Home page logo
/

nmap-dev logo Nmap Development mailing list archives

Re: [RFC] Username/Password NSE library
From: Kris Katterjohn <katterjohn () gmail com>
Date: Thu, 19 Jun 2008 16:54:57 -0500

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Fyodor wrote:
On Tue, Jun 17, 2008 at 10:12:16PM -0500, Kris Katterjohn wrote:
Here are some ideas (not mutually exclusive of course):

1) The ability to grab a username or password at a time

OK.

2) The ability to grab the full table of usernames or passwords, or a table of
a certain size

You might be able to get by with either #1 or #2.  Though my initial
thought is that #1 would be better in that case.

3) Maybe the ability to grab just "administrator" usernames

Maybe, though as you mentioned theyse may generally be at the top of
the username list anyway.  And a smart script which only wants admin
usernames may be better off using its own list because the script may
know if it is likely to be used against Windows, certain devices with
common admin names, etc.  So it may be able to exclude administrator
names from other platforms.

4) The ability to grab common default username/password pairs for networking
devices

I think these lists would be specific to a certain script which scans
such a device/service, so I'd rather let the script use its own lists.

It would be nice if the library tells whether it is using a
user-provided or default list.  I'd generally probably use more
entries from a user-provided list (perhaps all of them), while a
default list can be limited to a much smaller number.


So what are your thoughts on how long the default lists should be?  The
general consensus seems to be fairly small (a few hundred).

Cheers,
-F

Thanks,
Kris Katterjohn

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iQIVAwUBSFrVsP9K37xXYl36AQJZvQ//VpnKNpAPqnnolcfNJKz5fUMetWKMPM8F
w9CMiH4GN+w3NOQzCwwGPXlvGSbXy7qe/EqiYNb7Xd3MUDz3tXf+7lijFPTc9WX3
eD9VMpULi4mE0QS7kS4QoFzsyYeXxmuiAPFPG//8V86sIUM9A1y77d0OywHTSD8X
2TKG3tXnKyiEKjzy4mEx5lNupNi9Fdgja5VJ3WvLwHgAA+VxMybjXIxl9mYnzXka
cKOsObupZ30+38NneUKu6Qn1IE5wfif9jL5POIUMDRi1I0EJd77SrkjaXi0/cll8
/XDmymbyJpRXKDkuKKw81sAEF8jL6Jew1zTP0tD6BadKMQP5JOlZTyEaaB6XZlu8
0si0tcO7DtbfyojCZKY1n+NbI46oiVEzYVtjfz7aZV6kEgFp04K6QDPl+EgQbaCi
a8FJDG6j0zBc0KEmq64VhDPorqPp5xh2Kw7QpVrtPEkMipWkCqkSHVsf2dhLt1cG
kP1Nh628XegQQyOoHBfiqYd0t33MthqtL1azdkt3svuy9ACUgst0MuiHAvAD3gHr
H+MLRFlulyyvlwoU6Q8DvG8noRF2pH4vgWwX14arazmNou8CG8I5ZwIDMHL1QwCQ
k9O61Tzzr/W8Vu7fLp04lDUf/+EO39BQyCbH5EqESU2P1z14vE8m61rzCFhwF5nK
vGQZzKVdh1c=
=rMSZ
-----END PGP SIGNATURE-----

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]