Nmap Development mailing list archives

Re: [NSE] new scripts and libraries: svn


From: David Fifield <david () bamsoftware com>
Date: Wed, 18 Aug 2010 11:29:00 -0600

On Sun, Aug 08, 2010 at 05:31:36PM +0200, Patrik Karlsson wrote:
    x svn-brute - performs password guessing against subversion 

I set up a repository to test this

$ svnadmin create /home/david/repos
$ svn import docs file:///home/david/repos/docs
$ svnserve -d -r /home/david/repos

The default svnserve.conf settings are

[general]
# anon-access = read
# auth-access = write
# password-db = passwd
# authz-db = authz

With these settings, the script doesn't find valid credentials (which
makes sense) and then quits because of retries.

$ ./nmap --datadir . --script svn-brute -p 3690 192.168.0.2 -Pn -n --script-args svn-brute.repo=docs

Starting Nmap 5.35DC18 ( http://nmap.org ) at 2010-08-18 10:46 MDT
Warning: File ./nmap-services exists, but Nmap is using /usr/share/nmap/nmap-services for security and consistency 
reasons.  set NMAPDIR=. to give priority to files in your local directory (may affect the other data files too).
Nmap scan report for 192.168.0.2
Host is up (0.00054s latency).
PORT     STATE SERVICE
3690/tcp open  svn
| svn-brute:
|   Accounts
|     No valid accounts found
|   Statistics
|     Perfomed 28240 guesses in 41 seconds, average tps: 695
|
|_  ERROR: Too many retries, aborted ...

Nmap done: 1 IP address (1 host up) scanned in 41.92 seconds

I get the same output after changing to

[general]
anon-access = write
# auth-access = write
# password-db = passwd
# authz-db = authz

I suggest that the script should report if anonymous reading or writing
is allowed, if that's easy to test. I then changed to this:

[general]
anon-access = read
auth-access = write
password-db = passwd
# authz-db = authz

passwd contains

[users]
root = 123456

Running the same command, I get the same output. "Perfomed 28240 guesses
in 44 seconds, average tps: 659. ERROR: Too many retries, aborted ..."

Finally after changing to

[general]
anon-access = none
auth-access = write
password-db = passwd
# authz-db = authz

I get the output

$ ./nmap --datadir . --script svn-brute -p 3690 192.168.0.2 -Pn -n --script-args svn-brute.repo=docs,brute.firstonly=1

Starting Nmap 5.35DC18 ( http://nmap.org ) at 2010-08-18 11:19 MDT
Nmap scan report for 192.168.0.2
Host is up (0.0033s latency).
PORT     STATE SERVICE
3690/tcp open  svn
| svn-brute:
|   Accounts
|     root:123456 => Login correct
|   Statistics
|_    Perfomed 30 guesses in 1 seconds, average tps: 30

Nmap done: 1 IP address (1 host up) scanned in 0.44 seconds

Why does the anon-access setting affect whether the script works?

I am also intrigued by this bit of code:

                        if ( msg:match("Username not found") ) then
                                return false, "Username not found"
                        elseif ( msg:match("success") ) then
                                return true, "Authentication success"
                        else
                                return false, "Authentication failed"
                        end

Does the protocol let you eliminate invalid user names without guessing
passwords? (I mean, do you get a different response when guessing a
nonexistent user name versus guessing the wrong password for an existent
user name?) If so, we should take advantage of it.

Please commit the script and make it report when anonymous access is
allowed.

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
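As an added example (not code from svn-brute, Nmap, or this thread), the following Python probe does the two things suggested in the message above: it reports which authentication mechanisms svnserve offers for a repository, and it runs one CRAM-MD5 login and tells apart the "Username not found" failure text quoted from the script above from a plain failure. The wire layout of the ra_svn greeting, version message, auth-request and CRAM-MD5 step is written from memory of the protocol and is an assumption to verify against Subversion's libsvn_ra_svn protocol document; the mapping "ANONYMOUS offered means anon-access is not none, CRAM-MD5 offered means password-db is set" is likewise an assumption. The sample messages in the test are constructed, not captured, and the host, port 3690, repository name and "Example Realm" are placeholders.

```python
"""Probe an svnserve (ra_svn over TCP 3690) for its auth mechanisms and try
one CRAM-MD5 login.  Added example; the ra_svn message layout is assumed."""
import hashlib
import hmac
import re
import socket

_WORD = re.compile(rb"[A-Za-z][A-Za-z0-9-]*")
_NUM = re.compile(rb"[0-9]+")


def parse_item(buf, pos=0):
    """Parse one ra_svn item at buf[pos]; return (item, next_pos).
    list -> list, word -> str, number -> int, counted string -> bytes.
    Raises ValueError('incomplete item') when more bytes are needed."""
    while pos < len(buf) and buf[pos:pos + 1].isspace():
        pos += 1
    if pos >= len(buf):
        raise ValueError("incomplete item")
    if buf[pos:pos + 1] == b"(":
        items, pos = [], pos + 1
        while True:
            while buf[pos:pos + 1].isspace():
                pos += 1
            if buf[pos:pos + 1] == b")":
                return items, pos + 1
            item, pos = parse_item(buf, pos)
            items.append(item)
    m = _NUM.match(buf, pos)
    if m:
        end = m.end()
        if buf[end:end + 1] != b":":            # bare number
            if end == len(buf):
                raise ValueError("incomplete item")
            return int(m.group()), end
        n = int(m.group())                      # counted string "N:bytes"
        data = buf[end + 1:end + 1 + n]
        if len(data) < n:
            raise ValueError("incomplete item")
        return data, end + 1 + n
    m = _WORD.match(buf, pos)
    if m:
        if m.end() == len(buf):
            raise ValueError("incomplete item")
        return m.group().decode("ascii"), m.end()
    raise ValueError("malformed item at offset %d" % pos)


def counted(s):
    """Encode str/bytes as an ra_svn counted string, e.g. b'4:docs '."""
    if isinstance(s, str):
        s = s.encode("utf-8")
    return b"%d:%s " % (len(s), s)


class Reader:
    """Buffered reader that yields one complete top-level item per call."""
    def __init__(self, sock):
        self.sock, self.buf = sock, b""

    def item(self):
        while True:
            try:
                item, end = parse_item(self.buf)
                self.buf = self.buf[end:]
                return item
            except ValueError as e:
                if "incomplete" not in str(e):
                    raise
            chunk = self.sock.recv(4096)
            if not chunk:
                raise ConnectionError("svnserve closed the connection")
            self.buf += chunk


def offered_mechs(auth_request):
    """Parsed '( success ( ( mech ... ) realm ) )' -> (mechs, realm)."""
    if not (isinstance(auth_request, list) and auth_request[:1] == ["success"]):
        raise ValueError("auth-request not a success reply: %r" % auth_request)
    mechs, realm = auth_request[1][0], auth_request[1][1]
    return list(mechs), realm.decode("utf-8", "replace")


def summarize_access(mechs):
    """Assumption: ANONYMOUS is offered iff anon-access != none, CRAM-MD5 iff
    password-db is set.  Read vs write cannot be told from this list."""
    return {"anonymous_allowed": "ANONYMOUS" in mechs,
            "password_auth": "CRAM-MD5" in mechs}


def cram_md5_response(user, password, challenge):
    """Client CRAM-MD5 step: 'user <hex HMAC-MD5(password, challenge)>'."""
    digest = hmac.new(password.encode("utf-8"), challenge, hashlib.md5).hexdigest()
    return counted("%s %s" % (user, digest))


def classify_auth_reply(reply):
    """'valid' on success; 'no-such-user' when the failure text is the
    'Username not found' string svn-brute matches; otherwise 'failed'."""
    if reply[:1] == ["success"]:
        return "valid"
    msg = reply[1][0] if len(reply) > 1 and reply[1] and isinstance(reply[1][0], bytes) else b""
    return "no-such-user" if b"Username not found" in msg else "failed"


def probe(host, port, repo, user=None, password=None, timeout=5.0):
    """Report offered mechanisms; if user/password given, try one CRAM-MD5 login."""
    url = "svn://%s/%s" % (host, repo)
    with socket.create_connection((host, port), timeout=timeout) as s:
        rd = Reader(s)
        if rd.item()[:1] != ["success"]:                  # server greeting
            raise RuntimeError("unexpected greeting")
        s.sendall(b"( 2 ( edit-pipeline ) " + counted(url) + counted("svn-probe") + b"( ) ) ")
        mechs, realm = offered_mechs(rd.item())           # auth-request
        result = {"realm": realm, "mechs": mechs, **summarize_access(mechs)}
        if user is not None and "CRAM-MD5" in mechs:
            s.sendall(b"( CRAM-MD5 ( ) ) ")
            step = rd.item()                              # ( step ( challenge ) )
            if step[:1] != ["step"]:
                raise RuntimeError("unexpected CRAM-MD5 step: %r" % step)
            s.sendall(cram_md5_response(user, password, step[1][0]))
            result["login"] = classify_auth_reply(rd.item())
        return result


if __name__ == "__main__":
    import sys  # usage: svnprobe.py HOST REPO [USER PASSWORD]
    a = sys.argv[1:] + [None] * 4
    print(probe(a[0], 3690, a[1], a[2], a[3]))
```

Run it against a lab svnserve as "python3 svnprobe.py 192.168.0.2 docs" to see whether ANONYMOUS is offered, and add "root 123456" to try the login path; the probe deliberately makes a single guess, so pairing it with a wordlist is left to the reader.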
