
First Stab at NSE scripting


From: Mark Baggett <mark.baggett () morris com>
Date: Sat, 28 Jun 2008 16:58:11 -0400

Here is my first attempt at putting together an NSE script.  I'm sure there
is a more elegant way to handle the strings, and a way to issue the network
requests concurrently to speed it up.  But hey, I threw it together in 3 hours
without any Lua coding experience, so cut me a little slack.

The following NSE script requests /~root on the server to see if Apache's
UserDir directive is enabled.  A 403 for /~root is taken to mean the account
exists (UserDir answers 404 for an unknown user), so the script then
brute-forces usernames by trying every string over CHARSET up to MAXLENGTH
characters and reporting each one that also returns 403.  Note that a server
which answers 403 for any /~name will make every candidate look like a user.

Your feedback is appreciated.

More info here:
http://markremark.blogspot.com/2008/06/first-stab-at-nse-scripting.html
http://markremark.blogspot.com/

Script:

require('shortport')
require('strbuf')
require('listop')
require('http')

-- NSE script header.  These fields must stay global: the engine reads them
-- from the script's environment when it loads the file.
id          = 'HTTPApacheUsers.txt'
author      = 'Mark Baggett <mbaggett () morris com>'
description = 'Brute force usernames on Apache'
license     = 'Same as Nmap--See http://nmap.org/book/man-legal.html'
-- "intrusive": the action issues one request per candidate username, which
-- runs into the thousands for the default charset/maxlength.
categories  = { 'intrusive', 'discovery' }
runlevel    = 1.0

-- Run against ports 80/443 or anything version-detected as http/https.
portrule = shortport.port_or_service({ 80, 443 }, { 'http', 'https' })


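-- Candidate alphabet.  The wider alternative must stay on ONE comment line:
-- when it is wrapped, the continuation becomes a bare string statement,
-- which is a Lua syntax error and stops the script from loading at all.
--charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.,-_"
charset = "abcdefghijklmnopqrstuvwxyz"

-- Odometer state for IncUser(): the candidate currently being tried.
-- Deliberately global, because IncUser() reads and writes it directly.
username = ''

-- Longest candidate tried.  With 26 symbols that is 26 + 676 + 17576 =
-- 18,278 HTTP requests per target; raising it to 4 adds another 456,976.
maxlength = 3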

-- Return `instring` with the character at 1-based `pos` swapped for `newchar`.
-- Everything before and after that position is kept.  string.sub tolerates
-- out-of-range indices, so pos == 1 yields an empty head and a pos beyond the
-- end simply appends `newchar`.
local function replacechar(instring, pos, newchar)
        local head = string.sub(instring, 1, pos - 1)
        local tail = string.sub(instring, pos + 1)
        return head .. newchar .. tail
end

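-- Advance the script-level global `username` one step, treating it as an
-- odometer over `charset` with position 1 as the least significant digit:
-- "" -> "a" -> ... -> "z" -> "aa" -> "ba" -> ... -> "zz" -> "aaa" -> ...
-- Call with position == 1; larger positions are used only by the carry
-- recursion.  Returns the new value of `username` (which it also writes).
-- Note: `username` and `charset` are script globals, so every target this
-- script runs against shares them.
local function IncUser(position)
        local userchar = string.sub(username, position, position)
        if userchar == '' then
                -- Carried past the end of the string: grow it by one
                -- character set to the first symbol of charset.
                username = string.sub(username, 1, position) ..
                        string.sub(charset, 1, 1)
        elseif userchar == string.sub(charset, -1) then
                -- Last symbol at this position: wrap back to the first and
                -- carry into the next (more significant) position.
                username = replacechar(username, position,
                        string.sub(charset, 1, 1))
                IncUser(position + 1)
        else
                -- Plain (non-pattern) search: a charset containing pattern
                -- magic such as '.' -- the wider alphabet commented out
                -- above -- would otherwise match the wrong position.
                -- `local` so this does not leak as a global.
                local curchar = string.find(charset, userchar, 1, true)
                if not curchar then
                        error("IncUser: '" .. userchar .. "' is not in charset")
                end
                username = replacechar(username, position,
                        string.sub(charset, curchar + 1, curchar + 1))
        end
        return username
end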

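-- Run once per matching port; returns the text shown in the scan output.
--
-- Detection heuristic: with Apache's UserDir enabled, /~<user> answers 403
-- when the account exists (home directory present, nothing servable) and 404
-- when it does not.  /~root is the canary because that account exists on
-- essentially every Unix-like host.
action = function(host, port)
        local answer = http.get(host, port, "/~root")
        -- http.get may come back without a status on a connection failure;
        -- treat that like a non-403 instead of indexing into nil.
        if not answer or answer.status ~= 403 then
                return "No Root User Found"
        end

        -- False-positive guard: a server (or WAF) that answers 403 to every
        -- /~name would make every candidate below look like a valid user.
        -- Probe a name far outside the candidate space before enumerating.
        local sentinel = "zqxjkvwqzxjkvw"
        local probe = http.get(host, port, "/~" .. sentinel)
        if probe and probe.status == 403 then
                return "Root user found.  /~" .. sentinel .. " also returned 403,"
                        .. " so the server forbids arbitrary ~user paths; not enumerating."
        end

        -- The odometer state is the script-level global `username` (see
        -- IncUser).  Reset it: otherwise a second target -- e.g. port 443
        -- after port 80 on the same host -- inherits the finished enumeration
        -- and the loop below never runs.  Being a shared global it can still
        -- be clobbered by concurrently scanned targets; threading the state
        -- through IncUser would be the complete fix.
        username = ''

        local pieces = { "Root user found.  " }
        -- Advance, then check the length, then request.  Incrementing inside
        -- the loop before the request made the final pass try one candidate
        -- of maxlength + 1 characters.
        IncUser(1)
        while string.len(username) <= maxlength do
                local reply = http.get(host, port, "/~" .. username)
                if reply and reply.status == 403 then
                        pieces[#pieces + 1] = " User found " .. username .. "."
                end
                IncUser(1)
        end
        return table.concat(pieces)
end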

