Brute-Force with NMAP
Summary
Nmap ("Network Mapper") is a free and open source utility for network discovery and security auditing. Nmap can also be used for simple online brute-force attacks: pass the desired script (for example telnet-brute.nse) with the --script parameter and the corresponding userdb and passdb values with the additional --script-args parameter.
$ nmap -p $PORT -A --script $SCRIPT --script-args userdb=$USER_LIST,passdb=$PASS_LIST $TARGET
Requirements
NMAP
Operating System | Command |
---|---|
Debian | apt-get install nmap |
Ubuntu | sudo apt install nmap |
CentOS | yum install nmap |
macOS | brew install nmap |

On macOS, install Homebrew first if it is not present:
$ /usr/bin/ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)"
Description
The Nmap Scripting Engine (NSE) allows users to write and share simple scripts in the Lua programming language to automate a variety of networking tasks. Those scripts are executed in parallel with the speed and efficiency expected from Nmap. NSE can even be used for vulnerability exploitation. Currently defined categories are auth, broadcast, default, discovery, dos, exploit, external, fuzzer, intrusive, malware, safe, version, and vuln. The brute-force scripts shipped with Nmap can be listed straight from the script repository:
$ curl https://svn.nmap.org/nmap/scripts/ 2>/dev/null | grep brute | cut -d '"' -f2 | sort
afp-brute.nse                  irc-brute.nse                 pgsql-brute.nse
ajp-brute.nse                  irc-sasl-brute.nse            pop3-brute.nse
backorifice-brute.nse          iscsi-brute.nse               redis-brute.nse
cassandra-brute.nse            ldap-brute.nse                rexec-brute.nse
cics-user-brute.nse            membase-brute.nse             rlogin-brute.nse
citrix-brute-xml.nse           metasploit-msgrpc-brute.nse   rpcap-brute.nse
cvs-brute-repository.nse       metasploit-xmlrpc-brute.nse   rsync-brute.nse
cvs-brute.nse                  mikrotik-routeros-brute.nse   rtsp-url-brute.nse
deluge-rpc-brute.nse           mmouse-brute.nse              sip-brute.nse
dicom-brute.nse                mongodb-brute.nse             smb-brute.nse
dns-brute.nse                  ms-sql-brute.nse              smtp-brute.nse
domcon-brute.nse               mysql-brute.nse               snmp-brute.nse
dpap-brute.nse                 nessus-brute.nse              socks-brute.nse
drda-brute.nse                 nessus-xmlrpc-brute.nse       ssh-brute.nse
ftp-brute.nse                  netbus-brute.nse              svn-brute.nse
http-brute.nse                 nexpose-brute.nse             telnet-brute.nse
http-form-brute.nse            nje-node-brute.nse            tso-brute.nse
http-iis-short-name-brute.nse  nje-pass-brute.nse            vmauthd-brute.nse
http-joomla-brute.nse          nping-brute.nse               vnc-brute.nse
http-proxy-brute.nse           omp2-brute.nse                xmpp-brute.nse
http-wordpress-brute.nse       openvas-otp-brute.nse
iax2-brute.nse                 oracle-brute-stealth.nse
imap-brute.nse                 oracle-brute.nse
informix-brute.nse             oracle-sid-brute.nse
ipmi-brute.nse                 pcanywhere-brute.nse
Example
Usage and results of the NMAP ssh-brute script. The sample result below is the one documented in the script's own header (its @output block), which also lists the script-specific ssh-brute.timeout argument.

# Download SSH-brute script
$ wget https://svn.nmap.org/nmap/scripts/ssh-brute.nse

# Commandline
$ nmap -p $PORT -A --script $SCRIPT --script-args userdb=$USER_LIST,passdb=$PASS_LIST $TARGET

-- @output
-- 22/ssh open ssh
-- | ssh-brute:
-- |   Accounts
-- |     username:password
-- |   Statistics
-- |_    Performed 32 guesses in 25 seconds.
--
-- @args ssh-brute.timeout    Connection timeout (default: "5s")
Additional Information
Linux
Description | Command |
---|---|
Default home | /usr/share/nmap/ |
Available scripts (if any) | find / -name "*.nse" 2>/dev/null |
Default files (if any) | find / -type f \( -name "ssh-brute.nse" -o -name "pass.lst" -o -name "user.lst" \) 2>/dev/null |
macOS
Description | Command |
---|---|
Default user list | /usr/local/Cellar/nmap/$NMAP_VERSION/share/nmap/nselib/data/user.lst |
Default password list | /usr/local/Cellar/nmap/$NMAP_VERSION/share/nmap/nselib/data/pass.lst |
Available scripts (if any) | ls -al /usr/local/Cellar/nmap/$NMAP_VERSION/share/nmap/scripts/ |
Used Hardware
MacBook Pro (15-inch, 2017), macOS 10.14, 2,8GHz Intel Core i7, 16GB LPDDR3