Nmap Development mailing list archives

pgsql-brute and PostgreSQL match lines

From: Patrik Karlsson <patrik () cqure net>
Date: Sat, 6 Feb 2010 23:51:39 +0100

Hi all,

I just finished pgsql-brute.nse, a script that allows password guessing against PostgreSQL servers and the supporting 
pgsql.lua library used for both version 2 and 3 of the protocol.

While developing the script I also noticed that the fingerprinting of PostgreSQL running version 3 of the protocol 
could be improved a lot as error messages contains the file in which the error occurred and the line number. Currently, 
the SMBProgNeg probe triggers the error "Unsupported frontend protocol" with this information, but a to generic match 
always returns "PostgreSQL DB". Yesterday I therefore started installing quite a few virtual machines in order to pull 
the error messages of from a number of different PostgreSQL DB versions. Half way through it, HD Moore announced this 
on Twitter: http://blog.metasploit.com/2010/02/postgres-fingerprinting.html

Well, what are the odds? Anyway, I've looked at the code and that plugin is basing it's matching on the error message 
returned by an incorrect login. I suppose this is possible now with the new library, and could benefit from the 
fingerprinting already done, but it's more intrusive and requires a version script (as more than one packet is sent) 
rather than the the use of the existing SMBProgNeg probe.

I've collected fingerprints from the following versions and so far they've all returned a different line number for the 
same error message:
- PostgreSQL 8.0.21 - FreeBSD
- PostgreSQL 8.1.17 - FreeBSD
- PostgreSQL 8.2.13 - FreeBSD
- PostgreSQL 8.3.7 - FreeBSD
- PostgreSQL 8.4.0 - FreeBSD
- PostgreSQL 8.4.2 - Linux
- PostgreSQL 8.4.2 - Windows

The attached patch adds those fingerprints and kills the generic wide match that prevents this detailed matching from 
being done. The matches currently match the whole server response rather than the file name and line number, but the 
error packet is static enough I believe. Have a look under ErrorResponse here for more details: 
http://developer.postgresql.org/pgdocs/postgres/protocol-message-formats.html

//Patrik

--
Patrik Karlsson
http://www.cqure.net

Attachment: pgsql.lua
Description:

Attachment: postgresql-matches.patch
Description:

Attachment: pgsql-brute.nse
Description:

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/

Current thread:

pgsql-brute and PostgreSQL match lines Patrik Karlsson (Feb 06)
- Re: pgsql-brute and PostgreSQL match lines David Fifield (Feb 17)
  - Re: pgsql-brute and PostgreSQL match lines Patrik Karlsson (Feb 20)
    - Re: pgsql-brute and PostgreSQL match lines David Fifield (Feb 24)
    - Re: pgsql-brute and PostgreSQL match lines Patrik Karlsson (Mar 04)
    - Re: pgsql-brute David Fifield (Mar 04)
    - Re: pgsql-brute Patrik Karlsson (Mar 04)
    - Re: pgsql-brute David Fifield (Mar 04)
    - Re: pgsql-brute Patrik Karlsson (Mar 04)