Nmap Development mailing list archives

Re: pgsql-brute

From: David Fifield <david () bamsoftware com>
Date: Thu, 4 Mar 2010 09:44:06 -0700

On Thu, Mar 04, 2010 at 04:46:21PM +0100, Patrik Karlsson wrote:

Hi David,

Thank's for testing! Please find my comments inline.

On 25 feb 2010, at 04.32, David Fifield wrote:

On Sun, Feb 21, 2010 at 02:59:18AM +0100, Patrik Karlsson wrote:

To create the user "test", as OS-user postgresql or equivalent do:
creatuser -P test


All right, thanks. I did that, added the scanning machine to
pg_hba.conf, and now I'm getting a different error:

NSE: Starting pgsql-brute against 192.168.0.190:5432.
NSE: Trying root/ ...
NSE: pgsql-brute against 192.168.0.190:5432 threw an error!
./nselib/pgsql.lua:424: bad argument #2 to 'unpack' (string expected, got nil)
stack traceback:
       [C]: in function 'unpack'
       ./nselib/pgsql.lua:424: in function 'decodeHeader'
       ./nselib/pgsql.lua:440: in function 'processResponse'
       ./nselib/pgsql.lua:488: in function 'loginRequest'
       ./scripts/pgsql-brute.nse:136: in function <./scripts/pgsql-brute.nse:64>
       (tail call): ?

The server is closing the connection after the versionprobe request, so
v3.readPacket is returning nil at line 400. Am I doing something wrong?
I attached a packet capture in case that helps. This is against version
8.4.2.


Ok, so I'm guessing you set up the authentication method as "trust"? This means that the server won't ask for the 
credentials to access the DB.
I wasn't handeling this properly, but I've fixed it now. If the trusted method is in use the script will report the 
user with no password as the admin user below:

PORT     STATE SERVICE
5432/tcp open  postgresql
| pgsql-brute:  
|   admin => Trusted authentication
|_  test:test => Login Correct

Depending on the server setup, specifically if database and user are set to "all", all users may come back as 
"trusted authentication".


You're right, that's what I did. Now I'm getting this output:

PORT     STATE SERVICE
5432/tcp open  postgresql
| pgsql-brute:
|   root:<empty> => Login Correct
|   admin:<empty> => Login Correct
|   administrator:<empty> => Login Correct
|   webadmin:<empty> => Login Correct
|   sysadmin:<empty> => Login Correct
|   netadmin:<empty> => Login Correct
|   guest:<empty> => Login Correct
|   user:<empty> => Login Correct
|   web:<empty> => Login Correct
|_  test:<empty> => Login Correct

That looks good; that's going to be a big red flag to anyone who's set
up the database insecurely as I did. It works like this if I set the
authentication method to "password" or "md5".

PORT     STATE SERVICE
5432/tcp open  postgresql
| pgsql-brute:
|_  test:monkey1 => Login Correct

That works whether or not a "test" database exists. If I set the method
to "reject" or "ident", the script seems to detect that it doesn't have
a chance and stops trying.

The library uses the openssl library without doing a require call; I'm
not sure if that will be a problem. Try running the script after
configuring Nmap --without-openssl and make sure it fails gracefully.


I've added a require line for openssl.


Okay. Running "nmap --script-updatedb" after configuring with
"--without-openssl" fails in mysql.lua and pgsql.lua with an error like
this:

NSE: error while updating Script Database:
[string "local nse = ......"]:17: ./nselib/pgsql.lua:22: module 'openssl' not found:
       no field package.preload['openssl']
       no file './openssl.lua'
       no file '/usr/local/share/lua/5.1/openssl.lua'
       no file '/usr/local/share/lua/5.1/openssl/init.lua'
       no file '/usr/local/lib/lua/5.1/openssl.lua'
       no file '/usr/local/lib/lua/5.1/openssl/init.lua'
       no file './nselib/openssl.lua'
       no file './openssl.so'
       no file '/usr/local/lib/lua/5.1/openssl.so'
       no file '/usr/local/lib/lua/5.1/loadall.so'
stack traceback:
       [C]: in function 'assert'
       [string "local nse = ......"]:17: in main chunk

Can you see if you can protect the module from being loaded when OpenSSL
isn't available, perhaps like the ssh-hostkey script does?


Ok, I've fixed this. While doing so I also came across the same
problem in my MySQL scripts. I've fixed them as well and I'll post the
diff in a separate thread to get any comments before commiting the
change.


Looks good here.

I'm attaching the new version of the library any pgsql-brute script:


You are good to commit these. Nice job!

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/

Current thread:

pgsql-brute and PostgreSQL match lines Patrik Karlsson (Feb 06)
- Re: pgsql-brute and PostgreSQL match lines David Fifield (Feb 17)
  - Re: pgsql-brute and PostgreSQL match lines Patrik Karlsson (Feb 20)
    - Re: pgsql-brute and PostgreSQL match lines David Fifield (Feb 24)
    - Re: pgsql-brute and PostgreSQL match lines Patrik Karlsson (Mar 04)
    - Re: pgsql-brute David Fifield (Mar 04)
    - Re: pgsql-brute Patrik Karlsson (Mar 04)
    - Re: pgsql-brute David Fifield (Mar 04)
    - Re: pgsql-brute Patrik Karlsson (Mar 04)