Home page logo
/

nmap-dev logo Nmap Development mailing list archives

RE: [RFC] Changes to HTTPAuth, addition of HTTPbrute
From: "Thomas Buchanan" <TBuchanan () thecompassgrp net>
Date: Wed, 25 Jun 2008 08:26:50 -0500

-----Original Message-----
From: Kris Katterjohn [mailto:katterjohn () gmail com] 
Sent: Wednesday, June 25, 2008 12:49 AM
To: Thomas Buchanan
Cc: Nmap Dev
Subject: Re: [RFC] Changes to HTTPAuth, addition of HTTPbrute


I've attached a patch against your HTTPAuth that fixes the warning:

SCRIPT ENGINE: ./scripts/HTTPAuth.nse:48: bad argument #1 to 'len'
(string expected, got nil)

If a server didn't send a 401 message, string.len() was called on
nil.  I just made it return if it wasn't a 401, instead of having
all of the "real" code inside a conditional block.

The patch looks good.  Thanks.

I've also attached a patch to fix some false positives in
HTTPbrute.  I ran it several times, and one time it gave me 7
false positives.  Now that I've fixed that, I'm having the
problem of getting my valid username/password pair to
succeed: all of the requests are getting 401 responses back.  
Maybe this is a problem with the base64 library?  Or maybe I've
done something wrong and will feel stupid after sending this
email :)


I applied your patch for HTTPbrute here, and all of my valid user/pass
combinations are still working.  Not exactly sure what might be the
issue, but three possibilities come to mind:

1. Any chance you may have locked out the user account, so that it's
returning Unauthorized no matter what?

2. My base64 encoding algorithm uses numerical codes from lua's
string.byte() function, which the docs say "are not necessarily portable
across platforms".  I don't know if locale or UTF-8 settings could be a
problem here?

3. The username/password library doesn't strip whitespace from the end
of lines, so maybe an inadvertent space or '\r' could be the culprit?

You can verify that the base64 library is working correctly by using an
online encoders, such as this one:
http://www.motobit.com/util/base64-decoder-encoder.asp

Let me know if there's anything else I can do to help.

Thanks,

Thomas

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]