Nmap Development mailing list archives
Re: pgsql-brute
From: David Fifield <david () bamsoftware com>
Date: Thu, 4 Mar 2010 09:44:06 -0700
On Thu, Mar 04, 2010 at 04:46:21PM +0100, Patrik Karlsson wrote:
Hi David, Thank's for testing! Please find my comments inline. On 25 feb 2010, at 04.32, David Fifield wrote:On Sun, Feb 21, 2010 at 02:59:18AM +0100, Patrik Karlsson wrote:To create the user "test", as OS-user postgresql or equivalent do: creatuser -P testAll right, thanks. I did that, added the scanning machine to pg_hba.conf, and now I'm getting a different error: NSE: Starting pgsql-brute against 192.168.0.190:5432. NSE: Trying root/ ... NSE: pgsql-brute against 192.168.0.190:5432 threw an error! ./nselib/pgsql.lua:424: bad argument #2 to 'unpack' (string expected, got nil) stack traceback: [C]: in function 'unpack' ./nselib/pgsql.lua:424: in function 'decodeHeader' ./nselib/pgsql.lua:440: in function 'processResponse' ./nselib/pgsql.lua:488: in function 'loginRequest' ./scripts/pgsql-brute.nse:136: in function <./scripts/pgsql-brute.nse:64> (tail call): ? The server is closing the connection after the versionprobe request, so v3.readPacket is returning nil at line 400. Am I doing something wrong? I attached a packet capture in case that helps. This is against version 8.4.2.Ok, so I'm guessing you set up the authentication method as "trust"? This means that the server won't ask for the credentials to access the DB. I wasn't handeling this properly, but I've fixed it now. If the trusted method is in use the script will report the user with no password as the admin user below: PORT STATE SERVICE 5432/tcp open postgresql | pgsql-brute: | admin => Trusted authentication |_ test:test => Login Correct Depending on the server setup, specifically if database and user are set to "all", all users may come back as "trusted authentication".
You're right, that's what I did. Now I'm getting this output: PORT STATE SERVICE 5432/tcp open postgresql | pgsql-brute: | root:<empty> => Login Correct | admin:<empty> => Login Correct | administrator:<empty> => Login Correct | webadmin:<empty> => Login Correct | sysadmin:<empty> => Login Correct | netadmin:<empty> => Login Correct | guest:<empty> => Login Correct | user:<empty> => Login Correct | web:<empty> => Login Correct |_ test:<empty> => Login Correct That looks good; that's going to be a big red flag to anyone who's set up the database insecurely as I did. It works like this if I set the authentication method to "password" or "md5". PORT STATE SERVICE 5432/tcp open postgresql | pgsql-brute: |_ test:monkey1 => Login Correct That works whether or not a "test" database exists. If I set the method to "reject" or "ident", the script seems to detect that it doesn't have a chance and stops trying.
The library uses the openssl library without doing a require call; I'm not sure if that will be a problem. Try running the script after configuring Nmap --without-openssl and make sure it fails gracefully.I've added a require line for openssl.Okay. Running "nmap --script-updatedb" after configuring with "--without-openssl" fails in mysql.lua and pgsql.lua with an error like this: NSE: error while updating Script Database: [string "local nse = ......"]:17: ./nselib/pgsql.lua:22: module 'openssl' not found: no field package.preload['openssl'] no file './openssl.lua' no file '/usr/local/share/lua/5.1/openssl.lua' no file '/usr/local/share/lua/5.1/openssl/init.lua' no file '/usr/local/lib/lua/5.1/openssl.lua' no file '/usr/local/lib/lua/5.1/openssl/init.lua' no file './nselib/openssl.lua' no file './openssl.so' no file '/usr/local/lib/lua/5.1/openssl.so' no file '/usr/local/lib/lua/5.1/loadall.so' stack traceback: [C]: in function 'assert' [string "local nse = ......"]:17: in main chunk Can you see if you can protect the module from being loaded when OpenSSL isn't available, perhaps like the ssh-hostkey script does?Ok, I've fixed this. While doing so I also came across the same problem in my MySQL scripts. I've fixed them as well and I'll post the diff in a separate thread to get any comments before commiting the change.
Looks good here.
I'm attaching the new version of the library any pgsql-brute script:
You are good to commit these. Nice job! David Fifield _______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://seclists.org/nmap-dev/
Current thread:
- pgsql-brute and PostgreSQL match lines Patrik Karlsson (Feb 06)
- Re: pgsql-brute and PostgreSQL match lines David Fifield (Feb 17)
- Re: pgsql-brute and PostgreSQL match lines Patrik Karlsson (Feb 20)
- Re: pgsql-brute and PostgreSQL match lines David Fifield (Feb 24)
- Re: pgsql-brute and PostgreSQL match lines Patrik Karlsson (Mar 04)
- Re: pgsql-brute David Fifield (Mar 04)
- Re: pgsql-brute Patrik Karlsson (Mar 04)
- Re: pgsql-brute David Fifield (Mar 04)
- Re: pgsql-brute Patrik Karlsson (Mar 04)
- Re: pgsql-brute and PostgreSQL match lines Patrik Karlsson (Feb 20)
- Re: pgsql-brute and PostgreSQL match lines David Fifield (Feb 17)