Nmap Development mailing list archives
Re: writing brute scripts for UDP based protocols
From: Patrik Karlsson <patrik () cqure net>
Date: Mon, 04 Apr 2011 00:43:34 +0200
On 2011-03-22 13:15, Toni Ruottu <toni.ruottu () iki fi> wrote:

> Hey, do we have an example of a brute script against a UDP based protocol? I think the brute library is useless here.
>
> If the service reports errors we can send auth packages, and check we get an error response for each one we send. If the service only responds to packages with correct credentials this becomes a lot harder, as we'll never know how much traffic we can send and how many times we should retry given credentials.
>
> Should we create a separate udpbrute library, or try to squeeze this into the existing one?
>
> --Toni
>
> _______________________________________________
> Sent through the nmap-dev mailing list
> http://cgi.insecure.org/mailman/listinfo/nmap-dev
> Archived at http://seclists.org/nmap-dev/
Hi Toni,

The word "useless" inspired me to write the first UDP based brute script. I first tried to re-write the SNMP brute script, but it didn't turn out that great. While the brute library can be used, it ends up being very slow. The reason for this is that the guessing engine needs to wait for a timeout in each cycle. A way around this is to run a huge amount of parallel coroutines (brute.threads), which will get a reasonable speed. As sockets are unconnected this seems to work reasonably well, although I didn't pursue this further.

I also tried the same approach used by the current SNMP brute script, i.e. sending all the requests first, and then waiting for the responses to come back. Unfortunately this didn't work great when the list of community names became larger. Running tcpdump on the server showed the requests coming in, but every now and then there was no response coming back, even though the correct community string was supplied. This obviously wasn't reliable enough.

After a while, I moved on to another protocol, SIP. While it took some time to implement what I needed, I think the results turned out reasonably well. So, in my opinion, I believe this is more of an application protocol issue rather than an issue with UDP services in general.

I'm attaching the SIP library (sip.lua), the brute script (sip-brute.nse) and a script that allows for user enumeration (sip-enum-users.nse).

Cheers,
Patrik

--
Patrik Karlsson
http://www.cqure.net
http://www.twitter.com/nevdull77
Attachments: sip.lua, sip-enum-users.nse, sip-brute.nse