Home page logo
/

nmap-dev logo Nmap Development mailing list archives

[NSE] http gitweb projects enum
From: riemann <riemann () opendz org>
Date: Fri, 20 Apr 2012 04:39:27 +0100

Hi list,
This a script to enumerate public projects diplayed with gitweb.
Also in most case the author column in project list can be used
in bruteforce operation as a username, are there any solution
to add a list of user collected by this script to unpawdb and use
it in an other script?

This is what proposed from djalal harouni after some private talk about
the probleme

What do you think of this proposition:
Can we add support for in memory usernames/passwords addition ?
add them to the 'usertable' or 'passtable' tables of unpwdb.lua library
and give them precedence over the usernames/passwords that are
retrieved from a file ? should we link them to their host ? or just use 'nmap.registry[self.host.ip].unpawdb_entries' ? We can consider the
creds.lua library but that one seems more for reporting only (output),
but I'm not sure, perhaps we should just add the state LIKELY_VALID
and push them there for output and avoid updating unpwdb.lua entries
for input ? Well public cvs,svn,git logs are for diffs not for crack-me...
Note: the creds.lua library has the logic to attach entries to their host.
If we push them into unpwdb.lua tables then all the brute scripts
will use them automatically... a positive point, but abuses will eat memory...
Thoughts ?

Thx.

Attachment: http-gitweb-projects-enum.nse
Description:

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]