Home page logo
/

nmap-dev logo Nmap Development mailing list archives

Re: nse crypto
From: Toni Ruottu <toni.ruottu () iki fi>
Date: Sun, 13 Mar 2011 02:48:03 +0200

One debug message is still lacking <empty>. It tells me
NSE: Found valid password  on target ::

On Sun, Mar 13, 2011 at 2:05 AM, Toni Ruottu <toni.ruottu () iki fi> wrote:
Seems to work. Thanks for the fix!

On Sun, Mar 13, 2011 at 1:51 AM, Patrik Karlsson <patrik () cqure net> wrote:
Thanks Toni. I've committed a fix in r22561.

//Patrik

Den 2011-03-13 00.39 skrev Toni Ruottu <toni.ruottu () iki fi>:

Debug output tells me:
NSE: Trying <empty> against 127.0.0.1:9929

but the result ends up stating:
9929/tcp open  nping-echo syn-ack
| nping-brute:
|   Accounts
|      => Login correct
|   Statistics
|_    Perfomed 10 guesses in 10 seconds, average tps: 1

You can run an nping server with empty password by commanding:
nping --es ""
Nping ships with nmap. So you should have it, if you have installed a
relatively new nmap on your system.

On Sat, Mar 12, 2011 at 6:32 PM, Patrik Karlsson <patrik () cqure net> wrote:


Den 2011-03-12 16.56 skrev Toni Ruottu <toni.ruottu () iki fi>:

Here is a new version that uses the brute library. I did not notice
any speed ups, but using the library seems a good idea anyway, as it
makes this work similarly to other scripts.

Should the library replace an empty password with <empty> when it is
reporting results? I though I should not do that, as the library could
define a standard way for doing such things.

The library should replace an empty password with <empty>. In case it
doesn't this is a bug.
I don't have a nping server setup myself to test this though.
I've tested the script against the IP below and it works for me.
I get roughly one try per second.


On Fri, Mar 11, 2011 at 10:25 PM, David Fifield <david () bamsoftware com>
wrote:
On Fri, Mar 11, 2011 at 02:29:39AM +0200, Toni Ruottu wrote:
I got the script written using openssl. In the end the crypto was
surprisingly manageable, compared to dealing with IPv6 addresses. :-)

I have attached the script to this email. I am running an instance of
nping echo server with password 12345 at 174.129.239.201 Feel free to
test the script against it by commanding

nmap 174.129.239.201 -p 9929 --script=nping-brute

Trying out passwords is somewhat slow, so testing with really easy
ones may be a good idea. Add -d -d to the command line to see
progress.

I tried it. It found the correct password after three guesses in 6
seconds. It seems to do about 1 guess per second on another server.

I think the way to speed it up is to use the brute.lua library. See
Patrik Karlsson's brute scripts for examples of using it.

David Fifield

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/

//Patrik







_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault