Nmap Development mailing list archives
pgsql-brute and PostgreSQL match lines
From: Patrik Karlsson <patrik () cqure net>
Date: Sat, 6 Feb 2010 23:51:39 +0100
Hi all,

I just finished pgsql-brute.nse, a script that allows password guessing against PostgreSQL servers, and the supporting pgsql.lua library used for both version 2 and 3 of the protocol.

While developing the script I also noticed that the fingerprinting of PostgreSQL running version 3 of the protocol could be improved a lot, as error messages contain the file in which the error occurred and the line number. Currently, the SMBProgNeg probe triggers the error "Unsupported frontend protocol" with this information, but a too generic match always returns "PostgreSQL DB". Yesterday I therefore started installing quite a few virtual machines in order to pull the error messages from a number of different PostgreSQL DB versions. Halfway through it, HD Moore announced this on Twitter: http://blog.metasploit.com/2010/02/postgres-fingerprinting.html

Well, what are the odds? Anyway, I've looked at the code and that plugin is basing its matching on the error message returned by an incorrect login. I suppose this is possible now with the new library, and could benefit from the fingerprinting already done, but it's more intrusive and requires a version script (as more than one packet is sent) rather than the use of the existing SMBProgNeg probe.

I've collected fingerprints from the following versions and so far they've all returned a different line number for the same error message:

- PostgreSQL 8.0.21 - FreeBSD
- PostgreSQL 8.1.17 - FreeBSD
- PostgreSQL 8.2.13 - FreeBSD
- PostgreSQL 8.3.7 - FreeBSD
- PostgreSQL 8.4.0 - FreeBSD
- PostgreSQL 8.4.2 - Linux
- PostgreSQL 8.4.2 - Windows

The attached patch adds those fingerprints and kills the generic wide match that prevents this detailed matching from being done. The matches currently match the whole server response rather than the file name and line number, but the error packet is static enough, I believe.

Have a look under ErrorResponse here for more details: http://developer.postgresql.org/pgdocs/postgres/protocol-message-formats.html

//Patrik

--
Patrik Karlsson
http://www.cqure.net
Attachments:
- pgsql.lua
- postgresql-matches.patch
- pgsql-brute.nse
_______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://seclists.org/nmap-dev/
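The exchange the post relies on, as an added example that is not part of the original message, of pgsql.lua, or of Nmap: a v3 StartupMessage with an unsupported protocol version is sent, and the server's ErrorResponse is parsed into its fielded form so the file (F) and line (L) fields can be pulled out as a version fingerprint, with a fallback for the older v2 error format that carries no fields. Assumptions: the probe uses protocol version 999.0 (chosen here; the post uses Nmap's existing SMBProgNeg probe, which a v3 server likewise rejects), the sample replies are constructed offline and their message text, file name and line number are placeholders rather than captured values, and the file:line to version table is supplied by the caller (the post's real fingerprints live in the attached patch, not here).

```python
import socket
import struct


def build_startup_message(major, minor, params):
    """v3 StartupMessage: Int32 length (incl. itself), Int32 version
    (major in the high 16 bits, minor in the low), NUL-terminated
    name/value pairs, then a final NUL."""
    body = struct.pack("!I", ((major & 0xFFFF) << 16) | (minor & 0xFFFF))
    for name, value in params.items():
        body += name.encode() + b"\0" + value.encode() + b"\0"
    body += b"\0"
    return struct.pack("!I", len(body) + 4) + body


def build_probe():
    """Startup packet with a deliberately unsupported version (999.0 is an
    assumption of this example) so the server answers with an error
    instead of an authentication request."""
    return build_startup_message(999, 0, {"user": "nmap"})


def build_error_response(fields):
    """Encode a v3 ErrorResponse: 'E', Int32 length, (Byte1 code, String)*
    and a NUL terminator. Used only to construct an offline sample."""
    body = b"".join(c.encode() + v.encode() + b"\0" for c, v in fields.items())
    body += b"\0"
    return b"E" + struct.pack("!I", len(body) + 4) + body


def parse_error_response(data):
    """Parse a server ErrorResponse in either protocol format.

    v3: 'E' + Int32 length + fields keyed by one-byte codes
        (S severity, C sqlstate, M message, F file, L line, R routine, ...).
    v2: 'E' + NUL-terminated message text, with no length word and no fields.
    A length word that matches the packet size identifies the v3 form."""
    if not data or data[0:1] != b"E":
        raise ValueError("not an ErrorResponse")
    if len(data) >= 5:
        (length,) = struct.unpack("!I", data[1:5])
        if length == len(data) - 1:
            fields = {}
            pos = 5
            while pos < len(data) and data[pos:pos + 1] != b"\0":
                end = data.index(b"\0", pos + 1)
                fields[chr(data[pos])] = data[pos + 1:end].decode("utf-8", "replace")
                pos = end + 1
            return {"protocol": 3, "fields": fields}
    text = data[1:].split(b"\0", 1)[0].decode("utf-8", "replace")
    return {"protocol": 2, "fields": {"M": text}}


def fingerprint(parsed):
    """Version-discriminating key: source file and line of the error, which
    the post observed to differ between releases. None for v2 replies,
    which carry no such fields."""
    f = parsed["fields"]
    if "F" in f and "L" in f:
        return f"{f['F']}:{f['L']}"
    return None


def match_version(parsed, table):
    """Look the fingerprint up in a caller-supplied {file:line -> version}
    table; otherwise fall back to the generic match the post's patch removes."""
    return table.get(fingerprint(parsed), "PostgreSQL DB")


def probe_server(host, port=5432, timeout=5.0):
    """Live use: send the probe over TCP and parse the first reply."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_probe())
        return parse_error_response(s.recv(4096))


# Constructed v3 reply; text, file and line are placeholders, not values
# captured from any real PostgreSQL build.
SAMPLE_V3_REPLY = build_error_response({
    "S": "FATAL",
    "C": "0A000",
    "M": "unsupported frontend protocol 999.0: server supports 1.0 to 3.0",
    "F": "postmaster.c",
    "L": "1234",
    "R": "ProcessStartupPacket",
})

# Constructed v2-style reply (old format: no length word, no fields).
SAMPLE_V2_REPLY = b"EFATAL:  unsupported frontend protocol\0"

if __name__ == "__main__":
    table = {"postmaster.c:1234": "placeholder version for this sample"}
    for reply in (SAMPLE_V3_REPLY, SAMPLE_V2_REPLY):
        parsed = parse_error_response(reply)
        print(parsed["protocol"], fingerprint(parsed), match_version(parsed, table))
```

Matching on `F:L` rather than the whole packet, as the post considers, keeps a fingerprint stable when only the message text or the SQLSTATE differs between builds; a v2-only server never yields a fingerprint and stays on the generic match.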
Current thread:
- pgsql-brute and PostgreSQL match lines Patrik Karlsson (Feb 06)
- Re: pgsql-brute and PostgreSQL match lines David Fifield (Feb 17)
- Re: pgsql-brute and PostgreSQL match lines Patrik Karlsson (Feb 20)
- Re: pgsql-brute and PostgreSQL match lines David Fifield (Feb 24)
- Re: pgsql-brute and PostgreSQL match lines Patrik Karlsson (Mar 04)
- Re: pgsql-brute David Fifield (Mar 04)
- Re: pgsql-brute Patrik Karlsson (Mar 04)
- Re: pgsql-brute David Fifield (Mar 04)
- Re: pgsql-brute Patrik Karlsson (Mar 04)
- Re: pgsql-brute and PostgreSQL match lines Patrik Karlsson (Feb 20)
- Re: pgsql-brute and PostgreSQL match lines David Fifield (Feb 17)