mailing list archives
Re: [RFC] Changes to HTTPAuth, addition of HTTPbrute
From: Kris Katterjohn <katterjohn () gmail com>
Date: Wed, 25 Jun 2008 12:35:53 -0500
-----BEGIN PGP SIGNED MESSAGE-----
Thomas Buchanan wrote:
From: Kris Katterjohn [mailto:katterjohn () gmail com]
I've attached a patch against your HTTPAuth that fixes the warning:
SCRIPT ENGINE: ./scripts/HTTPAuth.nse:48: bad argument #1 to 'len'
(string expected, got nil)
If a server didn't send a 401 message, string.len() was called on
nil. I just made it return if it wasn't a 401, instead of having
all of the "real" code inside a conditional block.
The patch looks good. Thanks.
I've also attached a patch to fix some false positives in
HTTPbrute. I ran it several times, and one time it gave me 7
false positives. Now that I've fixed that, I'm having the
problem of getting my valid username/password pair to
succeed: all of the requests are getting 401 responses back.
Maybe this is a problem with the base64 library? Or maybe I've
done something wrong and will feel stupid after sending this
I applied your patch for HTTPbrute here, and all of my valid user/pass
combinations are still working. Not exactly sure what might be the
issue, but three possibilities come to mind:
1. Any chance you may have locked out the user account, so that it's
returning Unauthorized no matter what?
*sigh* That's indeed what it looks like today. I was logging in through
Firefox while testing to avoid this, but I must've just missed it. Sorry!
I set up a lighttpd server with basic authorization, and your HTTPbrute script
works fine against it with some slightly-larger 25-entry username and password
You can verify that the base64 library is working correctly by using an
online encoders, such as this one:
Yes, your base64 library does indeed seem to work fine.
Let me know if there's anything else I can do to help.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
-----END PGP SIGNATURE-----
Sent through the nmap-dev mailing list
Archived at http://SecLists.Org