Brute-Force with NMAP

From Embedded Lab Vienna for IoT & Security

Summary

Nmap ("Network Mapper") is a free and open source utility for network discovery and security auditing. Nmap can also be used for simple online attacks by passing the --script parameter with the desired script (for example telnet-brute.nse) together with the corresponding userdb and passdb values in the additional --script-args parameter.

$ nmap -p $PORT -A --script $SCRIPT --script-args userdb=$USER_LIST,passdb=$PASS_LIST $TARGET

Requirements

NMAP

Operating System   Command
Debian             apt-get install nmap
Ubuntu             sudo apt install nmap
CentOS             yum install nmap
macOS              brew install nmap
                   Homebrew: The missing package manager for macOS (or Linux)
                   /usr/bin/ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)"

Description

The Nmap Scripting Engine (NSE) allows users to write and share simple scripts in the Lua programming language to automate a variety of networking tasks. Those scripts are executed in parallel with the speed and efficiency expected from Nmap. NSE can even be used for vulnerability exploitation. Currently defined categories are auth, broadcast, default, discovery, dos, exploit, external, fuzzer, intrusive, malware, safe, version, and vuln.

NMAP: List all available brute-force scripts (70 Results: 28. November 2019):
$ curl https://svn.nmap.org/nmap/scripts/ 2>/dev/null | grep brute |  cut -d '"' -f2 | sort

 afp-brute.nse                   irc-brute.nse                 pgsql-brute.nse
 ajp-brute.nse                   irc-sasl-brute.nse            pop3-brute.nse
 backorifice-brute.nse           iscsi-brute.nse               redis-brute.nse
 cassandra-brute.nse             ldap-brute.nse                rexec-brute.nse
 cics-user-brute.nse             membase-brute.nse             rlogin-brute.nse
 citrix-brute-xml.nse            metasploit-msgrpc-brute.nse   rpcap-brute.nse
 cvs-brute-repository.nse        metasploit-xmlrpc-brute.nse   rsync-brute.nse
 cvs-brute.nse                   mikrotik-routeros-brute.nse   rtsp-url-brute.nse
 deluge-rpc-brute.nse            mmouse-brute.nse              sip-brute.nse
 dicom-brute.nse                 mongodb-brute.nse             smb-brute.nse
 dns-brute.nse                   ms-sql-brute.nse              smtp-brute.nse
 domcon-brute.nse                mysql-brute.nse               snmp-brute.nse
 dpap-brute.nse                  nessus-brute.nse              socks-brute.nse
 drda-brute.nse                  nessus-xmlrpc-brute.nse       ssh-brute.nse
 ftp-brute.nse                   netbus-brute.nse              svn-brute.nse
 http-brute.nse                  nexpose-brute.nse             telnet-brute.nse
 http-form-brute.nse             nje-node-brute.nse            tso-brute.nse
 http-iis-short-name-brute.nse   nje-pass-brute.nse            vmauthd-brute.nse
 http-joomla-brute.nse           nping-brute.nse               vnc-brute.nse
 http-proxy-brute.nse            omp2-brute.nse                xmpp-brute.nse
 http-wordpress-brute.nse        openvas-otp-brute.nse
 iax2-brute.nse                  oracle-brute-stealth.nse
 imap-brute.nse                  oracle-brute.nse
 informix-brute.nse              oracle-sid-brute.nse
 ipmi-brute.nse                  pcanywhere-brute.nse

Example

Usage and results of the NMAP SSH-brute script.

# Download SSH-brute script
$ wget https://svn.nmap.org/nmap/scripts/ssh-brute.nse

# Commandline
$ nmap -p $PORT -A --script $SCRIPT --script-args userdb=$USER_LIST,passdb=$PASS_LIST $TARGET

-- @output
-- 22/ssh open  ssh
-- | ssh-brute:
-- |  Accounts
-- |    username:password
-- |  Statistics
-- |_   Performed 32 guesses in 25 seconds.
--
-- @args ssh-brute.timeout    Connection timeout (default: "5s")
Note: The .nse extension can be omitted from the script name when running it (--script ssh-brute), and the standard nmap -T timing template is what sets the aggressiveness of the scan.
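The Accounts and Statistics sections shown in the @output block above are plain text, which is awkward to feed into a findings report. As an added example (not part of the original page and not Nmap's own code), here is a small Python parser for that output format that extracts the port, the script name, each reported account and the guess statistics, and derives the list of usernames that need a password reset. The sample text is constructed for this example, modelled on the documented output; the trailing "- Valid credentials" note per account is assumed to be optional.

```python
import re
from dataclasses import dataclass, field

# Constructed sample, modelled on the @output block of ssh-brute.nse.
# Credentials here are made up for the example.
SAMPLE_OUTPUT = """\
22/tcp open  ssh
| ssh-brute:
|   Accounts
|     admin:admin - Valid credentials
|     pi:raspberry - Valid credentials
|   Statistics
|_    Performed 32 guesses in 25 seconds, average tps: 1.3
"""

# "user:password" with an optional " - note" suffix, as the brute library prints it
ACCOUNT_RE = re.compile(r"^([^:\s]+):(\S*)(?:\s+-\s+(.*))?$")
STATS_RE = re.compile(r"Performed\s+(\d+)\s+guesses\s+in\s+(\d+)\s+seconds")
PORT_RE = re.compile(r"^(\d+/\w+)\s+open")


@dataclass
class BruteResult:
    port: str = ""
    script: str = ""
    accounts: list = field(default_factory=list)  # (user, password, note)
    guesses: int = 0
    seconds: int = 0


def parse_brute_output(text: str) -> BruteResult:
    """Parse the script-output block of an Nmap *-brute script into a BruteResult."""
    result = BruteResult()
    section = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.startswith("|"):
            # Port line such as "22/tcp open  ssh" precedes the script block
            m = PORT_RE.match(line)
            if m:
                result.port = m.group(1)
            continue
        # Strip the "| " / "|_ " tree prefix Nmap uses for script output
        body = line.lstrip("|_").strip()
        if body.endswith("-brute:"):
            result.script = body[:-1]
            continue
        if body in ("Accounts", "Statistics"):
            section = body
            continue
        if section == "Accounts":
            m = ACCOUNT_RE.match(body)
            if m:  # "No valid accounts found" does not match and is skipped
                result.accounts.append((m.group(1), m.group(2), m.group(3) or ""))
        elif section == "Statistics":
            m = STATS_RE.search(body)
            if m:
                result.guesses, result.seconds = int(m.group(1)), int(m.group(2))
    return result


def accounts_to_reset(result: BruteResult) -> list:
    """Sorted unique usernames whose password was guessed, for the remediation ticket."""
    return sorted({user for user, _, _ in result.accounts})


if __name__ == "__main__":
    r = parse_brute_output(SAMPLE_OUTPUT)
    print(f"{r.script} on {r.port}: {r.guesses} guesses in {r.seconds}s")
    for user in accounts_to_reset(r):
        print(f"  reset password for: {user}")
```

The parser only depends on the tree prefix ("| ", "|_ ") and the two section names, so it works unchanged for the other *-brute scripts that use the shared brute library output, and it ignores the "No valid accounts found" line instead of treating it as an account.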

Additional Information

Linux

Description                  Command
Default home                 /usr/share/nmap/
Available scripts (if any)   find / -name "*.nse" 2>/dev/null
Default files (if any)       find / -type f \( -name "ssh-brute.nse" -o -name "pass.lst" -o -name "user.lst" \) 2>/dev/null

macOS

Description                   Command
Default user/password lists   /usr/local/Cellar/nmap/$NMAP_VERSION/share/nmap/nselib/data/user.lst
                              /usr/local/Cellar/nmap/$NMAP_VERSION/share/nmap/nselib/data/pass.lst
Available scripts (if any)    ls -al /usr/local/Cellar/nmap/$NMAP_VERSION/share/nmap/scripts/

Used Hardware

MacBook Pro (15-inch, 2017), macOS 10.14, 2,8GHz Intel Core i7, 16GB LPDDR3
