Nmap Development mailing list archives
Re: pop3-brute.nse (I think)
From: David Fifield <david () bamsoftware com>
Date: Thu, 15 Apr 2010 20:35:57 -0600
On Thu, Apr 08, 2010 at 09:21:20PM +0000, Brandon Enright wrote:
> On Thu, 08 Apr 2010 16:14:24 -0500 Daniel Miller <bonsaiviking () gmail com> wrote:
>
> > Not really a problem, but an optimization, I think. While trying out
> > --script '*', I noticed that my test target was responding that the
> > method of authentication being used on port 995 was unacceptable.
> > This is on Ubuntu 9.10, running Dovecot. Here's the conversation
> > according to Wireshark:
> >
> > S: +OK Dovecot ready.
> > C: USER root
> > S: -ERR Plaintext authentication disallowed on non-secure (SSL/TLS) connections.
> >
> > This goes on and on. Might be best to just give up if getting this
> > error, but I don't know how general that solution would be.
> >
> > Dan
>
> I have some code that uses the output of the pop3-capabilities script
> to figure out if SSL is required or not. I suppose that logic could be
> adapted to pop3-brute and pop3-capabilities be made a dependency for
> brute.
>
> The logic is roughly:
>
> If the service isn't already wrapped in SSL, if it doesn't present STLS
> as a capability then you aren't secure. If it does present STLS but
> also presents either "USER" or "SASL(PLAIN)" or "SASL(LOGIN)" it
> doesn't require SSL but supports it. If it presents STLS but no login
> ability then it requires SSL.
>
> The perl code is:
>
>     # "pop3-capabilities"
>     if ($ps_script eq 'pop3-capabilities') {
>         # Make sure the service isn't SSL
>         if ($ps_service !~ m/^ssl\//) {
>             # Supports SSL/STARTTLS?
>             if ($ps_data =~ m/STLS/) {
>                 # STLS offered, but plaintext login still accepted before it
>                 if (($ps_data =~ m/USER/) ||
>                     ($ps_data =~ m/SASL\( [^\)]*(?:PLAIN|LOGIN) [^\)]*\)/x)) {
>                     push @warning, {('name'     => 'POP3WEAKAUTH',
>                                      'severity' => 5,
>                                      'text'     => 'POP3 server on ' . $ps_port . ' supports ' .
>                                                    'plaintext authentication ' .
>                                                    'without enforcing SSL')};
>                 }
>             } else {
>                 # No STLS at all: plaintext login is the only option
>                 if (($ps_data =~ m/USER/) ||
>                     ($ps_data =~ m/SASL\( [^\)]*(?:PLAIN|LOGIN) [^\)]*\)/x)) {
>                     push @warning, {('name'     => 'POP3WEAKAUTHNOSSL',
>                                      'severity' => 7,
>                                      'text'     => 'POP3 server on ' . $ps_port . ' supports ' .
>                                                    'plaintext authentication ' .
>                                                    'but not SSL')};
>                 }
>             }
>         }
>     }
That's useful. Something like this would be the ideal solution.

We also need changes in pop3.lua so that it can deal better with unexpected errors. The pop3.login_* functions can only express "login failed" to the caller, but not "login failed and stop trying the method because it will never work." Then pop3-brute won't keep trying if it happens to use the wrong method.

David Fifield

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
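The capability decision tree Brandon describes and the three-way login result David asks pop3.lua for, as an added Python example that is not code from this thread or from Nmap. The CAPA responses are constructed, the labels other than POP3WEAKAUTH and POP3WEAKAUTHNOSSL are my own, and the parser accepts both Dovecot's "SASL PLAIN LOGIN" line and the "SASL(PLAIN LOGIN)" form pop3-capabilities prints.

```python
import re

# Constructed CAPA responses (not captured from the thread's target). Dovecot lists
# "SASL PLAIN LOGIN"; Nmap's pop3-capabilities renders the same as "SASL(PLAIN LOGIN)".
CAPA_STLS_PLAINTEXT = "+OK\r\nTOP\r\nUIDL\r\nPIPELINING\r\nSTLS\r\nUSER\r\nSASL PLAIN LOGIN\r\n.\r\n"
CAPA_STLS_ONLY = "+OK\r\nTOP\r\nUIDL\r\nPIPELINING\r\nSTLS\r\n.\r\n"
CAPA_NO_TLS = "+OK\r\nTOP\r\nUIDL\r\nUSER\r\nSASL PLAIN LOGIN\r\n.\r\n"

def parse_capa(response):
    """Return {CAPABILITY: [args]} from a raw CAPA reply ended by a lone '.' line."""
    caps = {}
    lines = response.split("\r\n")
    if not lines or not lines[0].startswith("+OK"):
        return caps
    for line in lines[1:]:
        if line == ".":
            break
        m = re.match(r"^([^\s(]+)\((.*)\)$", line)  # Nmap-style NAME(arg arg)
        if m:
            caps[m.group(1).upper()] = m.group(2).split()
        elif line:
            name, *args = line.split()
            caps[name.upper()] = args
    return caps

def plaintext_login_offered(caps):
    """USER, or SASL with PLAIN/LOGIN, means credentials can be sent in the clear."""
    sasl = {a.upper() for a in caps.get("SASL", [])}
    return "USER" in caps or bool(sasl & {"PLAIN", "LOGIN"})

def classify(caps, ssl_wrapped=False):
    """Brandon's decision tree; POP3WEAKAUTH* are his names, the other labels are mine."""
    if ssl_wrapped:  # service already runs under SSL (Nmap reports it as ssl/pop3)
        return "SSL"
    if "STLS" in caps:
        return "POP3WEAKAUTH" if plaintext_login_offered(caps) else "STLS-REQUIRED"
    return "POP3WEAKAUTHNOSSL" if plaintext_login_offered(caps) else "NO-PLAINTEXT-AUTH"

# Dovecot's policy refusal quoted in the thread: no further attempt with that method can succeed.
POLICY_REFUSAL = re.compile(r"^-ERR .*plaintext authentication disallowed", re.IGNORECASE)

def login_outcome(reply):
    """The three results pop3.lua cannot yet express: 'ok', 'retry' (bad credentials) or 'stop'."""
    if reply.startswith("+OK"):
        return "ok"
    if POLICY_REFUSAL.match(reply):
        return "stop"  # the caller should abandon this method on this connection
    return "retry"
```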