Feature skipping closed ports #2
Conversation
strikoder
left a comment
Instead of using nc for port checking, I'd prefer we just inspect the nxc output from the domain auth attempt; if it shows a connection failure (e.g. Connection refused, timed out, no route to host, or simply no output), skip the local auth entirely. The sleep 1 between the two calls is a natural place to add that check, and it avoids the nc dependency and its cross-platform issues altogether.
PROTOCOL_MAP[9]="vnc"
PROTOCOL_MAP[10]="nfs"

declare -A protocol_ports=(
Since protocol_ports already defines all protocols as keys, the "all" branch in the if/else below is redundant. You can replace PROTOCOLS=("smb" "winrm" ...) with PROTOCOLS=(${!protocol_ports[@]}) to derive it directly from the array. This way if someone adds a new protocol to protocol_ports in the future, the "all" case picks it up automatically without needing to edit two separate parts of the code.
Nevertheless, that said, see my comment below about replacing the nc port check entirely: if we go that route, protocol_ports itself may no longer be needed, which would make this point irrelevant anyway.
echo -e "${BLUE}[*] Starting credential validation...${NC}"
echo -e "${YELLOW}[*] Press Ctrl+C once to skip current test, twice within ${INTERRUPT_TIMEOUT}s to exit${NC}\n"

# Ping could be disabled, so just warn the user
I'm not a fan of the ping warning. In most real pentesting scenarios ICMP is blocked at the firewall, so this will almost always fire as a false alarm and just adds noise, and you most likely won't need it in a CTF env.
# First test if target is running service on the expected port
if ! [[ -z "${protocol_ports[$protocol]}" ]]; then
    # We have a port to test this protocol
    if !(nc -z -w 5 $TARGET ${protocol_ports[$protocol]} > /dev/null 2>&1); then
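Review bot: the nc condition on the last line forks an unnecessary subshell via `!(...)` and leaves `$TARGET` and `${protocol_ports[$protocol]}` unquoted, so a target or port value containing whitespace would be word-split before nc sees it. Suggest `if ! nc -z -w 5 "$TARGET" "${protocol_ports[$protocol]}" > /dev/null 2>&1; then`. The outer test `if ! [[ -z ... ]]` reads more directly as `if [[ -n "${protocol_ports[$protocol]}" ]]`.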
Instead of using nc for port checking, I think it would be cleaner to inspect the nxc output after the first domain auth attempt. If nxc failed to connect (e.g. Connection refused, timed out, no route to host), there's no point running the local auth attempt right after; the port is clearly closed or unreachable. This way we avoid the nc dependency entirely and the existing sleep 1 between domain and local auth is a natural place to add that check.
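The check proposed in both review comments above, written out as an added shell example (this is not the PR's code and not part of the project). It assumes the domain-auth output has already been captured into a variable; the failure phrases matched are exactly the ones named in the thread (Connection refused, timed out, no route to host) plus the empty-output case. The function names, the stub functions and their sample output lines are constructed for illustration only and stand in for the real nxc invocations.

```bash
#!/usr/bin/env bash
# Added example: skip the local-auth attempt when the preceding domain-auth
# attempt shows the target could not be reached. Not the PR's own code.

# Returns 0 (true) when the captured tool output indicates an unreachable
# service, 1 otherwise. Empty or whitespace-only output counts as unreachable,
# which covers the "simply no output" case raised in review.
nxc_unreachable() {
    _out="$1"
    if [ -z "$(printf '%s' "$_out" | tr -d '[:space:]')" ]; then
        return 0
    fi
    # Connection-failure phrases named in the review thread (case-insensitive).
    if printf '%s' "$_out" | grep -qiE 'connection refused|timed out|no route to host'; then
        return 0
    fi
    return 1
}

# Runs the domain-auth step, then the local-auth step only when the domain
# step actually reached the service. $1 and $2 are names of shell functions
# that perform each step and print the tool's output (hypothetical stand-ins
# for the real nxc calls). Returns 2 when the local step was skipped.
auth_with_skip() {
    _domain_out="$("$1")"
    printf '%s\n' "$_domain_out"
    if nxc_unreachable "$_domain_out"; then
        echo "[!] Target unreachable for this protocol, skipping local auth"
        return 2
    fi
    "$2"
}

# Constructed sample output lines (not real nxc output), used to exercise the logic.
stub_domain_refused() { printf '%s\n' 'SMB  10.0.0.5  445  NONE  [-] Connection refused'; }
stub_domain_reached() { printf '%s\n' 'SMB  10.0.0.5  445  DC01  [-] CORP\user:pass STATUS_LOGON_FAILURE'; }
stub_domain_silent()  { printf ''; }
stub_local()          { printf '%s\n' 'SMB  10.0.0.5  445  DC01  [-] DC01\user:pass STATUS_LOGON_FAILURE'; }

# Usage when run directly:
#   auth_with_skip stub_domain_refused stub_local   # prints the refusal, then the skip notice
#   auth_with_skip stub_domain_reached stub_local   # prints both attempts
```

Because the check keys on the tool's own output rather than on a separate probe, it also naturally covers the filtered-port case (a connect that times out) without a second network dependency, which is the point the reviewer makes about dropping nc.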
Hi again!
I've added a check to ping the target and warn the user if it is not pingable (the tool continues, since sometimes hosts block ping probes). I've also added a check that tries to netcat to each service before starting to spray credentials on it; if it can't, it warns the user AND skips the test.