Re: pop3-brute.nse (I think)

[David Fifield <david () bamsoftware com>]

On Thu, Apr 08, 2010 at 09:21:20PM +0000, Brandon Enright wrote:
> On Thu, 08 Apr 2010 16:14:24 -0500
> Daniel Miller <bonsaiviking () gmail com> wrote:
>
> > Not really a problem, but an optimization, I think. While trying out 
> > --script '*', I noticed that my test target was responding that the 
> > method of authentication being used on port 995 was unacceptable.
> > This is on Ubuntu 9.10, running Dovecot. Here's the conversation
> > according to Wireshark:
> >
> > S: +OK Dovecot ready.
> > C: USER root
> > S: -ERR Plaintext authentication disallowed on non-secure (SSL/TLS) 
> > connections.
> >
> > This goes on and on. Might be best to just give up if getting this 
> > error, but I don't know how general that solution would be.
> >
> > Dan
>
> I have some code that uses the output of the pop3-capabilities script
> to figure out if SSL is required or not.  I suppose that logic could be
> adapted to pop3-brute and pop3-capabilities be made a dependency for
> brute.
>
> The logic is roughly:
>
> If the service isn't already wrapped in SSL, if it doesn't present STLS
> as a capability then you aren't secure.  If it does present STLS but
> also presents either "USER" or "SASL(PLAIN)" or "SASL(LOGIN)" it
> doesn't require SSL but supports it.  If it present STLS but no login
> ability then it requires SSL.
>
> The perl code is:
>
>             # "pop3-capabilities"
>             if ($ps_script eq 'pop3-capabilities') {
>
>                 # Make sure the service isn't SSL
>                 if ($ps_service !~ m/^ssl\//) {
>                     # Supports SSL/STARTTLS?
>                     if ($ps_data =~ m/STLS/) {
>                         if (($ps_data =~ m/USER/) ||
>                             ($ps_data =~ m/SASL\(
>                                            [^\)]*(?:PLAIN|LOGIN)
>                                            [^\)]*\)/x)) {
>                             push @warning, {('name'=>'POP3WEAKAUTH',
>                                              'severity'=>5,
>                                              'text'=>'POP3 server on '
>                                              . $ps_port . ' supports '
>                                              . 'plaintext authentication '
>                                              . 'without enforcing SSL')};
>                         }
>                     }
>                     else {
>                         if (($ps_data =~ m/USER/) ||
>                             ($ps_data =~ m/SASL\(
>                                            [^\)]*(?:PLAIN|LOGIN)
>                                            [^\)]*\)/x)) {
>                             push @warning, {('name'=>'POP3WEAKAUTHNOSSL',
>                                              'severity'=>7,
>                                              'text'=>'POP3 server on '
>                                              . $ps_port . ' supports '
>                                              . 'plaintext authentication '
>                                              . 'but not SSL')};
>                         }
>                     }
>                 }

That's useful. Something like this would be the ideal solution. We also
need changes in pop3.lua so that it can deal better with with unexpected
errors. The pop3.login_* functions can only express "login failed" to
the caller, but not "login failed and stop trying the method because it
will never work." Then pop3-brute won't keep trying if it happens to use
the wrong method.

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/