Discussion:
nmap nse script telnet-brute
bgqueengeek
2017-06-19 23:58:08 UTC
Hi all;

Starting a new thread from ncrack telnet. Working now with the telnet brute
nse script. I am using the following syntax on zenmap:

nmap -p 23 -d3 -n -Pn --script telnet-brute --script-args brute-passonly=true,passdb=testPasswords.txt,brute.threads=1,brute.start=1 <destinationIP>

In the debug output I see Fetchfile being called to locate the usernames.lst
file under nselib\data:
Fetchfile found C:\Program Files (x86)\Nmap/nselib/data/usernames.lst

But I never see it called to grab the testPasswords.txt file located in the
same directory. Shouldn't I see this in the output?

Problem is this is a password-only test, the one password I have in that
file contains the correct password. Every other CLI telnet client I can find
works with this printer, I would think this could also work.

Any ideas most welcome at this point.

Thanks in advance.



--
View this message in context: http://nmap-dev.996309.n3.nabble.com/nmap-nse-script-telnet-brute-tp28753.html
Sent from the Nmap - Dev mailing list archive at Nabble.com.
bgqueengeek
2017-06-20 00:02:46 UTC
Ok I had a syntax error in the call to brute-passonly - should be
brute.passonly.

Thanks nnposter!

Sadly it now just endlessly loops.

<sigh>

Syntax is now:

nmap -p 23 -d3 -n -Pn --script telnet-brute --script-args brute.passonly=true,passdb=testPasswords.txt,brute.threads=1,brute.start=1 <IPaddy>

:-|

bgqueengeek
2017-06-20 00:34:29 UTC
Hey all;

Thanks for Dan and nnposter's help in the previous ncrack and now this
telnet-brute threads. Working with script-timeout values to trim the
looping.

Appreciate the help very much!

nnposter
2017-06-20 02:02:45 UTC
Based on the telnet banner (privately provided) I was able to get hold
of a similar target and to run telnet-brute against it.

An issue in my case was that the authenticated user is presented with a
custom menu that is not matching any of the empirical patterns for
recognizing a successful login.

Please test an updated version of the script from the SVN at
https://svn.nmap.org/nmap/scripts/telnet-brute.nse

It is still possible that your target is presenting some other content,
in which case I will need all the server-side data sent to the client
right after it receives the password, up to and including the prompt.


That said, even with the original, unmodified script I have not
experienced the endless looping you are describing. The script ran for
about 15 seconds. (The updated script confirms the correct password in
about 2 seconds.)


Cheers,
nnposter
bgqueengeek
2017-06-21 21:58:26 UTC
Thank you nnposter.

Your revised telnet-brute script works as you described!

nnposter
2017-06-21 22:23:36 UTC
Post by bgqueengeek
> Your revised telnet-brute script works as you described!

Thank you for reporting the issue and working with us on the resolution.

Cheers,
nnposter