Home page logo
/

nmap-dev logo Nmap Development mailing list archives

Re: ftp brute using brute lib
From: Patrik Karlsson <patrik () cqure net>
Date: Mon, 14 May 2012 21:07:41 +0200

On Sun, May 13, 2012 at 5:51 PM, Aleksandar Nikolic
<nikolic.alek () gmail com>wrote:

I've made those changes.
See the attached script.

On Sun, May 13, 2012 at 1:15 PM, Patrik Karlsson <patrik () cqure net> wrote:



On Sun, May 13, 2012 at 1:07 PM, Aleksandar Nikolic <
nikolic.alek () gmail com> wrote:

Hi all,


I needed to get to know the brute lib so I rewrote the ftp bruteforce
script
using brute lib. It reuses the same code from ftp-brute.nse modified
to use brute lib.

In my tests it has proven to be a lot faster than the previous version.
For example:
|   Statistics
|_    Performed 510 guesses in 610 seconds, average tps: 0

Check it out , and let me know what I need to improve.

,
Aleksandar

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/



Hi Aleksander,

I had a quick look at it and I would suggest the following:
- Remove the check function in the Driver, it's no longer being used
- Connect the socket in the connect method, otherwise you may end up
having trouble when the maximum open sockets is reached. What happens is
that the brute library has pulled a user + password combination from the
queue when calling login and if the socket blocks at this point (doesn't
move passed connect) these credentials (being early in the list) won't be
guessed until the end, when sockets are starting to close.
- Close the socket in the disconnect function, for the same reason as
already mentioned.

You can check out some of the recent brute scripts to see how to do this,
but essentially you create the socket as self.socket = nmap.new_socket()
and it will be accessible in the other methods as self.socket.

Cheers,
Patrik
--
Patrik Karlsson
http://www.cqure.net
http://twitter.com/nevdull77




_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/


Hi Aleksander,

I tested your script and noticed two things:
1. The throughput could be further improved by lowering the socket timeout
to a value below the timeout value for incorrect login attempts. In my
quick tests I noticed a 4x speed increase will still giving me stable
results.
2. When an unhandled response occurs the script would miss the username and
password that generated the bad response. I've changed the code so that
this combination is retried instead until the max count of retries at which
point the brute engine aborts.

I've attached a patch with the changes. If you feel comfortable with them,
feel free to commit the updated script.
Good work!
//Patrik
-- 
Patrik Karlsson
http://www.cqure.net
http://twitter.com/nevdull77

Attachment: ftp-brute.diff
Description:

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault