:64>
>         (tail call): ?
>
> The server is closing the connection after the versionprobe request, so v3.readPacket is returning nil at line 400. Am I doing something wrong? I attached a packet capture in case that helps. This is against version 8.4.2.
Ok, so I'm guessing you set up the authentication method as "trust"? This means that the server won't ask for the credentials to access the DB. I wasn't handling this properly, but I've fixed it now. If the trusted method is in use the script will report the user with no password as the admin user below:

PORT     STATE SERVICE
5432/tcp open  postgresql
| pgsql-brute:
|   admin => Trusted authentication
|_  test:test => Login Correct

Depending on the server setup, specifically if database and user are set to "all", all users may come back as "trusted authentication".
>>> The library uses the openssl library without doing a require call; I'm not sure if that will be a problem. Try running the script after configuring Nmap --without-openssl and make sure it fails gracefully.
>>
>> I've added a require line for openssl.
>
> Okay. Running "nmap --script-updatedb" after configuring with "--without-openssl" fails in mysql.lua and pgsql.lua with an error like this:
>
> NSE: error while updating Script Database: [string "local nse = ......"]:17: ./nselib/pgsql.lua:22: module 'openssl' not found:
>         no field package.preload['openssl']
>         no file './openssl.lua'
>         no file '/usr/local/share/lua/5.1/openssl.lua'
>         no file '/usr/local/share/lua/5.1/openssl/init.lua'
>         no file '/usr/local/lib/lua/5.1/openssl.lua'
>         no file '/usr/local/lib/lua/5.1/openssl/init.lua'
>         no file './nselib/openssl.lua'
>         no file './openssl.so'
>         no file '/usr/local/lib/lua/5.1/openssl.so'
>         no file '/usr/local/lib/lua/5.1/loadall.so'
> stack traceback:
>         [C]: in function 'assert'
>         [string "local nse = ......"]:17: in main chunk
>
> Can you see if you can protect the module from being loaded when OpenSSL isn't available, perhaps like the ssh-hostkey script does?
Ok, I've fixed this. While doing so I also came across the same problem in my MySQL scripts. I've fixed them as well and I'll post the diff in a separate thread to get any comments before committing the change. I'm attaching the new version of the library and pgsql-brute script:
Attachment: pgsql-brute.nse
Attachment: pgsql.lua
> David Fifield
>
> <pgsql-brute.pcap>
> _______________________________________________
> Sent through the nmap-dev mailing list
> http://cgi.insecure.org/mailman/listinfo/nmap-dev
> Archived at http://seclists.org/nmap-dev/
//Patrik

-- 
Patrik Karlsson
http://www.cqure.net
http://www.twitter.com/nevdull77
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
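[Editor's added example, not part of the thread and not the pgsql.lua / pgsql-brute.nse code the authors attached.] The exchange above turns on a few details of the PostgreSQL v3 startup protocol: the script sends a StartupMessage with database = user (so "database ... does not exist" after "connection authorized" still proves the credentials), it must not crash when the server simply closes the socket (the `unpack` on nil in decodeHeader), a "no pg_hba.conf entry" FATAL means no password for that user can ever work so the user should be skipped, and a `trust` entry yields AuthenticationOk without a password prompt. The helpers below build the SSLRequest and StartupMessage bytes and classify the first backend reply accordingly. The server replies in `SAMPLE_RESPONSES` are constructed by hand, modelled on the log lines quoted in the thread, so the module runs offline; the SQLSTATE values they carry (28000, 3D000) and the decision labels are this example's own choices, not identifiers from the script.

```python
"""PostgreSQL v3 startup-message helpers for a brute-force client (added example).
The 'server' replies below are constructed locally; nothing here talks to a socket."""
import struct

PROTOCOL_VERSION_3 = 3 << 16             # 196608: major 3, minor 0
SSL_REQUEST_CODE = (1234 << 16) | 5679   # 80877103, the SSLRequest magic

# Sub-codes carried in an 'R' (AuthenticationRequest) message
AUTH_OK = 0
AUTH_CLEARTEXT_PASSWORD = 3
AUTH_MD5_PASSWORD = 5


def ssl_request():
    """SSLRequest: int32 length (8) + int32 code. The backend answers one byte, 'S' or 'N'."""
    return struct.pack("!ii", 8, SSL_REQUEST_CODE)


def startup_message(user, database=None):
    """StartupMessage: int32 length, int32 protocol, NUL-terminated key/value pairs,
    closed by an extra NUL. database defaults to the user name, mirroring
    sendStartup(socket, username, username) in the thread."""
    if database is None:
        database = user
    params = b"".join(k.encode() + b"\x00" + v.encode() + b"\x00"
                      for k, v in (("user", user), ("database", database))) + b"\x00"
    body = struct.pack("!i", PROTOCOL_VERSION_3) + params
    return struct.pack("!i", len(body) + 4) + body


def read_message(buf):
    """Split one backend message off buf: 1-byte type, int32 length (counting itself),
    payload. Returns (type, payload, rest), or None when buf is empty or truncated,
    i.e. the peer closed the connection (the case that crashed decodeHeader)."""
    if len(buf) < 5:
        return None
    (length,) = struct.unpack("!i", buf[1:5])
    if length < 4 or len(buf) < 1 + length:
        return None
    return buf[0:1], buf[5:1 + length], buf[1 + length:]


def error_fields(payload):
    """ErrorResponse payload: repeated (1-byte field code, cstring), ended by a lone NUL.
    Returns e.g. {'S': 'FATAL', 'C': '28000', 'M': 'no pg_hba.conf entry ...'}."""
    fields, pos = {}, 0
    while pos < len(payload) and payload[pos:pos + 1] != b"\x00":
        end = payload.index(b"\x00", pos + 1)
        fields[payload[pos:pos + 1].decode()] = payload[pos + 1:end].decode(errors="replace")
        pos = end + 1
    return fields


def classify_startup_response(buf):
    """Turn the first reply after a StartupMessage into a brute-force decision:
    'closed'         socket closed / truncated reply: do not crash, retry without SSL or skip
    'trusted'        AuthenticationOk with no password sent: pg_hba.conf 'trust'
    'cleartext'/'md5' server wants a password: keep walking the password list
    'no_hba_entry'   no pg_hba.conf line matches host/user/db: skip this user entirely
    'login_ok_no_db' authorized, but database == user does not exist: credentials valid
    'auth_failed'    password rejected
    """
    msg = read_message(buf)
    if msg is None:
        return "closed"
    mtype, payload, _ = msg
    if mtype == b"R":
        (code,) = struct.unpack("!i", payload[:4])
        return {AUTH_OK: "trusted", AUTH_CLEARTEXT_PASSWORD: "cleartext",
                AUTH_MD5_PASSWORD: "md5"}.get(code, "auth_other")
    if mtype == b"E":
        f = error_fields(payload)
        text = f.get("M", "")
        if "no pg_hba.conf entry" in text:          # checked first: it also carries 28000
            return "no_hba_entry"
        if f.get("C") == "3D000" or (text.startswith("database ") and text.endswith("does not exist")):
            return "login_ok_no_db"
        if f.get("C") in ("28000", "28P01") or "authentication failed" in text:
            return "auth_failed"
        return "error"
    return "unexpected"


def build_error(severity, sqlstate, message):
    """Encode an ErrorResponse the way a backend would (used only to fake replies here)."""
    payload = b"".join(c.encode() + v.encode() + b"\x00"
                       for c, v in (("S", severity), ("C", sqlstate), ("M", message))) + b"\x00"
    return b"E" + struct.pack("!i", len(payload) + 4) + payload


def build_auth_request(code, extra=b""):
    payload = struct.pack("!i", code) + extra
    return b"R" + struct.pack("!i", len(payload) + 4) + payload


# Constructed replies modelled on the server log lines quoted in the thread
SAMPLE_RESPONSES = {
    "trust": build_auth_request(AUTH_OK),
    "md5": build_auth_request(AUTH_MD5_PASSWORD, b"\x01\x02\x03\x04"),   # 4-byte salt
    "no_hba": build_error("FATAL", "28000",
        'no pg_hba.conf entry for host "192.168.0.21", user "root", database "root", SSL off'),
    "no_db": build_error("FATAL", "3D000", 'database "root" does not exist'),
    "reset": b"",   # "Connection reset by peer": readPacket() would return nil
}

if __name__ == "__main__":
    print("startup:", startup_message("root").hex())
    for name, reply in SAMPLE_RESPONSES.items():
        print(f"{name:>6} -> {classify_startup_response(reply)}")
```

The ordering inside the `E` branch matters: the pg_hba check comes before the SQLSTATE checks because both "no pg_hba.conf entry" and a rejected password share class 28; matching on the message text for the pg_hba case is the same heuristic the thread describes the script using. A real client would send `ssl_request()` first and, on an `N` byte or a `no pg_hba.conf entry ... SSL on` error, reconnect and send only `startup_message()`, which is the "each user appears twice" pattern David noticed in the log.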
Current thread:
- pgsql-brute and PostgreSQL match lines Patrik Karlsson (Feb 06)
- Re: pgsql-brute and PostgreSQL match lines David Fifield (Feb 17)
- Re: pgsql-brute and PostgreSQL match lines Patrik Karlsson (Feb 20)
- Re: pgsql-brute and PostgreSQL match lines David Fifield (Feb 24)
- Re: pgsql-brute and PostgreSQL match lines Patrik Karlsson (Mar 04)
- Re: pgsql-brute David Fifield (Mar 04)
- Re: pgsql-brute Patrik Karlsson (Mar 04)
- Re: pgsql-brute David Fifield (Mar 04)
- Re: pgsql-brute Patrik Karlsson (Mar 04)
- Re: pgsql-brute and PostgreSQL match lines Patrik Karlsson (Feb 20)
- Re: pgsql-brute and PostgreSQL match lines David Fifield (Feb 17)