Home page logo

nmap-dev logo Nmap Development mailing list archives

Re: http-brute fails on json-rpc
From: David Fifield <david () bamsoftware com>
Date: Wed, 27 Apr 2011 21:15:48 -0700

On Mon, Mar 21, 2011 at 09:57:20PM +0200, Toni Ruottu wrote:
I tested http-brute script against a json-rpc service. The script
failed to detect the valid credentials. It tried the correct
credentials against the daemon, but the payload was an invalid
json-rpc message so the daemon returned code 500 (~parse error). I
have attached a patch that fixes the problem by adding code 500 to
indicate success. The original code has a comment that discusses the
problem. The comment mentions that code 500 is a likely candidate for
being added in the future. If the patch is applied the comment should
probably be updated as well, but I left it as it is for now.

There may still be some other codes that deserve to be among the ones
that indicate success. We could create a heuristic that tests a few
long random strings against a service to see which codes are returned
on failure. We could then interpret any other codes as success. At
least we could print such candidates to debugging output.

Thanks, this is a good suggestion. I didn't see a reason to allow 500
but prohibit other 5xx codes, so I changed it to allow all of them (I
expect that 500 is the most common).

David Fifield
Sent through the nmap-dev mailing list
Archived at http://seclists.org/nmap-dev/

  By Date           By Thread  

Current thread:
  • Re: http-brute fails on json-rpc David Fifield (Apr 28)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]