Re: HTTP Brute Force NSE script
From: Ron <ron () skullsecurity net>
Date: Wed, 01 Apr 2009 10:20:32 -0500
David Fifield wrote:
> For user name and password guessing the preferred approach is to use the
> However I have resisted adding new authentication credentials to
> http-auth.nse because while it's easy to just add a load of passwords,
> all they do is slow a scan down unless they are passwords that are
> actually used. I would prefer to see a list of credentials that is
> tailored for HTTP services, such as default passwords for weblog
> software and home router admin pages, with numbers giving a general idea
> of how often they are used.

unpwdb is definitely the way to go. I'm hoping to improve it in the
future, by adding (optional) features for modifying passwords (adding
characters to the end, etc). Maybe we can have a separate "default
password" list, too?

Brandon and I have been working on improving password lists (mostly
Brandon -- all I've been doing is collecting lists). Basically,
collecting stats on the most common passwords/password forms, and we
will hopefully be able to integrate the new knowledge into unpwdb.
Sent through the nmap-dev mailing list
Archived at http://SecLists.Org