Nmap Development mailing list archives

Re: writing brute scripts for UDP based protocols


From: Patrik Karlsson <patrik () cqure net>
Date: Mon, 04 Apr 2011 00:43:34 +0200

On 2011-03-22 13:15, Toni Ruottu <toni.ruottu () iki fi> wrote:

Hey,

Do we have an example of a brute script against a UDP based protocol?
I think the brute library is useless here. If the service reports
errors we can send auth packets, and check that we get an error response
for each one we send. If the service only responds to packets with
correct credentials this becomes a lot harder, as we'll never know how
much traffic we can send and how many times we should retry given
credentials. Should we create a separate udpbrute library, or try to
squeeze this into the existing one?

 --Toni
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/

Hi Toni,

The word "useless" inspired me to write the first UDP based brute script. I
first tried to re-write the SNMP brute script, but it didn't turn out that
great. While the brute library can be used, it ends up being very slow. The
reason for this is that the guessing engine needs to wait for a timeout in
each cycle. A way around this is to run a huge number of parallel
coroutines (brute.threads), which gives reasonable speed. As the sockets
are unconnected this seems to work reasonably well, although I didn't
pursue it further.

I also tried the same approach used by the current SNMP brute script, i.e.
sending all the requests first and then waiting for the responses to come
back. Unfortunately this didn't work well once the list of community
names became larger. Running tcpdump on the server showed the requests
coming in, but every now and then no response came back, even
though the correct community string had been supplied. This obviously wasn't
reliable enough.

After a while, I moved on to another protocol, SIP. While it took some
time to implement what I needed, I think the results turned out reasonably
well. So, in my opinion, this is more of an application protocol
issue than an issue with UDP services in general.

I'm attaching the SIP library (sip.lua), the brute script (sip-brute.nse)
and a script that allows for user enumeration (sip-enum-users.nse).

Cheers,
Patrik
--
Patrik Karlsson
http://www.cqure.net
http://www.twitter.com/nevdull77

Attachment: sip.lua

Attachment: sip-enum-users.nse

Attachment: sip-brute.nse
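The "send all requests first, then wait for the responses" strategy Patrik describes for the SNMP script, plus the retry step a practitioner adds so that a silently dropped datagram is not mistaken for a rejected guess, as an added example. This is Python rather than NSE Lua and is not the code attached to the post; the loopback "agent" that answers only the community "public" and swallows the first valid request is a constructed stand-in used to reproduce the lost-response behaviour seen in the thread, and the word list is made up.

```python
"""Batch-and-retry UDP brute force, using SNMPv1 community strings.

Added illustration (not NSE code, not the attached scripts).  The fake
agent, its drop pattern and the word list are constructed for the demo.
"""
import socket
import threading
import time


def _ber(tag: int, payload: bytes) -> bytes:
    """Encode one short-form BER TLV (payload must be under 128 bytes)."""
    assert len(payload) < 128
    return bytes([tag, len(payload)]) + payload


def _ber_int(n: int) -> bytes:
    """Minimal-length non-negative INTEGER (leading 0x00 only if top bit set)."""
    return _ber(0x02, n.to_bytes(n.bit_length() // 8 + 1, "big"))


def build_snmp_pdu(community: bytes, request_id: int, pdu_tag: int = 0xA0) -> bytes:
    """SNMPv1 message asking for sysDescr.0 (1.3.6.1.2.1.1.1.0).
    pdu_tag 0xA0 = GetRequest, 0xA2 = GetResponse; the value is left NULL."""
    oid = _ber(0x06, bytes([0x2B, 6, 1, 2, 1, 1, 1, 0]))
    varbinds = _ber(0x30, _ber(0x30, oid + _ber(0x05, b"")))
    pdu = _ber(pdu_tag, _ber_int(request_id) + _ber_int(0) + _ber_int(0) + varbinds)
    return _ber(0x30, _ber_int(0) + _ber(0x04, community) + pdu)


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos); handles short and long-form lengths."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def parse_snmp_response(data: bytes):
    """Return (community, request_id) from an SNMPv1 message, None if malformed."""
    try:
        tag, msg, _ = _read_tlv(data, 0)
        if tag != 0x30:
            return None
        _, _version, p = _read_tlv(msg, 0)
        _, community, p = _read_tlv(msg, p)
        _, pdu, _ = _read_tlv(msg, p)
        _, rid, _ = _read_tlv(pdu, 0)
        return community, int.from_bytes(rid, "big")
    except (IndexError, ValueError):
        return None


def brute_communities(sock, target, communities, rounds=3, wait=0.5):
    """Send every guess, then collect replies until the wait expires; resend
    only the still-unanswered guesses in later rounds.  A v1 agent stays
    silent on a wrong community, so only a reply proves a guess.  Returns
    (valid, unanswered): unanswered means wrong OR lost, never "rejected"."""
    pending = {i + 1: c for i, c in enumerate(communities)}  # request-id -> guess
    valid = set()
    for _ in range(rounds):
        if not pending:
            break
        for rid, community in pending.items():
            sock.sendto(build_snmp_pdu(community, rid), target)
        deadline = time.monotonic() + wait
        while pending:
            remaining = deadline - time.monotonic()
            if remaining <= 0:
                break
            sock.settimeout(remaining)
            try:
                data, _ = sock.recvfrom(4096)
            except socket.timeout:
                break
            parsed = parse_snmp_response(data)
            if parsed and parsed[1] in pending:
                valid.add(pending.pop(parsed[1]))
    return valid, set(pending.values())


def start_fake_agent(valid=b"public"):
    """Constructed loopback stand-in for an SNMPv1 agent: answers only the
    valid community, drops wrong ones silently, and swallows the FIRST valid
    request to mimic the missing responses described in the thread."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(("127.0.0.1", 0))
    state = {"dropped_once": False}

    def serve():
        while True:
            data, peer = srv.recvfrom(4096)
            if data == b"quit":
                break
            parsed = parse_snmp_response(data)
            if not parsed or parsed[0] != valid:
                continue  # wrong community: silent, like a real v1 agent
            if not state["dropped_once"]:
                state["dropped_once"] = True
                continue  # simulated packet loss on a correct guess
            srv.sendto(build_snmp_pdu(valid, parsed[1], 0xA2), peer)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()


def run_demo():
    target = start_fake_agent()
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        return brute_communities(sock, target, [b"private", b"public", b"snmp", b"admin"])
    finally:
        sock.sendto(b"quit", target)
        sock.close()


if __name__ == "__main__":
    found, silent = run_demo()
    print("valid:", sorted(found), "no answer:", sorted(silent))
```

The first round gets no reply at all because the agent eats the correct guess, which is exactly the situation that made the single-pass SNMP approach unreliable; the second round resends only what is still pending and recovers it. The request-id doubles as the correlation key, so the order in which datagrams return does not matter.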
