Home page logo
/

nmap-dev logo Nmap Development mailing list archives

Re: [RFC] Username/Password NSE library
From: Kris Katterjohn <katterjohn () gmail com>
Date: Tue, 17 Jun 2008 22:12:16 -0500

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Tom Sellers wrote:
Kris Katterjohn wrote:
Now I need opinions on good username and password lists to ship and use by
default.  There is an ordered password list shipped with John the Ripper which
has 3107 entries.  The license[1] pretty much says we can distribute it if we
give credit and also ship the license.  Are there any ideas on a better list?

What about a good username list?


I suggest checking some of the Internet lists of default username/password
pairs.  It is ridiculous how often I come across equipment that has been
install and left in its default state.


What type of API and functionality would you guys like from this library?
When Fyodor and I first discussed this, it seemed pretty simple: you can grab
usernames or passwords one-at-a-time.  But now you guys are thinking of good,
but different, ideas on how this library would work.

I think pairs like this would be nice, but it doesn't fit into the current
design; but is certainly OK by me.

Here are some ideas (not mutually exclusive of course):

1) The ability to grab a username or password at a time

2) The ability to grab the full table of usernames or passwords, or a table of
a certain size

3) Maybe the ability to grab just "administrator" usernames

4) The ability to grab common default username/password pairs for networking
devices

It may also make sense to order this list such that more common software/devices
occur first.  If you like I can gather some of this information and condense
it down.


It'd be great if you could do that.  It's better to have too many than miss out.

If you think these usernames and passwords would not be appropriate for your
application I may roll them into generic scripts based on protocol, such as
ftp, http, ssh, etc.

Thanks,
Tom


Thanks,
Kris Katterjohn

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iQIVAwUBSFh9D/9K37xXYl36AQKwsxAAj+uyPItqK0uqj31H/q7mEC31CHxHWmMC
KI3MSa9q1gCXYrbuEkEbANWc2QXSt10gGpl951ksTn7YjGno0/LQSanTYnMCkyJE
Rg7EHNraH5F6zohFDZCzK1PiVrvrdfkEoCfIYNRWG/LQBrPas91MIFvv/udZHkkH
VShJcGI03aXyHbz5oM9/6ub2SrbX7B7QS6XvXX65GC1QyGbGhP9sfd9ICzNy+yp+
0wz7+5il40Ji1f7xnUzM7ns6dI7RjJcv9HnfQ7sUIm3cV7ZTDNj3gbDfna755Eh1
oHgBrolVqLDVjjqkBpK8aF+TVlm9pQF6HBTgSPvkcaqDoTkC3SP8Ikhb1dwUzbvp
MkHfQrz1B+y7WpJSfoQUJkJ6n897SRr/mFtk1PADLE3KU2DQTASH3cnhHy/hFG3z
fjaurfo3fqJtBy8y1IIv1qYK1HW+FrbFwQkkiHFHazleotanNcCs/+8AZbN0RDPZ
JV3RX4U/Yg+S8bQanJfDV6xx7ckDn9TFdHpBS1XoN53QHlYaQ2E00sseCKtA0XYP
A2r7SqrQs417R/KtrvbO2kmZBMuEZz62vunq2n/cBF+TNBZ+ons+eF+BqUUqrWIr
Dx0I6vCcigdPlNeR5XyCxNcgU3eYiBT0fp2RhVFNpkCgKb1JCYL0gCR3VSTUHKzb
2X5h5Y3LHJ4=
=PM6N
-----END PGP SIGNATURE-----

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault