Home page logo
/

nmap-dev logo Nmap Development mailing list archives

Re: backorifice-brute NSE script
From: Toni Ruottu <toni.ruottu () iki fi>
Date: Wed, 4 May 2011 16:52:34 +0300

Cracking BO password should be actually doable by really brute forcing
it. I remember I was doing it for fakebo long time ago. Take a look for
ideas at:
http://fakebo.cvs.sourceforge.net/viewvc/fakebo/fakebo-cvs/fakebo.c?revision=1.1.1.1&view=markup
from line 1022 (it's time when GCC did not have proper optimization so
you had to use lot of if()s)

Without looking at this, there is some cheap computational cracking
you could do, IF you had an encrypted packet. Snort does this for
bypassing BO traffic. However you can not get an encrypted packet
without knowing the password/seed, or wiretapping. I assume nmap is
not the best tool for a wire tapping password detector, but I could be
wrong.

Regarding what info script should display, IMHO it should display only
basics: version info and eventual password as anyway I would take real
client and connect for any further work. I only see usefulness of
extracting bunch of data if that data would be stored in Nmap registry
and reused by some other scripts. Again, it's my personal opinion and
doesn't mean that it is correct...

I think this is not the question Gorjan is asking. As the script uses
the brute library, it will probably use the standard brute library
output style. However, I do think that recording version information
makes sense. The only reason why you would want to avoid this, if you
somehow happened to have better version information from somewhere
else. I think this would never be the case with backorifice-brute.
Also additional info will be displayed by backorifice-info, that
already exists. You can choose to run the brute script alone, if you
want to avoid additional information.

Another questions is, whether or not this should go into the version
category, if it records version information. I think the answer is
not, because brute forcing the seed is a heavy duty operation, and not
something you would want to happen during a regular service scan.
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault