Home page logo

nmap-dev logo Nmap Development mailing list archives

Re: [RFC] Username/Password NSE library
From: Fyodor <fyodor () insecure org>
Date: Wed, 18 Jun 2008 00:01:23 -0700

On Tue, Jun 17, 2008 at 10:12:16PM -0500, Kris Katterjohn wrote:

Here are some ideas (not mutually exclusive of course):

1) The ability to grab a username or password at a time


2) The ability to grab the full table of usernames or passwords, or a table of
a certain size

You might be able to get by with either #1 or #2.  Though my initial
thought is that #1 would be better in that case.

3) Maybe the ability to grab just "administrator" usernames

Maybe, though as you mentioned theyse may generally be at the top of
the username list anyway.  And a smart script which only wants admin
usernames may be better off using its own list because the script may
know if it is likely to be used against Windows, certain devices with
common admin names, etc.  So it may be able to exclude administrator
names from other platforms.

4) The ability to grab common default username/password pairs for networking

I think these lists would be specific to a certain script which scans
such a device/service, so I'd rather let the script use its own lists.

It would be nice if the library tells whether it is using a
user-provided or default list.  I'd generally probably use more
entries from a user-provided list (perhaps all of them), while a
default list can be limited to a much smaller number.


Sent through the nmap-dev mailing list
Archived at http://SecLists.Org

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]