Nmap Development mailing list archives
[NSE] Revision of telnet-brute
From: nnposter () users sourceforge net
Date: Thu, 18 Apr 2013 18:40:25 +0000
In the past I did not have a lot of success with telnet-brute.nse so I have tried to rewrite it while preserving the outer appearance.

Changes:

- Replaced hard-coded line termination \r\0 with a configurable parameter (telnet-brute.eol) and set the default value to \r to avoid falsely failed logins on some daemons. The parameter supports use of C-like escape sequences, such as \r, \x0d, and \0015.
- Changed response to the telnet server ECHO "will" / "will not" from outright "do not" to an agreement with whatever the server proposes to make the script work with some daemons.
- Removed use of receive_lines(), which was causing either time-outs or unnecessary connection tear-downs due to waiting on a line termination. This change improved the script success rate and/or performance (5x in some cases).
- Exposed the connection time-out value as a configurable parameter (telnet-brute.timeout). It defaults to 5000ms.
- Improved handling of connection errors, which were occasionally causing credential combinations to be skipped.
- Updated the logged-in status detection logic to make the script work with some daemons.
- Avoided overlapping connections to make the script work with daemons that allow only one connection at a time.
- Replaced a locally defined routine with stdnse.string_or_blank() for printing out credentials. Changed printing of tested credentials in the debug output to be consistent with script results.
- Script will now report if it senses password-only authentication.
- Implemented detailed debug messages (e.g. "Sending password") at debug level 3 (configurable).
- Expanded the script documentation.

Tested on:

- Cisco IOS
- Linux telnetd
- Digital Sprite 2
- Nortel Contivity
- Hummingbird telnetd

Questions:

- Does anybody see a value in moving the string unescaping function to nselib? Or is a similar function already available and I just did not notice? (I do not count URL encoding.)
- Is there an understanding how expensive PCRE is over Lua? The reason I am asking is that the session analysis could be slightly more accurate if it switched to PCRE.
- Is there an established pattern for scripts to take into account -T values?

I would very much appreciate if the community tested the script against additional target types. If you find the script does not work in your particular environment then please send me the full nmap output with debug level 3 (-ddd). Feel free to edit the output to replace the individual password characters but please do not alter the output otherwise.

Any constructive feedback is very welcome.

Cheers,
nnposter
Attachment: telnet-brute.nse
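The ECHO negotiation change described in the post ("agree with whatever the server proposes") boils down to how the client answers telnet IAC option commands. The following Lua is an added illustration written for this page, not code from telnet-brute.nse or nselib; it assumes the client agrees only on ECHO (option 1), declines every other option, and drops a dangling IAC at the end of a buffer on the assumption that the caller will read more data.

```lua
-- Telnet option negotiation as a login client would handle it (added example).
local IAC, DONT, DO, WONT, WILL, SB, SE = 255, 254, 253, 252, 251, 250, 240
local ECHO = 1  -- the only option this client agrees to (assumption)

-- Scan raw bytes received from the server. Returns two strings:
--   data  = the buffer with all IAC command sequences removed (the text to analyse)
--   reply = negotiation bytes to send back to the server ("" if nothing to answer)
local function negotiate(buf)
  local data, reply = {}, {}
  local i, n = 1, #buf
  while i <= n do
    local c = buf:byte(i)
    if c ~= IAC then
      data[#data + 1] = string.char(c)       -- ordinary data byte
      i = i + 1
    elseif i == n then
      break                                  -- lone IAC at buffer end: wait for more
    else
      local cmd = buf:byte(i + 1)
      if cmd == IAC then                     -- IAC IAC is an escaped literal 0xFF
        data[#data + 1] = "\255"
        i = i + 2
      elseif cmd == SB then                  -- skip subnegotiation up to IAC SE
        local j = buf:find("\255\240", i + 2, true)
        i = j and (j + 2) or (n + 1)
      elseif cmd == WILL or cmd == WONT or cmd == DO or cmd == DONT then
        if i + 2 > n then break end          -- option byte not received yet
        local opt = buf:byte(i + 2)
        local resp
        if cmd == WILL then
          resp = (opt == ECHO) and DO or DONT  -- agree on ECHO, refuse the rest
        elseif cmd == WONT then
          resp = DONT                          -- server withdraws: always acceptable
        else
          resp = WONT                          -- DO/DONT: this client offers no options
        end
        reply[#reply + 1] = string.char(IAC, resp, opt)
        i = i + 3
      else
        i = i + 2                            -- other two-byte commands (NOP, GA, ...)
      end
    end
  end
  return table.concat(data), table.concat(reply)
end

-- Constructed sample: server sends WILL ECHO, DO TERMINAL-TYPE (24), then a prompt.
local data, reply = negotiate("\255\251\1" .. "\255\253\24" .. "login: ")
print(("prompt=%q reply=%d bytes"):format(data, #reply))
```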