First Stab at NSE scripting
From: Mark Baggett <mark.baggett () morris com>
Date: Sat, 28 Jun 2008 16:58:11 -0400
Here is my first attempt at putting together a nse script. I'm sure there is a more elegant way to handle the strings and a way to multi-thread the network request to speed it up. But hey, I threw it together in 3 hours without any LUA coding experience so cut me a little slack. The following nse script will look for /~root on the server to see if the USERDIR Directive is enabled. If it finds a /~root directory it will brute force the users based upon variable CHARSET and MAXLENGTH. Your feedback is appreciated. More info here: http://markremark.blogspot.com/2008/06/first-stab-at-nse-scripting.html http://markremark.blogspot.com/ Script:
-- HTTPApacheUsers: requests /~root to learn whether Apache answers for
-- per-user home directories (UserDir), then walks every string of length
-- 1..maxlength over `charset` and reports each /~<name> that returns
-- HTTP 403. The 403-vs-anything-else status is the only signal used, so a
-- server that answers with the same status for existing and non-existing
-- users gives the script nothing to distinguish.
--
-- Defender notes: with the default charset (26 letters) and maxlength 3 the
-- loop below issues 26 + 26^2 + 26^3 = 18278 sequential GETs (/~a, /~b, ...),
-- plus /~root and one over-length candidate -- an obvious access-log
-- signature. Disabling UserDir (Apache `UserDir disabled`) or serving a
-- uniform response for present and absent users removes the oracle.
require('shortport')
require('strbuf')   -- not referenced anywhere below
require('listop')   -- not referenced anywhere below
require('http')

id = "HTTPApacheUsers.txt"
author = "Mark Baggett <mbaggett () morris com>"
description = "Brute force usernames on Apache"
license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
categories = {"intrusive", "discovery"}
runlevel = 1.0
portrule = shortport.port_or_service({80,443}, {"http","https"})

-- Larger alternative charset, left commented out by the author:
--charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.,-_"
charset = "abcdefghijklmnopqrstuvwxyz"
-- `username` is the global counter state advanced by IncUser; it starts
-- empty so the first IncUser(1) yields the first charset character.
username = ''
maxlength = 3

-- Return `instring` with the character at 1-based index `pos` replaced by
-- `newchar`. If `pos` is past the end of the string, `newchar` is simply
-- appended (the two string.sub calls then yield the whole string and "").
local function replacechar( instring, pos, newchar)
  if pos == 1 then -- replace first character
    instring = newchar .. string.sub(instring,2)
  else -- replace mid or end character
    instring = string.sub(instring,1, pos-1) .. newchar .. string.sub(instring,pos+1)
  end
  return instring
end

-- Advance the global `username` by one step, treating it as a counter over
-- `charset` with the least-significant character at `position` (1 is the
-- leftmost). Three cases: the character at `position` does not exist yet
-- (append the first charset character, i.e. grow the string), it is the
-- last charset character (reset it and carry into position+1 recursively),
-- or it is anything else (move to the next charset character).
-- Returns the new `username` and also leaves it in the global.
local function IncUser(position)
  local userchar = string.sub(username, position, position)
  if userchar == '' then --the current character is Null add the first char from charset to the end
    username = string.sub(username, 1 ,position) .. string.sub(charset,1,1)
  elseif userchar == string.sub(charset,-1) then --Last char, Reset current char and Increment the next char
    username = replacechar(username, position, string.sub(charset,1,1))
    IncUser(position+1)
  else -- Just increment the current character
    -- `curchar` is not declared local, so it leaks into the global environment.
    curchar = string.find(charset, userchar)
    username = replacechar(username, position, string.sub(charset,curchar + 1,curchar+1))
  end
  return username
end

-- Script entry point. Returns a single report string: the fixed text when
-- /~root does not answer 403, otherwise "Root user found. " followed by one
-- " User found <name>." fragment per candidate that answered 403.
action = function(host, port)
  local output = "No Root User Found"
  local answer = http.get( host, port, "/~root")
  -- print(answer.body)
  -- NOTE(review): `answer` is indexed without a nil check; if http.get can
  -- return nil on a connection failure this raises -- confirm against the
  -- http library's contract.
  if answer.status == 403 then
    -- print("Root User Found. \r\n")
    output = "Root user found. "
    -- IncUser runs before the request, and the length test only after the
    -- request: the first carry past `maxlength` (e.g. "aaaa") is therefore
    -- still requested once before the loop ends.
    while string.len(username) <= maxlength do
      IncUser(1)
      tryme= "/~" .. username   -- `tryme` is likewise an undeclared global
      local answer = http.get( host, port, tryme)   -- shadows the outer `answer`
      -- print(answer.status)
      if answer.status == 403 then
        output = output .. " User found " .. username .. "."
        -- print(output)
      end
    end
  end
  return output
End -- NOTE(review): Lua's keyword is lowercase `end`; the capital here is presumably an archive artefact.
_______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://SecLists.Org