Request for telnetd heuristics and peculiar services
From: ithilgore <ithilgore.ryu.l () gmail com>
Date: Sun, 14 Jun 2009 03:17:03 +0300
I began thinking that the best way to test some aspects of the
dynamic timing engine of Ncrack is to use it against many different
kinds of services.
There are 2 different things I am planning for the moment:
1) Begin writing the telnetd module. As you probably know, telnet
doesn't have a standard way of letting you know if your
authentication succeeded (if there was a need for one) like ftp does
with the special number codes. Since Ncrack will need to be able to
understand any exotic routers/switches/printers/devices that have
telnetd enabled, it will probably have to know what kind of
different replies to expect for each authentication phase. A typical
telnetd session goes like this:
Connected to XXX.XXX.XXX.XXX.
Escape character is '^]'.
"Banner goes here"
User Access Verification
% Authentication failed
User Access Verification
The main problem is to be able to discern when we succeed and when
we failed. AFAIK most devices just show a prompt when you log in
and that is usually just the symbol '>', although this can possibly
change to '#' or something different than that.
Based on your experience with the telnetd services, what do you
think are the most common prompts and the most common 'failed
authentication' messages? We will need to gather all of them
eventually so if you have in mind any exotic device that uses
something more peculiar, feel free to inform me.
2) I want to test Ncrack against 'strange' service configurations.
One such example is a service that gives you the results with an
exponential delay after each authentication attempt. So for the
first attempt of a connection the results (whether we succeeded or
not) are given e.g. after 1 second, for the second attempt after 5
seconds and for the 3rd attempt after 15 seconds or something
similar. Ncrack's timing engine will have to spot this behaviour and
change the number of probes it needs to send in parallel to maximize
its performance. In the above case, it would probably open more
connections and stop at the first authentication attempt for each
So, do you know any such services that have this or a similar kind of
behaviour by default? Also, I would like to know about services that
support the manual configuration of this behaviour through their
Sent through the nmap-dev mailing list
Archived at http://SecLists.Org
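The reply-classification problem in point 1) above, as an added illustration that is not part of the original post and not Ncrack's telnet module: a small heuristic classifier that maps the text received after a password is sent to one of a few outcomes, using the failure message and prompt characters quoted in the post plus two assumed extra failure strings. The sample replies are constructed; the pattern tables are assumptions meant to be extended as more device prompts are collected.

```python
import re

# Constructed heuristics modelled on the replies quoted in the post; they are
# not Ncrack's own code. Devices differ, so every table here is an assumption
# to be extended as new prompts and failure messages are collected.
FAILURE_MESSAGES = [
    re.compile(r"%?\s*authentication failed", re.I),   # as quoted in the post
    re.compile(r"login incorrect", re.I),              # assumed: classic Unix telnetd wording
    re.compile(r"access denied", re.I),                # assumed: common on network devices
]
# A credential request seen again after sending a password: many devices
# signal failure only by re-prompting, with no message at all.
CREDENTIAL_REQUEST = re.compile(r"user access verification|login:|username:|password:", re.I)
# A CLI prompt: optional hostname, then '>', '#' or '$' at end of line.
COMMAND_PROMPT = re.compile(r"^[\w.\-()]*\s*[>#$]\s*$")

def classify_reply(reply: str) -> str:
    """Classify the text received after sending a password.

    Returns one of:
      'failed'     - an explicit failure message was printed
      'reprompted' - no message, but the device asked for credentials again
      'success'    - the last non-empty line looks like a command prompt
      'unknown'    - none of the above; a new heuristic is needed
    """
    lines = [ln.rstrip("\r").strip() for ln in reply.split("\n")]
    lines = [ln for ln in lines if ln]
    if any(p.search(ln) for ln in lines for p in FAILURE_MESSAGES):
        return "failed"
    if not lines:
        return "unknown"
    last = lines[-1]
    if COMMAND_PROMPT.match(last):
        return "success"
    if CREDENTIAL_REQUEST.search(last):
        return "reprompted"
    return "unknown"

# Constructed sample replies, shaped like the session quoted in the post.
SAMPLES = {
    "cisco_fail": "\r\n% Authentication failed\r\n\r\nUser Access Verification\r\n\r\nPassword: ",
    "cisco_ok": "\r\n\r\nrouter>",
    "silent_fail": "\r\n\r\nlogin: ",
    "unix_fail": "\r\nLogin incorrect\r\nlogin: ",
    "enable_ok": "\r\nswitch-01#",
    "odd_banner": "\r\nWelcome to the device\r\n",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(f"{name:12s} -> {classify_reply(text)}")
```

The 'unknown' bucket is the useful one for the survey the post asks for: any reply landing there is a device whose wording still needs to be added to the tables.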