| Server IP : 80.87.202.40 / Your IP : 216.73.216.169 Web Server : Apache System : Linux rospirotorg.ru 5.14.0-539.el9.x86_64 #1 SMP PREEMPT_DYNAMIC Thu Dec 5 22:26:13 UTC 2024 x86_64 User : bitrix ( 600) PHP Version : 8.2.27 Disable Function : NONE MySQL : OFF | cURL : ON | WGET : ON | Perl : ON | Python : OFF | Sudo : ON | Pkexec : ON Directory : /usr/share/nmap/scripts/ |
Upload File : |
local brute = require "brute"
local shortport = require "shortport"
local stdnse = require "stdnse"
local string = require "string"
local http = require "http"
local creds = require "creds"
description = [[
Performs brute force username and password auditing against
Metasploit msgrpc interface.
]]
---
-- @usage
-- nmap --script metasploit-msgrpc-brute -p 55553 <host>
--
-- This script uses brute library to perform password
-- guessing against Metasploit's msgrpc interface.
--
--
-- @output
-- PORT STATE SERVICE REASON
-- 55553/tcp open unknown syn-ack
-- | metasploit-msgrpc-brute:
-- | Accounts
-- | root:root - Valid credentials
-- | Statistics
-- |_ Performed 10 guesses in 10 seconds, average tps: 1
author = "Aleksandar Nikolic"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"intrusive", "brute"}
portrule = shortport.port_or_service(55553,"metasploit-msgrpc")
-- returns a "prefix" that msgpack uses for strings
local get_prefix = function(data)
if #data <= 31 then
return string.pack("B", 0xa0 + #data)
else
return "\xda" .. string.pack(">I2", #data)
end
end
-- simple function that implements basic msgpack encoding we need for this script
-- see http://wiki.msgpack.org/display/MSGPACK/Format+specification for more
local encode = function(username, password)
return "\x93\xaaauth.login" .. get_prefix(username) .. username .. get_prefix(password) .. password
end
Driver = {
new = function(self, host, port)
local o = {}
setmetatable(o, self)
self.__index = self
o.host = host
o.port = port
return o
end,
-- as we are using http methods, no need for connect and disconnect
-- this might cause a problem as in other scripts that don't have explicit connect
-- as there is no way to "reserve" a socket
connect = function( self )
return true
end,
login = function (self, user, pass)
local data
local options = {
header = {
["Content-Type"] = "binary/message-pack"
}
}
stdnse.debug1( "Trying %s/%s ...", user, pass )
data = http.post(self.host,self.port, "/api/",options, nil , encode(user,pass))
if data and data.status and tostring( data.status ):match( "200" ) then
if string.find(data.body,"success") then
return true, creds.Account:new( user, pass, creds.State.VALID)
else
return false, brute.Error:new( "Incorrect username or password" )
end
end
local err = brute.Error:new("Login didn't return a proper response")
err:setRetry( true )
return false, err
end,
disconnect = function( self )
return true
end
}
action = function( host, port )
local status, result
local engine = brute.Engine:new(Driver, host, port)
engine.options.script_name = SCRIPT_NAME
engine.options.firstonly = true
engine.max_threads = 3
engine.max_retries = 10
status, result = engine:start()
return result
end