description = [[
Tries to get FTP login credentials by guessing usernames and passwords.
This uses the standard unpwdb username/password list. However, in tests FTP servers are
significantly slower than other servers when responding, so the number of usernames/passwords
can be artificially limited using script arguments.
]]
---
-- @output
-- PORT STATE SERVICE REASON
-- 21/tcp open ftp syn-ack
-- | ftp-brute:
-- | | anonymous: IEUser@
-- |_ |_ test: password
--
-- @args userlimit The number of user accounts to try (default: unlimited).
-- @args passlimit The number of passwords to try (default: unlimited).
-- @args limit Set <code>userlimlt</code> and <code>passlimit</code> at the same time.
-- 2008-11-06 Vlatko Kosturjak <kost@linux.hr>
-- Modified xampp-default-auth script to generic ftp-brute script
--
-- 2009-09-18 Ron Bowes <ron@skullsecurity.net>
-- Made into an actual bruteforce script (previously, it only tried one username/password).
author = "Diman Todorov, Vlatko Kosturjak, Ron Bowes"
license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
categories = {"auth", "intrusive"}
require "shortport"
require "stdnse"
require "unpwdb"
portrule = shortport.port_or_service(21, "ftp")
local function get_limits()
local userlimit = -1
local passlimit = -1
if(nmap.registry.args.userlimit) then
userlimit = tonumber(nmap.registry.args.userlimit)
end
if(nmap.registry.args.passlimit) then
passlimit = tonumber(nmap.registry.args.passlimit)
end
if(nmap.registry.args.limit) then
userlimit = tonumber(nmap.registry.args.limit)
passlimit = tonumber(nmap.registry.args.limit)
end
return userlimit, passlimit
end
local function login(host, port, user, pass)
local status, err
local res = ""
-- Create a new socket
local socket = nmap.new_socket()
status, err = socket:connect(host, port)
if(not(status)) then
socket:close()
return false, "Couldn't connect to host: " .. err
end
status, err = socket:send("USER " .. user .. "\r\n")
if(not(status)) then
socket:close()
return false, "Couldn't send login: " .. err
end
status, err = socket:send("PASS " .. pass .. "\n\n")
if(not(status)) then
socket:close()
return false, "Couldn't send login: " .. err
end
-- Create a buffer and receive the first line
local buffer = stdnse.make_buffer(socket, "\r?\n")
local line = buffer()
-- Loop over the lines
while(line)do
stdnse.print_debug("Received: %s", line)
if(string.match(line, "^230")) then
stdnse.print_debug(1, "ftp-brute: Successful login: %s/%s", user, pass)
socket:close()
return true, true
elseif(string.match(line, "^530")) then
socket:close()
return true, false
elseif(string.match(line, "^220")) then
elseif(string.match(line, "^331")) then
else
stdnse.print_debug(1, "ftp-brute: WARNING: Unhandled response: %s", line)
end
line = buffer()
end
socket:close()
return false, "Login didn't return a proper response"
end
local function go(host, port)
local status, err
local result
local userlimit, passlimit = get_limits()
local authcombinations = {
{user="anonymous", password="IEUser@"}, -- Anonymous user
{user="nobody", password="xampp"} -- XAMPP default ftp
}
-- Load accounts from unpwdb
local usernames, username, passwords, password
-- Load the usernames
status, usernames = unpwdb.usernames()
if(not(status)) then
return false, "Couldn't load username list: " .. usernames
end
-- Load the passwords
status, passwords = unpwdb.passwords()
if(not(status)) then
return false, "Couldn't load password list: " .. usernames
end
-- Figure out how many
local i = 0
local j = 0
-- Add the passwords to the authcombinations table
password = passwords()
while (password) do
-- Limit the passwords
i = i + 1
if(passlimit > 0 and i > passlimit) then
break
end
j = 0
username = usernames()
while(username) do
-- Limit the usernames
j = j + 1
if(userlimit > 0 and j > userlimit) then
break
end
table.insert(authcombinations, {user=username, password=password})
username = usernames()
end
usernames('reset')
password = passwords()
end
stdnse.print_debug(1, "ftp-brute: Loaded %d username/password pairs", #authcombinations)
local results = {}
for _, combination in ipairs(authcombinations) do
-- Attempt a login
status, result = login(host, port, combination.user, combination.password)
-- Check for an error
if(not(status)) then
return false, result
end
-- Check for a success
if(status and result) then
table.insert(results, combination)
end
end
return true, results
end
action = function(host, port)
local response = {}
local status, results = go(host, port)
if(not(status)) then
return stdnse.format_output(false, results)
end
if(#results == 0) then
return stdnse.format_output(false, "No accounts found")
end
for i, v in ipairs(results) do
table.insert(response, string.format("%s: %s\n", v.user, v.password))
end
return stdnse.format_output(true, response)
end
Copyright 2K16 - 2K18 Indonesian Hacker Rulez