Home page logo

nmap-dev logo Nmap Development mailing list archives

Re: HTTP Brute Force NSE script
From: Thomas Buchanan <tbuchanan () thecompassgrp net>
Date: Thu, 02 Apr 2009 09:39:37 -0500

João wrote:
Hey David, thanks a lot for the feedback.

On Wed, Apr 1, 2009 at 11:57 AM, David Fifield <david () bamsoftware com> wrote:
On Wed, Apr 01, 2009 at 04:13:07AM -0300, João wrote:
Today I was studying about coding in NSE and for such task I've tried
to develop a simple script. I've based myself in the other scripts
that are available with nmap and I've written a small script for
performing HTTP Brute Forcing based on wordlists.

Yes. Actually I've used http-auth.nse as a reference for the
authorization requests. http-auth-nse only checks if the server
requires authorization and attempts two pairs of login/password. The
script I've written collects pairs from files with usernames and
passwords. The basic advantage is having files for that, and not
keeping the data inside the script.

Hi João,

Last June [1], I submitted a patch to remove the password guessing from http-auth and move it to its own separate script, which used the unpwdb library. These changes were never accepted, and I didn't have time to pursue it any further, but there might be some things in that thread that are of use to you.

I still think that the discovery of web services and urls that require authentication should be separate from the actual brute forcing. I'd encourage you to continue working on these scripts. I would love to see http-auth (or one of the other web server discovery scripts) extended so that it looks for common subfolders (for example, many Windows servers have a /printer/ directory) or other urls that require authentication, then passes that list off to the http brute forcing script. I think this could be accomplished using the NSE concept of runlevels and possibly the use of the registry to retain information between script runs.

It would also be great to see any http brute forcing scripts extended to support multiple types of authentication. As David indicated, there have been efforts to integrate Digest authentication brute forcing, but the current status is unknown. I'd be very curious to see if Ron's work with SMB and NTLM would allow us to do http brute forcing against Windows servers that require NTLM authentication. Sadly I don't have time to look into that myself.

Anyway, good luck with your GSoC application, and happy coding!


[1] http://seclists.org/nmap-dev/2008/q2/0850.html

Sent through the nmap-dev mailing list
Archived at http://SecLists.Org

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]