Home page logo

nmap-dev logo Nmap Development mailing list archives

Re: [NSE] password guessers for vulnerability scanners and exploitation frameworks
From: Patrik Karlsson <patrik () cqure net>
Date: Sun, 13 Nov 2011 11:00:29 +0100

On Fri, Nov 11, 2011 at 11:13 PM, Vlatko Kosturjak <kost () linux hr> wrote:

On 11/11/2011 07:27 PM, Patrik Karlsson wrote:

Hi Kost,

The attached patch contains some cleanup of the nexpose-brute script.
Before I commit it though I wanted to get some opinions from the list in
regards to account lockout.

In general I haven't bothered too much with account lockout before, but
Nexpose locks accounts after 4 incorrect attempts per default. In the
community edition I have been testing it against, I can't get back in
without restarting the as the only account I have gets locked. So, my
question is, do we need to address this in some way, limiting the amount
tries to 3 per account and allowing the user to force more attempts
a script argument?

Yes, NeXpose is the only one which have account lockout in place. How it
is done for other protocols now?


Hi Kost,

It's not handled for any other protocols making use of the brute library as
far as I know as the library did not support it until now (r27081).
They way you could handle it in the past was by just supplying less
passwords than the lockout limit in the dictionary.
However, I've added a brute option called max_guesses that can be set
either by the script or through the brute.guesses argument.
When this option is set it will keep track of the amount of guesses
performed against an account and stop when it reaches the limit.
In the nexpose-brute script I'm setting it to 3 attempts and suggest we
commit it that way?
The brute library will return an additional line with information in the
result to indicate that the guesses were "capped" like this:

3780/tcp open  unknown syn-ack
| nexpose-brute:
|   Accounts
|     No valid accounts found
|   Statistics
|     Performed 12 guesses in 1 seconds, average tps: 12
|   Information
|_    Guesses restricted to 3 tries per account to avoid lockout
Final times for host: srtt: 1151 rttvar: 3273  to: 100000

I'm attaching the latest version of the script, let me know what you think.

Patrik Karlsson

Attachment: nexpose-brute.nse

Sent through the nmap-dev mailing list
Archived at http://seclists.org/nmap-dev/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]