Difference between revisions of "Brute-Force with NMAP"

From Embedded Lab Vienna for IoT & Security
(JPDoe moved page Brute-Force with NMAP to Delete 1: No rights to delete)
Tag: New redirect
 
(Removed redirect to Delete 1)
Tag: Removed redirect
== Summary ==
 
Nmap ("Network Mapper") is a free and open source utility for network discovery and security auditing. Nmap can also be used for simple online password-guessing (brute-force) attacks against a service, by passing the '''--script''' parameter with the desired script, for example '''telnet-brute.nse''', and supplying the corresponding values for '''userdb''' and '''passdb''' with the additional '''--script-args''' parameter.
 
== Requirements ==
 
=== macOS ===
 
  # Homebrew: The missing package manager for macOS (or Linux)
  /usr/bin/ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)"
 
  # nmap
  brew install nmap
 
----
 
=== Linux ===
  # CentOS
  yum install nmap
 
  # Debian
  apt-get install nmap
 
  # Ubuntu
  sudo apt install nmap
 
== Description ==
 
The Nmap Scripting Engine (NSE) allows users to write and share simple scripts in the Lua programming language to automate a variety of networking tasks. These scripts are executed in parallel with the speed and efficiency expected from Nmap. NSE can even be used for vulnerability exploitation. The currently defined [https://nmap.org/book/nse-usage.html#nse-categories categories] are '''auth''', '''broadcast''', '''default''', '''discovery''', '''dos''', '''exploit''', '''external''', '''fuzzer''', '''intrusive''', '''malware''', '''safe''', '''version''', and '''vuln'''.
 
List all available nmap brute-force scripts online (''70 results as of 28 November 2019''):
  curl https://svn.nmap.org/nmap/scripts/ 2>/dev/null | grep brute |  cut -d '"' -f2 | sort
 
  afp-brute.nse                   irc-brute.nse                 pgsql-brute.nse
  ajp-brute.nse                   irc-sasl-brute.nse            pop3-brute.nse
  backorifice-brute.nse           iscsi-brute.nse               redis-brute.nse
  cassandra-brute.nse             ldap-brute.nse                rexec-brute.nse
  cics-user-brute.nse             membase-brute.nse             rlogin-brute.nse
  citrix-brute-xml.nse            metasploit-msgrpc-brute.nse   rpcap-brute.nse
  cvs-brute-repository.nse        metasploit-xmlrpc-brute.nse   rsync-brute.nse
  cvs-brute.nse                   mikrotik-routeros-brute.nse   rtsp-url-brute.nse
  deluge-rpc-brute.nse            mmouse-brute.nse              sip-brute.nse
  dicom-brute.nse                 mongodb-brute.nse             smb-brute.nse
  dns-brute.nse                   ms-sql-brute.nse              smtp-brute.nse
  domcon-brute.nse                mysql-brute.nse               snmp-brute.nse
  dpap-brute.nse                  nessus-brute.nse              socks-brute.nse
  drda-brute.nse                  nessus-xmlrpc-brute.nse       ssh-brute.nse
  ftp-brute.nse                   netbus-brute.nse              svn-brute.nse
  http-brute.nse                  nexpose-brute.nse             telnet-brute.nse
  http-form-brute.nse             nje-node-brute.nse            tso-brute.nse
  http-iis-short-name-brute.nse   nje-pass-brute.nse            vmauthd-brute.nse
  http-joomla-brute.nse           nping-brute.nse               vnc-brute.nse
  http-proxy-brute.nse            omp2-brute.nse                xmpp-brute.nse
  http-wordpress-brute.nse        openvas-otp-brute.nse
  iax2-brute.nse                  oracle-brute-stealth.nse
  imap-brute.nse                  oracle-brute.nse
  informix-brute.nse              oracle-sid-brute.nse
  ipmi-brute.nse                  pcanywhere-brute.nse
 
Download SSH-brute script:
  wget https://svn.nmap.org/nmap/scripts/ssh-brute.nse
 
Example usage and results (the ''.nse'' suffix can be omitted when naming a script for execution; '''-A''' enables the aggressive scan options, and the standard nmap '''-T<0-5>''' timing template can additionally be used to set how aggressively the scan is timed):
 
  nmap -p '''$PORT''' -A --script '''$SCRIPT''' --script-args userdb='''$USER_LIST''',passdb='''$PASS_LIST''' '''$TARGET'''
     
      -- @output
      -- 22/ssh open  ssh
      -- | ssh-brute:
      -- |  Accounts
      -- |    username:password
      -- |  Statistics
      -- |_  Performed 32 guesses in 25 seconds.
      --
      -- @args ssh-brute.timeout    Connection timeout (default: "5s")
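Once such an audit has run against a lab network, the interesting part of the normal output (-oN) is the per-host '''Accounts'''/'''Statistics''' block shown above. The following shell snippet is an added example (not part of the original page or of nmap) that turns that output into a remediation list; it assumes the two layouts in the constructed sample, the one shown in the @output comment above and the inline ''Accounts:''/''Statistics:'' variant, and the hosts, credentials and timings are made up.

```shell
# Added example: summarise ssh-brute results from nmap normal output (-oN)
# into a per-host table and a list of accounts that still use weak passwords.

# Constructed sample, not real scan data: host one uses the @output layout
# shown on this page, host two the inline "Accounts:"/"Statistics:" layout.
SAMPLE_NMAP_OUTPUT='Nmap scan report for 192.0.2.10
22/tcp open  ssh
| ssh-brute:
|   Accounts
|     admin:admin
|     pi:raspberry
|   Statistics
|_    Performed 32 guesses in 25 seconds.

Nmap scan report for 192.0.2.11
22/tcp open  ssh
| ssh-brute:
|   Accounts: No valid accounts found
|_  Statistics: Performed 40 guesses in 31 seconds, average tps: 1.3
'

# Core parser; $1 selects "summary" (host, accounts found, guesses, seconds,
# tab separated) or "accounts" (host user:password per line). Reads stdin.
brute_parse() {
    awk -v mode="$1" '
    function flush() { if (mode == "summary" && host != "")
                           printf "%s\t%d\t%d\t%d\n", host, found, guesses, secs }
    /^Nmap scan report for / { flush(); host = $5; found = guesses = secs = in_acc = 0; next }
    /^\|[ _]* *Accounts/   { in_acc = 1; next }        # start of credential block
    /^\|[ _]* *Statistics/ { in_acc = 0 }              # end of credential block
    in_acc {                                           # "user:pass" is the first token
        cred = $0; sub(/^\|[ _]* */, "", cred); sub(/ .*$/, "", cred)
        if (index(cred, ":")) { found++; if (mode == "accounts") print host, cred }
    }
    match($0, /Performed [0-9]+ guesses in [0-9]+ seconds/) {
        split(substr($0, RSTART, RLENGTH), w, " "); guesses = w[2]; secs = w[5]
    }
    END { flush() }'
}

brute_summary()  { brute_parse summary; }
brute_accounts() { brute_parse accounts; }

# Stand-alone usage on a real run: nmap -oN scan.txt ... ; brute_summary < scan.txt
printf '%s' "$SAMPLE_NMAP_OUTPUT" | brute_summary
```

Every host that shows up in '''brute_accounts''' output is a device whose default or weak credential must be changed (or whose password login must be disabled) before it is put on the network.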
 
== Additional Information ==
=== macOS ===
Default user and password lists:
  /usr/local/Cellar/nmap/'''$NMAP_VERSION'''/share/nmap/nselib/data/user.lst
  /usr/local/Cellar/nmap/'''$NMAP_VERSION'''/share/nmap/nselib/data/pass.lst
 
View available scripts:
  ls -al /usr/local/Cellar/nmap/'''$NMAP_VERSION'''/share/nmap/scripts/
 
----
 
=== Linux ===
Default nmap home:
  /usr/share/nmap/
 
Find all available nmap scripts, if any (the pattern is quoted so the shell does not expand it):
  find / -name "*.nse" 2>/dev/null
 
Find default nmap files if any:
  find / -type f \( -name "ssh-brute.nse" -o -name "pass.lst" -o -name "user.lst" \) 2>/dev/null
 
== Used Hardware ==
 
[[MacBook Pro (15-inch, 2017), macOS 10.14, 2,8GHz Intel Core i7, 16GB LPDDR3]]
 
== References ==
 
* https://brew.sh
* https://www.lua.org/
* https://nmap.org/nsedoc/scripts/
* https://nmap.org/nsedoc/scripts/ssh-brute.html
* https://nmap.org/nsedoc/lib/unpwdb.html#script-args
* https://nmap.org/book/nse-usage.html#nse-categories
* https://nmap.org/book/man-nse.html
* https://svn.nmap.org/nmap/scripts/
 
[[Category:Documentation]]

Revision as of 12:03, 6 February 2020
