Re: [NSE] new scripts and libraries: svn

[Patrik Karlsson <patrik () cqure net>]

On 18 aug 2010, at 19.29, David Fifield wrote:

> On Sun, Aug 08, 2010 at 05:31:36PM +0200, Patrik Karlsson wrote:
> >    x svn-brute - performs password guessing against subversion 
>
> I set up a repository to test this
>
> $ svnadmin create /home/david/repos
> $ svn import docs file:///home/david/repos/docs
> $ svnserve -d -r /home/david/repos
>
> The default svnserve.conf settings are
>
> [general]
> # anon-access = read
> # auth-access = write
> # password-db = passwd
> # authz-db = authz
>
> With this settings, the script doesn't find valid credentials (which
> makes sense) and then quits because of retries.

Well, it shouldn't quit as ugly and according to my testing now the above equals anonymous access.
This should be addressed now, the script should report:

Scanned at 2010-08-18 22:07:17 CEST for 0s
PORT     STATE SERVICE REASON
3690/tcp open  svn     syn-ack
| svn-brute:   
|_  Anonymous SVN detected, no authentication needed
Final times for host: srtt: 1211 rttvar: 3494  to: 100000


> $ ./nmap --datadir . --script svn-brute -p 3690 192.168.0.2 -Pn -n --script-args svn-brute.repo=docs
>
> Starting Nmap 5.35DC18 ( http://nmap.org ) at 2010-08-18 10:46 MDT
> Warning: File ./nmap-services exists, but Nmap is using /usr/share/nmap/nmap-services for security and consistency 
> reasons.  set NMAPDIR=. to give priority to files in your local directory (may affect the other data files too).
> Nmap scan report for 192.168.0.2
> Host is up (0.00054s latency).
> PORT     STATE SERVICE
> 3690/tcp open  svn
> | svn-brute:
> |   Accounts
> |     No valid accounts found
> |   Statistics
> |     Perfomed 28240 guesses in 41 seconds, average tps: 695
> |
> |_  ERROR: Too many retries, aborted ...
>
> Nmap done: 1 IP address (1 host up) scanned in 41.92 seconds
>
> I get the same output after changing to
>
> [general]
> anon-access = write
> # auth-access = write
> # password-db = passwd
> # authz-db = authz

This should report the same result as above.

> I suggest that the script should report if anonymous reading or writing
> is allowed, if that's easy to test. 

I don't know, I need to research this a bit more.

> I then changed to this:
>
> [general]
> anon-access = read
> auth-access = write
> password-db = passwd
> # authz-db = authz
>
> passwd contains
>
> [users]
> root = 123456
>
> Running the same command, I get the same output. "Perfomed 28240 guesses
> in 44 seconds, average tps: 659. ERROR: Too many retries, aborted ..."

Again, this will report the same results as above as anonymous is supported.
However, the script can be forced to run using svn-brute.force

> Finally after changing to
>
> [general]
> anon-access = none
> auth-access = write
> password-db = passwd
> # authz-db = authz
>
> I get the output
>
> $ ./nmap --datadir . --script svn-brute -p 3690 192.168.0.2 -Pn -n --script-args svn-brute.repo=docs,brute.firstonly=1
>
> Starting Nmap 5.35DC18 ( http://nmap.org ) at 2010-08-18 11:19 MDT
> Nmap scan report for 192.168.0.2
> Host is up (0.0033s latency).
> PORT     STATE SERVICE
> 3690/tcp open  svn
> | svn-brute:
> |   Accounts
> |     root:123456 => Login correct
> |   Statistics
> |_    Perfomed 30 guesses in 1 seconds, average tps: 30
>
> Nmap done: 1 IP address (1 host up) scanned in 0.44 seconds
>
> Why does the anon-access setting affects whether the script works?

This was due to the match for authentication mechanism was made to late.

> I am also intrigued by this bit of code:
>
>                        if ( msg:match("Username not found") ) then
>                                return false, "Username not found"
>                        elseif ( msg:match("success") ) then
>                                return true, "Authentication success"
>                        else
>                                return false, "Authentication failed"
>                        end
>
> Does the protocol let you eliminate invalid user names without guessing
> passwords? (I mean, do you get a different response when guessing a
> nonexistent user name versus guessing the wrong password for an existent
> user name?) If so, we should take advantage of it.

We do now, it should have been so before as well but contained a bug.
However, when running the script it will still appear as if your guessing passwords against all accounts.
The reason for this is that the "Guessing ..." debug message is printed by the brute engine and the guess is cancelled 
by the driver.

> Please commit the script and make it report when anonymous access is
> allowed.

Done, it's commited as r19875.

Thanks for the thorough test, I should have done a better initial test, sorry for that.
Btw, is there a way to discover the repositories a specific service has by using the svn command?
If not, we could write a brute script for that to I guess.

> David Fifield


//Patrik
--
Patrik Karlsson
http://www.cqure.net
http://www.twitter.com/nevdull77





_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/