Home page logo

nmap-dev logo Nmap Development mailing list archives

Re: HTTP Brute Force NSE script
From: Ron <ron () skullsecurity net>
Date: Wed, 01 Apr 2009 10:20:32 -0500

David Fifield wrote:
For user name and password guessing the preferred approach is to use the
unpwdb module.


However I have resisted adding new authentication credentials to
http-auth.nse because while it's easy to just add a load of passwords,
all they do is slow a scan down unless they are passwords that are
actually used. I would prefer to see a list of credentials that is
tailored for HTTP services, such as default passwords for weblog
software and home router admin pages, with numbers giving a general idea
of how often they are used.

David Fifield

unpwdb is definitely the way to go. I'm hoping to improve it in the future, by adding (optional) features for modifying passwords (adding characters to the end, etc). Maybe we can have a separate "default password" list, too?

Me and Brandon have been working on improving password lists (mostly Brandon -- all I've been doing is collecting lists). Basically, collecting stats on the most common passwords/password forms, and we will hopefully be able to integrate the new knowledge into unpwdb.


Sent through the nmap-dev mailing list
Archived at http://SecLists.Org

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]