Nmap Development mailing list archives

Re: pop3-brute.nse (I think)


From: Brandon Enright <bmenrigh () ucsd edu>
Date: Thu, 8 Apr 2010 21:21:20 +0000

On Thu, 08 Apr 2010 16:14:24 -0500
Daniel Miller <bonsaiviking () gmail com> wrote:

> Not really a problem, but an optimization, I think. While trying out
> --script '*', I noticed that my test target was responding that the
> method of authentication being used on port 995 was unacceptable.
> This is on Ubuntu 9.10, running Dovecot. Here's the conversation
> according to Wireshark:
>
> S: +OK Dovecot ready.
> C: USER root
> S: -ERR Plaintext authentication disallowed on non-secure (SSL/TLS)
> connections.
>
> This goes on and on. Might be best to just give up if getting this
> error, but I don't know how general that solution would be.
>
> Dan

I have some code that uses the output of the pop3-capabilities script
to figure out if SSL is required or not.  I suppose that logic could be
adapted to pop3-brute and pop3-capabilities be made a dependency for
brute.

The logic is roughly:

If the service isn't already wrapped in SSL and doesn't present STLS
as a capability, then you aren't secure.  If it does present STLS but
also presents either "USER" or "SASL(PLAIN)" or "SASL(LOGIN)", it
doesn't require SSL but supports it.  If it presents STLS but no login
ability, then it requires SSL.

The Perl code is:

# "pop3-capabilities"
# $ps_script, $ps_service, $ps_data and $ps_port come from the surrounding
# Nmap-output parser; @warning collects the findings.
if ($ps_script eq 'pop3-capabilities') {

    # Make sure the service isn't SSL
    if ($ps_service !~ m/^ssl\//) {
        # Supports SSL/STARTTLS?
        if ($ps_data =~ m/STLS/) {
            # STLS offered, but plaintext logins still accepted
            if (($ps_data =~ m/USER/) ||
                ($ps_data =~ m/SASL\(
                               [^\)]*(?:PLAIN|LOGIN)
                               [^\)]*\)/x)) {
                push @warning, {('name'=>'POP3WEAKAUTH',
                                 'severity'=>5,
                                 'text'=>'POP3 server on '
                                 . $ps_port . ' supports '
                                 . 'plaintext authentication '
                                 . 'without enforcing SSL')};
            }
        }
        else {
            # No STLS at all: plaintext logins with no way to protect them
            if (($ps_data =~ m/USER/) ||
                ($ps_data =~ m/SASL\(
                               [^\)]*(?:PLAIN|LOGIN)
                               [^\)]*\)/x)) {
                push @warning, {('name'=>'POP3WEAKAUTHNOSSL',
                                 'severity'=>7,
                                 'text'=>'POP3 server on '
                                 . $ps_port . ' supports '
                                 . 'plaintext authentication '
                                 . 'but not SSL')};
            }
        }
    }
}


Brandon
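
Added illustration (not part of either message above, and not Nmap or Brandon's code): a Python version of the capability rule from Brandon's note, plus a check for the "-ERR Plaintext authentication disallowed" reply from Daniel's capture. The CAPA replies are constructed samples, not captures from a real server.

```python
import re

# Plaintext credential paths named in the thread: the USER command, or SASL
# advertising PLAIN or LOGIN (matches "SASL PLAIN LOGIN" and "SASL(PLAIN LOGIN)").
PLAINTEXT_RE = re.compile(r"(?m)^(?:USER\b|SASL\b.*\b(?:PLAIN|LOGIN)\b)")
STLS_RE = re.compile(r"(?m)^STLS\b")
# The Dovecot rejection Daniel saw when USER was sent over a non-TLS connection.
REJECT_RE = re.compile(r"plaintext authentication disallowed", re.IGNORECASE)

# Constructed CAPA replies (not captured from a real server).
CAPA_TLS_REQUIRED = "+OK\r\nCAPA\r\nTOP\r\nUIDL\r\nPIPELINING\r\nSTLS\r\nSASL\r\n.\r\n"
CAPA_TLS_OPTIONAL = "+OK\r\nSTLS\r\nUSER\r\nSASL PLAIN\r\n.\r\n"
CAPA_NO_TLS = "+OK\r\nUSER\r\nSASL PLAIN LOGIN\r\n.\r\n"


def parse_capa(response):
    """Return the capability lines of a CAPA reply, without status line or final '.'."""
    lines = response.replace("\r\n", "\n").split("\n")
    if not lines or not lines[0].startswith("+OK"):
        return []  # -ERR or garbage: no capabilities to reason about
    caps = []
    for line in lines[1:]:
        if line == ".":
            break  # multi-line response terminator
        caps.append(line[1:] if line.startswith("..") else line)  # dot-unstuffing
    return caps


def classify(service, capa_response):
    """Brandon's rule. `service` is Nmap's service name, e.g. 'pop3' or 'ssl/pop3'."""
    if service.startswith("ssl/"):
        return "ssl-wrapped"  # already inside TLS, nothing to flag
    caps = "\n".join(parse_capa(capa_response))
    plaintext = bool(PLAINTEXT_RE.search(caps))
    if STLS_RE.search(caps):
        # STLS offered: plaintext mechanisms present means TLS is optional (POP3WEAKAUTH)
        return "plaintext-auth-tls-optional" if plaintext else "tls-required"
    # No STLS: plaintext mechanisms present means no protection at all (POP3WEAKAUTHNOSSL)
    return "plaintext-auth-no-tls" if plaintext else "no-plaintext-auth"


def rejects_plaintext(reply):
    """True for the -ERR reply in Daniel's capture, so a caller can stop instead of retrying."""
    return reply.startswith("-ERR") and bool(REJECT_RE.search(reply))
```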

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
