Brute-Force with NMAP
Summary
Nmap ("Network Mapper") is a free and open source utility for network discovery and security auditing. Nmap can also be used for simple online password-guessing attacks by passing the desired script (for example telnet-brute.nse) with the --script parameter and supplying the corresponding userdb and passdb values with the additional --script-args parameter.
Requirements
macOS
# Homebrew: The missing package manager for macOS (or Linux)
/usr/bin/ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)"
# nmap
brew install nmap
Linux
# CentOS
yum install nmap
# Debian
apt-get install nmap
# Ubuntu
sudo apt install nmap
Description
The Nmap Scripting Engine (NSE) allows users to write and share simple scripts in the Lua programming language to automate a variety of networking tasks. Those scripts are executed in parallel with the speed and efficiency expected from Nmap. NSE can even be used for vulnerability exploitation. Currently defined categories are auth, broadcast, default, discovery, dos, exploit, external, fuzzer, intrusive, malware, safe, version, and vuln.
List all available nmap brute-force scripts online (70 results as of 28 November 2019):
curl https://svn.nmap.org/nmap/scripts/ 2>/dev/null | grep brute | cut -d '"' -f2 | sort
afp-brute.nse
ajp-brute.nse
backorifice-brute.nse
cassandra-brute.nse
cics-user-brute.nse
citrix-brute-xml.nse
cvs-brute-repository.nse
cvs-brute.nse
deluge-rpc-brute.nse
dicom-brute.nse
dns-brute.nse
domcon-brute.nse
dpap-brute.nse
drda-brute.nse
ftp-brute.nse
http-brute.nse
http-form-brute.nse
http-iis-short-name-brute.nse
http-joomla-brute.nse
http-proxy-brute.nse
http-wordpress-brute.nse
iax2-brute.nse
imap-brute.nse
informix-brute.nse
ipmi-brute.nse
irc-brute.nse
irc-sasl-brute.nse
iscsi-brute.nse
ldap-brute.nse
membase-brute.nse
metasploit-msgrpc-brute.nse
metasploit-xmlrpc-brute.nse
mikrotik-routeros-brute.nse
mmouse-brute.nse
mongodb-brute.nse
ms-sql-brute.nse
mysql-brute.nse
nessus-brute.nse
nessus-xmlrpc-brute.nse
netbus-brute.nse
nexpose-brute.nse
nje-node-brute.nse
nje-pass-brute.nse
nping-brute.nse
omp2-brute.nse
openvas-otp-brute.nse
oracle-brute-stealth.nse
oracle-brute.nse
oracle-sid-brute.nse
pcanywhere-brute.nse
pgsql-brute.nse
pop3-brute.nse
redis-brute.nse
rexec-brute.nse
rlogin-brute.nse
rpcap-brute.nse
rsync-brute.nse
rtsp-url-brute.nse
sip-brute.nse
smb-brute.nse
smtp-brute.nse
snmp-brute.nse
socks-brute.nse
ssh-brute.nse
svn-brute.nse
telnet-brute.nse
tso-brute.nse
vmauthd-brute.nse
vnc-brute.nse
xmpp-brute.nse
Download SSH-brute script:
wget https://svn.nmap.org/nmap/scripts/ssh-brute.nse
Example usage and results (the .nse suffix can be omitted from the script name on execution, and the standard nmap -T timing-template flag is used to set how aggressive the scan is):
nmap -p $PORT -A --script $SCRIPT --script-args userdb=$USER_LIST,passdb=$PASS_LIST $TARGET
Sample output and arguments, as documented in the header of ssh-brute.nse:
-- @output
-- 22/ssh open  ssh
-- | ssh-brute:
-- |  Accounts
-- |    username:password
-- |  Statistics
-- |_   Performed 32 guesses in 25 seconds.
--
-- @args ssh-brute.timeout    Connection timeout (default: "5s")
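When a brute script is run as part of an authorised audit, the result that matters to the service owner is which accounts still accept a guessable password and must be rotated. Nmap writes the same Accounts and Statistics data shown above in structured form with -oX, which is easier to process than the text report. The following parser is an added example for this page, not code from Nmap or from the original author; the XML sample is constructed, and the element layout it assumes (a script element whose Accounts table holds one nested table per account with username, password and state elements) follows the NSE brute library's structured output as far as I know it, so verify it against a real -oX file before relying on it.

```python
"""Parse structured brute-script results out of an nmap -oX XML report.

Added example for this page, not part of Nmap. The element layout follows the
NSE brute library's structured output (assumption: verify against a real -oX
file); the sample report below is constructed.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List

# Constructed sample of what `nmap -p 22 --script ssh-brute -oX report.xml` may write.
# 192.0.2.10 is a documentation address; the accounts are invented.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -p 22 --script ssh-brute -oX report.xml 192.0.2.10">
  <host>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open"/>
        <service name="ssh"/>
        <script id="ssh-hostkey" output="2048 ... (RSA)"/>
        <script id="ssh-brute" output="...">
          <table key="Accounts">
            <table>
              <elem key="username">backup</elem>
              <elem key="password">backup</elem>
              <elem key="state">Valid credentials</elem>
            </table>
            <table>
              <elem key="username">deploy</elem>
              <elem key="password">deploy123</elem>
              <elem key="state">Valid credentials</elem>
            </table>
          </table>
          <elem key="Statistics">Performed 32 guesses in 25 seconds, average tps: 1.3</elem>
        </script>
      </port>
    </ports>
  </host>
</nmaprun>
"""


def parse_brute_results(xml_text: str) -> List[Dict[str, str]]:
    """Return one record per reported account: host, port, script, username, password, state."""
    root = ET.fromstring(xml_text)
    findings: List[Dict[str, str]] = []
    for host in root.iter("host"):
        addr_el = host.find("address")
        addr = addr_el.get("addr", "?") if addr_el is not None else "?"
        for port in host.iter("port"):
            portid = port.get("portid", "?")
            for script in port.findall("script"):
                script_id = script.get("id", "")
                if not script_id.endswith("-brute"):
                    continue  # only brute-library scripts carry an Accounts table
                accounts = script.find("table[@key='Accounts']")
                if accounts is None:
                    continue  # brute script ran but found nothing
                for acct in accounts.findall("table"):
                    rec = {"host": addr, "port": portid, "script": script_id}
                    for elem in acct.findall("elem"):
                        rec[elem.get("key", "")] = elem.text or ""
                    findings.append(rec)
    return findings


def summarize(findings: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Group valid accounts by host:port; usernames only, the passwords stay out of the report."""
    by_service: Dict[str, List[str]] = {}
    for f in findings:
        if f.get("state") != "Valid credentials":
            continue
        by_service.setdefault(f"{f['host']}:{f['port']}", []).append(f.get("username", "?"))
    return by_service


if __name__ == "__main__":
    results = parse_brute_results(SAMPLE_XML)
    for service, users in summarize(results).items():
        print(f"{service}: {len(users)} account(s) with guessable passwords: {', '.join(users)}")
```

The summary deliberately drops the passwords: the action item for the owner is to rotate the listed accounts, and the guessed values do not need to travel in a ticket or an e-mail. Replace SAMPLE_XML with the contents of your own -oX file to run it against a real scan.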
Additional Information
macOS
Default user and password lists:
/usr/local/Cellar/nmap/$NMAP_VERSION/share/nmap/nselib/data/user.lst
/usr/local/Cellar/nmap/$NMAP_VERSION/share/nmap/nselib/data/pass.lst
View available scripts:
ls -al /usr/local/Cellar/nmap/$NMAP_VERSION/share/nmap/scripts/
Linux
Default nmap home:
/usr/share/nmap/
Find all available nmap scripts, if any (the pattern is quoted so the shell does not expand it before find sees it):
find / -name "*.nse" 2>/dev/null
Find default nmap files if any:
find / -type f \( -name "ssh-brute.nse" -o -name "pass.lst" -o -name "user.lst" \) 2>/dev/null
Used Hardware
MacBook Pro (15-inch, 2017), macOS 10.14, 2.8 GHz Intel Core i7, 16 GB LPDDR3