Re: HTTP Brute Force NSE script
From: Thomas Buchanan <tbuchanan () thecompassgrp net>
Date: Thu, 02 Apr 2009 09:39:37 -0500
> Hey David, thanks a lot for the feedback.
>
> On Wed, Apr 1, 2009 at 11:57 AM, David Fifield <david () bamsoftware com> wrote:
> > On Wed, Apr 01, 2009 at 04:13:07AM -0300, João wrote:
> > > Today I was studying about coding in NSE and for such task I've tried
> > > to develop a simple script. I've based myself in the other scripts
> > > that are available with nmap and I've written a small script for
> > > performing HTTP Brute Forcing based on wordlists.
>
> Yes. Actually I've used http-auth.nse as a reference for the
> authorization requests. http-auth-nse only checks if the server
> requires authorization and attempts two pairs of login/password. The
> script I've written collects pairs from files with usernames and
> passwords. The basic advantage is having files for that, and not
> keeping the data inside the script.
Last June, I submitted a patch to remove the password guessing from
http-auth and move it to its own separate script, which used the unpwdb
library. These changes were never accepted, and I didn't have time to
pursue it any further, but there might be some things in that thread
that are of use to you.
I still think that the discovery of web services and urls that require
authentication should be separate from the actual brute forcing. I'd
encourage you to continue working on these scripts. I would love to see
http-auth (or one of the other web server discovery scripts) extended so
that it looks for common subfolders (for example, many Windows servers
have a /printer/ directory) or other urls that require authentication,
then passes that list off to the http brute forcing script. I think
this could be accomplished using the NSE concept of runlevels and
possibly the use of the registry to retain information between script runs.
It would also be great to see any http brute forcing scripts extended to
support multiple types of authentication. As David indicated, there
have been efforts to integrate Digest authentication brute forcing, but
the current status is unknown. I'd be very curious to see if Ron's work
with SMB and NTLM would allow us to do http brute forcing against
Windows servers that require NTLM authentication. Sadly I don't have
time to look into that myself.
Anyway, good luck with your GSoC application, and happy coding!
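The scripts discussed in this thread produce a very recognisable server-side footprint: a single probe for an authentication-protected URL such as /printer/ yields one 401, while wordlist-driven guessing yields a burst of 401s from one client against one path. The following is an added detection example, not code from the thread or from Nmap; the log lines are constructed, and the threshold and window are assumed values to tune per site.

```python
import re
from collections import defaultdict
from datetime import datetime

# Prefix of the Apache/nginx "common"/"combined" formats: client, timestamp,
# request line, status. Referer and user-agent, if present, are ignored.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3})'
)

def parse_line(line):
    """Return (ip, timestamp, path, status) or None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("path"), int(m.group("status"))

def find_auth_bruteforce(lines, threshold=5, window_seconds=60):
    """Flag (ip, path) pairs with >= threshold 401s inside any window_seconds span.

    Returns {(ip, path): peak 401 count within one window}.
    """
    failures = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is not None and rec[3] == 401:
            failures[(rec[0], rec[2])].append(rec[1])
    flagged = {}
    for key, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):          # sliding window over sorted times
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[key] = max(flagged.get(key, 0), count)
    return flagged

# Constructed sample: six guesses in five seconds from one client, then a
# single discovery-style probe and a normal page fetch from another client.
SAMPLE_LOG = """\
203.0.113.7 - - [02/Apr/2009:09:39:01 -0500] "GET /printer/ HTTP/1.1" 401 381
203.0.113.7 - - [02/Apr/2009:09:39:02 -0500] "GET /printer/ HTTP/1.1" 401 381
203.0.113.7 - - [02/Apr/2009:09:39:02 -0500] "GET /printer/ HTTP/1.1" 401 381
203.0.113.7 - - [02/Apr/2009:09:39:03 -0500] "GET /printer/ HTTP/1.1" 401 381
203.0.113.7 - - [02/Apr/2009:09:39:04 -0500] "GET /printer/ HTTP/1.1" 401 381
203.0.113.7 - - [02/Apr/2009:09:39:05 -0500] "GET /printer/ HTTP/1.1" 401 381
198.51.100.2 - - [02/Apr/2009:09:40:10 -0500] "GET /printer/ HTTP/1.1" 401 381
198.51.100.2 - - [02/Apr/2009:09:40:11 -0500] "GET /index.html HTTP/1.1" 200 1432
""".splitlines()
```

Running `find_auth_bruteforce(SAMPLE_LOG)` flags only the first client; the lone 401 from the second client stays below the threshold, which is the behaviour you want if the discovery step and the guessing step are split into separate scripts as suggested above.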
Sent through the nmap-dev mailing list
Archived at http://SecLists.Org