Nmap Development mailing list archives
Re: [NSE] new scripts and libraries: svn
From: David Fifield <david () bamsoftware com>
Date: Wed, 18 Aug 2010 11:29:00 -0600
On Sun, Aug 08, 2010 at 05:31:36PM +0200, Patrik Karlsson wrote:
> x svn-brute - performs password guessing against subversion
I set up a repository to test this

    $ svnadmin create /home/david/repos
    $ svn import docs file:///home/david/repos/docs
    $ svnserve -d -r /home/david/repos

The default svnserve.conf settings are

    [general]
    # anon-access = read
    # auth-access = write
    # password-db = passwd
    # authz-db = authz

With these settings, the script doesn't find valid credentials (which makes sense) and then quits because of retries.

    $ ./nmap --datadir . --script svn-brute -p 3690 192.168.0.2 -Pn -n --script-args svn-brute.repo=docs

    Starting Nmap 5.35DC18 ( http://nmap.org ) at 2010-08-18 10:46 MDT
    Warning: File ./nmap-services exists, but Nmap is using /usr/share/nmap/nmap-services for security and consistency reasons. set NMAPDIR=. to give priority to files in your local directory (may affect the other data files too).
    Nmap scan report for 192.168.0.2
    Host is up (0.00054s latency).
    PORT     STATE SERVICE
    3690/tcp open  svn
    | svn-brute:
    |   Accounts
    |     No valid accounts found
    |   Statistics
    |     Perfomed 28240 guesses in 41 seconds, average tps: 695
    |
    |_  ERROR: Too many retries, aborted ...

    Nmap done: 1 IP address (1 host up) scanned in 41.92 seconds

I get the same output after changing to

    [general]
    anon-access = write
    # auth-access = write
    # password-db = passwd
    # authz-db = authz

I suggest that the script should report if anonymous reading or writing is allowed, if that's easy to test.

I then changed to this:

    [general]
    anon-access = read
    auth-access = write
    password-db = passwd
    # authz-db = authz

passwd contains

    [users]
    root = 123456

Running the same command, I get the same output. "Perfomed 28240 guesses in 44 seconds, average tps: 659. ERROR: Too many retries, aborted ..."

Finally after changing to

    [general]
    anon-access = none
    auth-access = write
    password-db = passwd
    # authz-db = authz

I get the output

    $ ./nmap --datadir . --script svn-brute -p 3690 192.168.0.2 -Pn -n --script-args svn-brute.repo=docs,brute.firstonly=1

    Starting Nmap 5.35DC18 ( http://nmap.org ) at 2010-08-18 11:19 MDT
    Nmap scan report for 192.168.0.2
    Host is up (0.0033s latency).
    PORT     STATE SERVICE
    3690/tcp open  svn
    | svn-brute:
    |   Accounts
    |     root:123456 => Login correct
    |   Statistics
    |_    Perfomed 30 guesses in 1 seconds, average tps: 30

    Nmap done: 1 IP address (1 host up) scanned in 0.44 seconds

Why does the anon-access setting affect whether the script works?

I am also intrigued by this bit of code:

    if ( msg:match("Username not found") ) then
        return false, "Username not found"
    elseif ( msg:match("success") ) then
        return true, "Authentication success"
    else
        return false, "Authentication failed"
    end

Does the protocol let you eliminate invalid user names without guessing passwords? (I mean, do you get a different response when guessing a nonexistent user name versus guessing the wrong password for an existent user name?) If so, we should take advantage of it.

Please commit the script and make it report when anonymous access is allowed.

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
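The four svnserve.conf variants above differ only in what unauthenticated clients are allowed to do and whether any account database exists. As an added example (not code from this thread, from Nmap, or from Subversion), the Python below audits a svnserve.conf from the server side and reports the same conditions David asks the script to report: anonymous read or write access, and a missing password-db. It assumes svnserve's documented defaults for commented-out keys (anon-access = read, auth-access = write, exactly as the shipped file shows them) and uses the four configurations from the message as constructed inputs.

```python
import configparser

# svnserve's documented defaults for keys that are absent or commented out.
# The shipped svnserve.conf lists them as "# anon-access = read" and
# "# auth-access = write"; these are assumptions taken from that file.
SVNSERVE_DEFAULTS = {"anon-access": "read", "auth-access": "write"}


def parse_svnserve_conf(text):
    """Return the effective [general] settings of a svnserve.conf.

    Lines starting with '#' are comments for svnserve and for configparser,
    so a commented-out key falls back to SVNSERVE_DEFAULTS.
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    settings = dict(SVNSERVE_DEFAULTS)
    if cp.has_section("general"):
        for key, value in cp.items("general"):
            settings[key] = value.strip()
    return settings


def audit_svnserve_conf(text):
    """List the conditions a repository owner would want flagged."""
    settings = parse_svnserve_conf(text)
    findings = []

    anon = settings["anon-access"]
    if anon == "write":
        findings.append("anonymous write access")
    elif anon == "read":
        findings.append("anonymous read access")
    elif anon != "none":
        findings.append("unrecognised anon-access value: %s" % anon)

    if settings["auth-access"] not in ("read", "write", "none"):
        findings.append("unrecognised auth-access value: %s" % settings["auth-access"])

    # Without a password-db, svnserve has no accounts at all, so the
    # auth-access level can never be reached by a password login.
    if "password-db" not in settings:
        findings.append("no password-db configured")

    return findings


# Constructed inputs: the four configurations from the message, verbatim.
CONFIGS = {
    "shipped defaults": (
        "[general]\n"
        "# anon-access = read\n"
        "# auth-access = write\n"
        "# password-db = passwd\n"
        "# authz-db = authz\n"
    ),
    "anonymous write": (
        "[general]\n"
        "anon-access = write\n"
        "# auth-access = write\n"
        "# password-db = passwd\n"
        "# authz-db = authz\n"
    ),
    "read with accounts": (
        "[general]\n"
        "anon-access = read\n"
        "auth-access = write\n"
        "password-db = passwd\n"
        "# authz-db = authz\n"
    ),
    "authenticated only": (
        "[general]\n"
        "anon-access = none\n"
        "auth-access = write\n"
        "password-db = passwd\n"
        "# authz-db = authz\n"
    ),
}


if __name__ == "__main__":
    for name, conf in CONFIGS.items():
        print("%-20s %s" % (name, ", ".join(audit_svnserve_conf(conf)) or "ok"))
```

Run as a script it prints one line per configuration; only the "authenticated only" variant, the one in which the script succeeded, comes back clean. The audit says nothing about why svn-brute behaves differently under each setting, which remains David's open question in the thread.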
Current thread:
- Re: [NSE] new scripts and libraries: brute library, (continued)
- Re: [NSE] new scripts and libraries: brute library David Fifield (Aug 21)
- Re: [NSE] new scripts and libraries: vnc David Fifield (Aug 11)
- Re: [NSE] new scripts and libraries: vnc Patrik Karlsson (Aug 14)
- Re: [NSE] new scripts and libraries: vnc Henri Salo (Aug 14)
- Re: [NSE] new scripts and libraries: vnc Patrik Karlsson (Aug 14)
- Re: [NSE] new scripts and libraries: vnc Patrik Karlsson (Aug 14)
- Re: [NSE] new scripts and libraries: http David Fifield (Aug 12)
- Re: [NSE] new scripts and libraries: http Patrik Karlsson (Aug 19)
- Re: [NSE] new scripts and libraries: http David Fifield (Sep 06)
- Message not available
- Re: [NSE] new scripts and libraries: http DePriest, Jason R. (Sep 06)
- Re: [NSE] new scripts and libraries: http David Fifield (Sep 06)
- Re: [NSE] new scripts and libraries: http Patrik Karlsson (Aug 19)
- Re: [NSE] new scripts and libraries: svn Patrik Karlsson (Aug 18)
- Re: [NSE] new scripts and libraries: svn David Fifield (Aug 18)
- Re: [NSE] new scripts and libraries: svn Patrik Karlsson (Aug 18)
- Re: [NSE] new scripts and libraries: svn Patrick Donnelly (Aug 19)
- Re: [NSE] new scripts and libraries: svn Patrik Karlsson (Aug 19)
- Re: [NSE] new scripts and libraries: svn David Fifield (Aug 19)
- Re: [NSE] new scripts and libraries: domino, informix, oracle, giop Patrik Karlsson (Aug 19)
- Re: [NSE] new scripts and libraries: domino, informix, oracle, giop David Fifield (Aug 20)