Home page logo
/

nmap-dev logo Nmap Development mailing list archives

Re: What would we want in a new Netcat/Hping?
From: Chuck <chuck.lists () gmail com>
Date: Wed, 15 Jun 2005 17:36:32 -0400

- Support for requiring a password to connect to the NetCat2
  listener.

I don't think a clear text password is acceptable, even for this sort
of application.  I added a requirement that authentication and
encryption of the channel be supported as an option.  Maybe this can
be done securely and easily with OpenSSL.

I agree.  Cleartext passwords are unacceptable, but there are other
ways to implement  passwords and there are times when you want to
secure your netcat listener, but don't want to deal with SSL
certificates.  You could implement it as simple as:

- server sends random value to client
- client sends hash of random value + password
- server compares hashes

I just made that up, so there may be flaws in it (it is definitely
vulnerable to a MITM attack, but should be safe from sniffing).  There
are probably a bunch of established algorithms that we could choose
from, but something like this may be good enough because if you want
real security (from things like MITM) you will probably need to use
SSL mutual authentication (or something equally as complicated)
anyway.  You would also want to be able to use a password along with
one of the SSL dh_anon modes to protect the whole session from
sniffing.

Have a good one.

Chuck


_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]