Home page logo
/

nmap-dev logo Nmap Development mailing list archives

Re: [RFC] Changes to HTTPAuth, addition of HTTPbrute
From: Kris Katterjohn <katterjohn () gmail com>
Date: Wed, 25 Jun 2008 12:35:53 -0500

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Thomas Buchanan wrote:
From: Kris Katterjohn [mailto:katterjohn () gmail com] 

I've attached a patch against your HTTPAuth that fixes the warning:

SCRIPT ENGINE: ./scripts/HTTPAuth.nse:48: bad argument #1 to 'len'
(string expected, got nil)

If a server didn't send a 401 message, string.len() was called on
nil.  I just made it return if it wasn't a 401, instead of having
all of the "real" code inside a conditional block.

The patch looks good.  Thanks.


No problem.

I've also attached a patch to fix some false positives in
HTTPbrute.  I ran it several times, and one time it gave me 7
false positives.  Now that I've fixed that, I'm having the
problem of getting my valid username/password pair to
succeed: all of the requests are getting 401 responses back.  
Maybe this is a problem with the base64 library?  Or maybe I've
done something wrong and will feel stupid after sending this
email :)


I applied your patch for HTTPbrute here, and all of my valid user/pass
combinations are still working.  Not exactly sure what might be the
issue, but three possibilities come to mind:

1. Any chance you may have locked out the user account, so that it's
returning Unauthorized no matter what?


*sigh* That's indeed what it looks like today.  I was logging in through
Firefox while testing to avoid this, but I must've just missed it.  Sorry!

I set up a lighttpd server with basic authorization, and your HTTPbrute script
works fine against it with some slightly-larger 25-entry username and password
lists.

You can verify that the base64 library is working correctly by using an
online encoders, such as this one:
http://www.motobit.com/util/base64-decoder-encoder.asp


Yes, your base64 library does indeed seem to work fine.

Let me know if there's anything else I can do to help.

Thanks,

Thomas

Thanks!,
Kris Katterjohn


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iQIVAwUBSGKB9v9K37xXYl36AQK+pw//T3kYX74He3JJzr29UsYmJMb70hXN45R2
mInmv097mvCSiHMTivHcwQOzuz/gtp1gw9NMvMWFifZtMTWSXp9aA+TUgWGGhyh2
cvCMlGtOa7QDptRgqB3HwddQKbyraNTuJ8qRnp1DSUWfk8QDO8FxL7bLp3gbSfBW
jl4JawnRdn0Za/7k6wRS76ZufIpFphneUsdne6jUmQ7RRVjds/1cUfHxT5xpp/e7
+fQkFobG88W28u1IrZqjMed8+brUIvcFohLnD1hnZ/CTpApFa575ofH0o5fnldbL
D55a8jnC+5JPPD6cmhK2qXfySllh5a8Bto+jc3gJIwbwf+8VWmSF1jh5XfGrWuPK
cLu/a3aUZ8BjGmqylM3pwSO1xEjQgpNMK1cC5eC0okdRghO5P3BBvIm3WIdsehhi
CMLzvWtM2aNgYXhrpXBKUya2n3VPF3uts/NuPO+WGFoSTu0iHGTxb0Dl/EXLFcpR
smR8Yi/D+C4aUeqHb8MBzVNPFJUWzGFuyLVoV/RVbvUqHk3EAk5lV+QAKfs35+a4
GFuReESacdJZRwIfDJckDc+FSUhwvWzRk0CEAqnDdA0QswE2alRlX0zN0/ZmqbME
FNq6yZcM/2nKBNf46SpGiGj6u5tBYVulPNel1v+VuavvwfdU0B83phk6lxJs8ghx
41fFG5W0ic0=
=k1hg
-----END PGP SIGNATURE-----

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault