Brute-Force with NMAP

From Embedded Lab Vienna for IoT & Security

Summary

Nmap ("Network Mapper") is a free and open source utility for network discovery and security auditing. Nmap can also be used for simple online password-guessing attacks: pass the desired script (e.g. telnet-brute.nse) with the --script parameter, and the corresponding user and password lists as the userdb and passdb values of the additional --script-args parameter.

Requirements

macOS

  # Homebrew: The missing package manager for macOS (or Linux)
  /usr/bin/ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)"
  # nmap
  brew install nmap

Linux

  # CentOS
  yum install nmap
  # Debian
  apt-get install nmap
  # Ubuntu
  sudo apt install nmap

Description

The Nmap Scripting Engine (NSE) allows users to write and share simple scripts in the Lua programming language to automate a variety of networking tasks. Those scripts are executed in parallel, with the speed and efficiency expected from Nmap. NSE can even be used for vulnerability exploitation. The currently defined script categories are auth, broadcast, default, discovery, dos, exploit, external, fuzzer, intrusive, malware, safe, version, and vuln.

List all nmap brute-force scripts available online (70 results as of 28 November 2019):

  curl https://svn.nmap.org/nmap/scripts/ 2>/dev/null | grep brute | cut -d '"' -f2 | sort
  afp-brute.nse                   irc-brute.nse                 pgsql-brute.nse
  ajp-brute.nse                   irc-sasl-brute.nse            pop3-brute.nse
  backorifice-brute.nse           iscsi-brute.nse               redis-brute.nse
  cassandra-brute.nse             ldap-brute.nse                rexec-brute.nse
  cics-user-brute.nse             membase-brute.nse             rlogin-brute.nse
  citrix-brute-xml.nse            metasploit-msgrpc-brute.nse   rpcap-brute.nse
  cvs-brute-repository.nse        metasploit-xmlrpc-brute.nse   rsync-brute.nse
  cvs-brute.nse                   mikrotik-routeros-brute.nse   rtsp-url-brute.nse
  deluge-rpc-brute.nse            mmouse-brute.nse              sip-brute.nse
  dicom-brute.nse                 mongodb-brute.nse             smb-brute.nse
  dns-brute.nse                   ms-sql-brute.nse              smtp-brute.nse
  domcon-brute.nse                mysql-brute.nse               snmp-brute.nse
  dpap-brute.nse                  nessus-brute.nse              socks-brute.nse
  drda-brute.nse                  nessus-xmlrpc-brute.nse       ssh-brute.nse
  ftp-brute.nse                   netbus-brute.nse              svn-brute.nse
  http-brute.nse                  nexpose-brute.nse             telnet-brute.nse
  http-form-brute.nse             nje-node-brute.nse            tso-brute.nse
  http-iis-short-name-brute.nse   nje-pass-brute.nse            vmauthd-brute.nse
  http-joomla-brute.nse           nping-brute.nse               vnc-brute.nse
  http-proxy-brute.nse            omp2-brute.nse                xmpp-brute.nse
  http-wordpress-brute.nse        openvas-otp-brute.nse         
  iax2-brute.nse                  oracle-brute-stealth.nse      
  imap-brute.nse                  oracle-brute.nse              
  informix-brute.nse              oracle-sid-brute.nse          
  ipmi-brute.nse                  pcanywhere-brute.nse

Download the ssh-brute script:

  wget https://svn.nmap.org/nmap/scripts/ssh-brute.nse

Example usage and results (the .nse extension can be omitted when naming a script; -A enables aggressive scan options such as OS and version detection, and the standard nmap -T<0-5> flag sets the timing template, i.e. how aggressive the scan is):

  nmap -p $PORT -A --script $SCRIPT --script-args userdb=$USER_LIST,passdb=$PASS_LIST $TARGET

Expected output and script arguments, as documented in the NSEdoc header of ssh-brute.nse:

  -- @output
  -- 22/ssh open  ssh
  -- | ssh-brute:
  -- |  Accounts
  -- |    username:password
  -- |  Statistics
  -- |_   Performed 32 guesses in 25 seconds.
  --
  -- @args ssh-brute.timeout    Connection timeout (default: "5s")
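Added example (not from the original page or from the Nmap project): a small Python parser for the text report format shown above, which turns the Accounts and Statistics sections into structured data so that guessed credentials end up on a remediation list instead of only on the terminal. The sample report is constructed; its "- Valid credentials" suffix and "average tps" figure follow the output format of Nmap's brute library, which ssh-brute uses.

```python
"""Parse the text report of an Nmap *-brute script (e.g. ssh-brute) into
structured data, so that guessed credentials end up in a remediation list."""
import re

# Constructed sample, shaped like the @output block in the ssh-brute.nse header.
SAMPLE_REPORT = """\
22/tcp open  ssh
| ssh-brute:
|   Accounts
|     admin:admin - Valid credentials
|     pi:raspberry - Valid credentials
|   Statistics
|_    Performed 32 guesses in 25 seconds, average tps: 1.3
"""
SCRIPT_RE = re.compile(r"^\|\s+(\S*brute\S*):\s*$")
GUESS_RE = re.compile(r"Performed (\d+) guesses in (\d+) seconds")

def _strip_prefix(line):
    """Drop the '| ' / '|_' decoration Nmap puts in front of script output."""
    return re.sub(r"^\|_?\s*", "", line).strip()

def parse_brute_output(report):
    """Return one dict per script block: {script, accounts, guesses, seconds}."""
    results, cur, section = [], None, None
    for raw in report.splitlines():
        m = SCRIPT_RE.match(raw)
        if m:
            cur = {"script": m.group(1), "accounts": [], "guesses": 0, "seconds": 0}
            results.append(cur)
            section = None
            continue
        if cur is None or not raw.startswith("|"):
            continue
        line = _strip_prefix(raw)
        if line.startswith("Accounts"):    # "Accounts: No valid accounts found" lands here too
            section = "accounts"
        elif line.startswith("Statistics"):
            section = "stats"
        elif section == "accounts" and ":" in line:
            user, _, pw = line.split(" - ")[0].partition(":")  # drop "- Valid credentials"
            cur["accounts"].append((user, pw))
        elif section == "stats" and (g := GUESS_RE.search(line)):
            cur["guesses"], cur["seconds"] = int(g.group(1)), int(g.group(2))
        if raw.startswith("|_"):           # "|_" closes this script's block
            cur, section = None, None
    return results

def weak_accounts(report):
    """Usernames whose password was guessed, i.e. the remediation list."""
    return sorted(u for r in parse_brute_output(report) for u, _ in r["accounts"])
```

For machine processing of real scans, nmap's XML output (-oX) is the more robust source; this parser is for the plain text report the page shows.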

Additional Information

macOS

Default user and password lists:

  /usr/local/Cellar/nmap/$NMAP_VERSION/share/nmap/nselib/data/user.lst
  /usr/local/Cellar/nmap/$NMAP_VERSION/share/nmap/nselib/data/pass.lst

View available scripts:

  ls -al /usr/local/Cellar/nmap/$NMAP_VERSION/share/nmap/scripts/

Linux

Default nmap data directory:

  /usr/share/nmap/

Find all available nmap scripts, if any (the pattern is quoted so the shell does not expand it):

  find / -name "*.nse" 2>/dev/null

Find the default nmap files (ssh-brute script and word lists), if any:

  find / -type f \( -name "ssh-brute.nse" -o -name "pass.lst" -o -name "user.lst" \) 2>/dev/null

Used Hardware

MacBook Pro (15-inch, 2017), macOS 10.14, 2.8 GHz Intel Core i7, 16 GB LPDDR3
