Re: [RFC] Username/Password NSE library
From: Kris Katterjohn <katterjohn () gmail com>
Date: Tue, 17 Jun 2008 22:12:16 -0500
Tom Sellers wrote:
> Kris Katterjohn wrote:
>> Now I need opinions on good username and password lists to ship and use by
>> default. There is an ordered password list shipped with John the Ripper which
>> has 3107 entries. The license pretty much says we can distribute it if we
>> give credit and also ship the license. Are there any ideas on a better list?
>> What about a good username list?
>
> I suggest checking some of the Internet lists of default username/password
> pairs. It is ridiculous how often I come across equipment that has been
> installed and left in its default state.

What type of API and functionality would you guys like from this library?
When Fyodor and I first discussed this, it seemed pretty simple: you can grab
usernames or passwords one-at-a-time. But now you guys are thinking of good,
but different, ideas on how this library would work.

I think pairs like this would be nice, but it doesn't fit into the current
design; but is certainly OK by me.

Here are some ideas (not mutually exclusive of course):

1) The ability to grab a username or password at a time
2) The ability to grab the full table of usernames or passwords, or a table of
   a certain size
3) Maybe the ability to grab just "administrator" usernames
4) The ability to grab common default username/password pairs for networking

> It may also make sense to order this list such that more common software/devices
> occur first. If you like I can gather some of this information and condense

It'd be great if you could do that. It's better to have too many than miss out.

> If you think these usernames and passwords would not be appropriate for your
> application I may roll them into generic scripts based on protocol, such as
> ftp, http, ssh, etc.
Sent through the nmap-dev mailing list
Archived at http://SecLists.Org