Home page logo
/

nmap-dev logo Nmap Development mailing list archives

Re: [NSE] New script krb5-enum-users
From: Duarte Silva <duarte.silva () serializing me>
Date: Sat, 22 Oct 2011 11:54:14 +0100

Hi,

after looking at Patrik new kerberos user enumeration script, it got me 
tinkering about the categories of user enumeration scripts. After some 
grep'ing I got the following categories (I may have missed some?).

domino-enum-users.nse:categories = {"intrusive", "auth"}
http-userdir-enum.nse:categories = {"discovery", "intrusive"}
krb5-enum-users.nse:categories = {"auth", "discovery", "safe"}
mysql-users.nse:categories = {"discovery", "intrusive"}
ncp-enum-users.nse:categories = {"discovery", "safe"}
oracle-enum-users.nse:categories = {"intrusive", "auth"}
sip-enum-users.nse:categories = {"intrusive", "auth"}
smb-enum-users.nse:categories = {"discovery","intrusive"}
smtp-enum-users.nse:categories = {"discovery","external","intrusive"}
snmp-win32-users.nse:categories = {"default", "discovery", "safe"}
http-wordpress-enum.nse:categories = {"discovery", "auth", "intrusive", 
"vuln"}

Taking into account the NSE categories descriptions [1], with the exception of 
snmp-win32-users.nse and ncp-enum-users.nse, all the scripts should, in my 
opinion, be considered intrusive since they will brute force the user names.

The discovery category would be removed from all of them since we aren't 
"discover(ing) more about the network by querying public registries".

All of them would be in the auth category. Any thoughts? Ideas?

Regards,
Duarte Silva

[1] http://nmap.org/book/nse-usage.html#nse-categories

On Thursday 20 October 2011 03:56:48 you wrote:
Hi all,

I've added a new script called krb5-enum-users that does user enumeration
over Kerberos:

The script discovers valid usernames by querying the Kerberos service for a
TGT.
When an invalid username is requested the server will responde using the
Kerberos error code KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN, allowing us to
determine
that the user name was invalid. Valid user names will illicit either the
TGT in a AS-REP response or the error KRB5KDC_ERR_PREAUTH_REQUIRED,
signaling
that the user is required to perform pre authentication.

Cheers,
Patrik
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/

Attachment: smime.p7s
Description:

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]