Nmap Development mailing list archives
Re: [NSE] new scripts and libraries: svn
From: Patrik Karlsson <patrik () cqure net>
Date: Wed, 18 Aug 2010 22:51:33 +0200
On 18 aug 2010, at 19.29, David Fifield wrote:
> On Sun, Aug 08, 2010 at 05:31:36PM +0200, Patrik Karlsson wrote:
> > x svn-brute - performs password guessing against subversion
>
> I set up a repository to test this
>
> $ svnadmin create /home/david/repos
> $ svn import docs file:///home/david/repos/docs
> $ svnserve -d -r /home/david/repos
>
> The default svnserve.conf settings are
>
> [general]
> # anon-access = read
> # auth-access = write
> # password-db = passwd
> # authz-db = authz
>
> With these settings, the script doesn't find valid credentials (which makes sense) and then quits because of retries.
Well, it shouldn't quit that ugly, and according to my testing the above now equals anonymous access. This should be addressed now; the script should report:

Scanned at 2010-08-18 22:07:17 CEST for 0s
PORT     STATE SERVICE REASON
3690/tcp open  svn     syn-ack
| svn-brute:
|_  Anonymous SVN detected, no authentication needed

Final times for host: srtt: 1211 rttvar: 3494 to: 100000
> $ ./nmap --datadir . --script svn-brute -p 3690 192.168.0.2 -Pn -n --script-args svn-brute.repo=docs
>
> Starting Nmap 5.35DC18 ( http://nmap.org ) at 2010-08-18 10:46 MDT
> Warning: File ./nmap-services exists, but Nmap is using /usr/share/nmap/nmap-services for security and consistency reasons. set NMAPDIR=. to give priority to files in your local directory (may affect the other data files too).
> Nmap scan report for 192.168.0.2
> Host is up (0.00054s latency).
> PORT     STATE SERVICE
> 3690/tcp open  svn
> | svn-brute:
> |   Accounts
> |     No valid accounts found
> |   Statistics
> |     Perfomed 28240 guesses in 41 seconds, average tps: 695
> |
> |_  ERROR: Too many retries, aborted ...
>
> Nmap done: 1 IP address (1 host up) scanned in 41.92 seconds
>
> I get the same output after changing to
>
> [general]
> anon-access = write
> # auth-access = write
> # password-db = passwd
> # authz-db = authz
This should report the same result as above.
> I suggest that the script should report if anonymous reading or writing is allowed, if that's easy to test.
I don't know, I need to research this a bit more.
> I then changed to this:
>
> [general]
> anon-access = read
> auth-access = write
> password-db = passwd
> # authz-db = authz
>
> passwd contains
>
> [users]
> root = 123456
>
> Running the same command, I get the same output. "Perfomed 28240 guesses in 44 seconds, average tps: 659. ERROR: Too many retries, aborted ..."
Again, this will report the same results as above, as anonymous is supported. However, the script can be forced to run using svn-brute.force.
> Finally, after changing to
>
> [general]
> anon-access = none
> auth-access = write
> password-db = passwd
> # authz-db = authz
>
> I get the output
>
> $ ./nmap --datadir . --script svn-brute -p 3690 192.168.0.2 -Pn -n --script-args svn-brute.repo=docs,brute.firstonly=1
>
> Starting Nmap 5.35DC18 ( http://nmap.org ) at 2010-08-18 11:19 MDT
> Nmap scan report for 192.168.0.2
> Host is up (0.0033s latency).
> PORT     STATE SERVICE
> 3690/tcp open  svn
> | svn-brute:
> |   Accounts
> |     root:123456 => Login correct
> |   Statistics
> |_    Perfomed 30 guesses in 1 seconds, average tps: 30
>
> Nmap done: 1 IP address (1 host up) scanned in 0.44 seconds
>
> Why does the anon-access setting affect whether the script works?
This was because the match for the authentication mechanism was made too late.
> I am also intrigued by this bit of code:
>
> if ( msg:match("Username not found") ) then
>     return false, "Username not found"
> elseif ( msg:match("success") ) then
>     return true, "Authentication success"
> else
>     return false, "Authentication failed"
> end
>
> Does the protocol let you eliminate invalid user names without guessing passwords? (I mean, do you get a different response when guessing a nonexistent user name versus guessing the wrong password for an existent user name?) If so, we should take advantage of it.
We do now; it should have been so before as well but contained a bug. However, when running the script it will still appear as if you're guessing passwords against all accounts. The reason for this is that the "Guessing ..." debug message is printed by the brute engine and the guess is cancelled by the driver.
> Please commit the script and make it report when anonymous access is allowed.
Done, it's committed as r19875. Thanks for the thorough test, I should have done a better initial test, sorry for that. Btw, is there a way to discover the repositories a specific service has by using the svn command? If not, we could write a brute script for that too, I guess.
> David Fifield
//Patrik
--
Patrik Karlsson
http://www.cqure.net
http://www.twitter.com/nevdull77

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/