Avoid false positives in rexec-brute. Fixes #1090

nmap · Jan 22, 2018 · 59f819f · 59f819f
1 parent a67e68b
commit 59f819f
Show file tree

Hide file tree

Showing 2 changed files with 18 additions and 1 deletion.
diff --git a/CHANGELOG b/CHANGELOG
@@ -1,5 +1,8 @@
 #Nmap Changelog ($Id$); -*-text-*-
 
+o [NSE][GH#1090] Fix false positives in rexec-brute by checking responses for
+  indications of login failure. [Daniel Miller]
+
 o [NSE][GH#1099] Fix http-fetch to keep downloaded files in separate
   destination directories. [Aniket Pandey]
 

diff --git a/scripts/rexec-brute.nse b/scripts/rexec-brute.nse
@@ -33,6 +33,20 @@ categories = {"brute", "intrusive"}
 
 portrule = shortport.port_or_service(512, "exec", "tcp")
 
+--- Copied from telnet-brute
+-- Decide whether a given string (presumably received from a telnet server)
+-- indicates a failed login
+--
+-- @param str The string to analyze
+-- @return Verdict (true or false)
+local is_login_failure = function (str)
+  local lcstr = str:lower()
+  return lcstr:find("%f[%w]incorrect%f[%W]")
+      or lcstr:find("%f[%w]failed%f[%W]")
+      or lcstr:find("%f[%w]denied%f[%W]")
+      or lcstr:find("%f[%w]invalid%f[%W]")
+      or lcstr:find("%f[%w]bad%f[%W]")
+end
 
 Driver = {
 
@@ -72,7 +86,7 @@ Driver = {
 
     local response
     status, response = self.socket:receive()
-    if ( status ) then
+    if ( status and not is_login_failure(response)) then
       return true, creds.Account:new(username, password, creds.State.VALID)
     end
     return false, brute.Error:new( "Incorrect password" )