Nmap Development mailing list archives

Re: [RFC] Username/Password NSE library
From: Fyodor <fyodor () insecure org>
Date: Thu, 19 Jun 2008 15:02:23 -0700

On Thu, Jun 19, 2008 at 04:54:57PM -0500, Kris Katterjohn wrote:

> So what are your thoughts on how long the default lists should be?  The
> general consensus seems to be fairly small (a few hundred).

I think it is fine for the library to have reasonably long lists (such
as thousands or maybe even tens of thousands of passwords).  As long
as they are ordered by frequency, the scripts themselves can decide
how many to take.  Different authentication methods take very
different lengths of time to test each user/password combination, so I
don't think there will be a one-size-fits-all rule like "scripts will
try the first 300".  We might even want the scripts to just keep
trying passwords until a certain amount of clock time has passed,
rather than based on number of passwords.


Sent through the nmap-dev mailing list
Archived at http://SecLists.Org
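
The clock-budget idea from the message above, as an added Python sketch (not code from the original message or from the Nmap project): the same frequency-ordered list is consumed to very different depths depending on how long each check takes. The function names, the simulated clock and the constructed word list are assumptions for illustration; nothing here performs network I/O.

```python
from typing import Callable, Iterable, Optional, Tuple


class FakeClock:
    """Deterministic clock so the example runs offline.
    A real caller would pass time.monotonic instead (assumption)."""

    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


def try_until_deadline(candidates: Iterable[str],
                       check: Callable[[str], bool],
                       budget_seconds: float,
                       clock: Callable[[], float]) -> Tuple[Optional[str], int]:
    """Walk a frequency-ordered list until a match is found or the clock
    budget is spent. Returns (match or None, number of candidates tested)."""
    deadline = clock() + budget_seconds
    tested = 0
    for candidate in candidates:
        if clock() >= deadline:      # budget spent: stop, however long the list is
            break
        tested += 1
        if check(candidate):
            return candidate, tested
    return None, tested


def simulate(cost_per_check: float, budget_seconds: float,
             wordlist: Iterable[str],
             secret: Optional[str] = None) -> Tuple[Optional[str], int]:
    """Run the loop against a simulated check that costs a fixed amount of
    clock time, standing in for a fast or slow authentication method."""
    clock = FakeClock()

    def check(candidate: str) -> bool:
        clock.advance(cost_per_check)
        return candidate == secret

    return try_until_deadline(wordlist, check, budget_seconds, clock)


# Constructed sample list, most frequent entry first (placeholder values).
WORDLIST = [f"candidate{i:04d}" for i in range(5000)]
```

With a 10-second budget, a check costing 0.125 s gets through 80 entries while one costing 2 s gets through 5, so a fixed "first 300" rule would mean either 37.5 seconds or 10 minutes of testing.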
