mailing list archives
Re: [RFC] Username/Password NSE library
From: Kris Katterjohn <katterjohn () gmail com>
Date: Wed, 18 Jun 2008 11:57:21 -0500
-----BEGIN PGP SIGNED MESSAGE-----
On Tue, Jun 17, 2008 at 10:12:16PM -0500, Kris Katterjohn wrote:
Here are some ideas (not mutually exclusive of course):
1) The ability to grab a username or password at a time
2) The ability to grab the full table of usernames or passwords, or a table of
a certain size
You might be able to get by with either #1 or #2. Though my initial
thought is that #1 would be better in that case.
Well, if it's between the two, I would definitely choose #1 (and that seems to
be the general opinion).
3) Maybe the ability to grab just "administrator" usernames
Maybe, though as you mentioned theyse may generally be at the top of
the username list anyway. And a smart script which only wants admin
usernames may be better off using its own list because the script may
know if it is likely to be used against Windows, certain devices with
common admin names, etc. So it may be able to exclude administrator
names from other platforms.
This sounds reasonable to me.
4) The ability to grab common default username/password pairs for networking
I think these lists would be specific to a certain script which scans
such a device/service, so I'd rather let the script use its own lists.
This too sounds reasonable.
It would be nice if the library tells whether it is using a
user-provided or default list. I'd generally probably use more
entries from a user-provided list (perhaps all of them), while a
default list can be limited to a much smaller number.
That's a good idea! I think the simplest way would be to have a boolean
return value, probably true for a user-defined list.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
-----END PGP SIGNATURE-----
Sent through the nmap-dev mailing list
Archived at http://SecLists.Org