Home page logo

nmap-dev logo Nmap Development mailing list archives

brute.lua, unpwdb.lua, custom iterators and flexibility
From: Aleksandar Nikolic <nikolic.alek () gmail com>
Date: Wed, 27 Jun 2012 17:11:16 +0200

Hi all,

I have a small report here about some ideas regarding brute scripts.

After some discussion, we came to the conclusion that it would
be nice to be able to add a specific username to try when bruteforcing.
For example, I want to add a username "ftp" to ftp-brute along with the rest
of the usernames and passwords form unpwdb.

Now, there are three logical options:
1) Add custom usernames and password pairs
  - this can be accomplished with specifying a custom iterator and
then using the unpwdb.usernames()
and passwords() to add another iterator that would test default set
(this would be a default iterator)
2) Adding just username to test against all passwords form unpwdb
  - this _could_ be accomplished by adding a custom iterator with
table for usernames and unpwdb.passwords() iterator
for passwords and then adding a "default" iterator. This would test
all the passwords against our specified username
and then proceed to test the default set. I say "could be" because the
current code for account_iterator has this:
if ( 'table' == type(users) and 'table' == type(pass) ) then
elseif ( 'function' == type(users) and 'function' == type(pass) ) then

This means that we can only specify an iterator with either both
usernames and passwords as tables or functions
and not , for example, table of usernames and iterator for passwords.
This could easily be expanded for more flexibility by adding two more
elseif blocks for remaining combinations.
What do you think about this ? I could add the code if you agree this
would be an improvement.
It wouldn't break any existing scripts (as far as i can see) and the
future (or even revision of existing) scripts could
benefit from this flexibility. I think it's only natural to be able to
"mix tables and functions" here since username iterators
are already abstracted in unpwdb.Actually, I wrote the script assuming
it already works like that, but then checked the code.
Please comment about this, and I'll get it done.

3)  Prepend or append username(s) to the list of usernames from unpwdb
  - say we just wanted to add a few usernames to be tested first with
the default iterator. This could be accomplished
by some small modifications of unpwdb library. For example, to specify
few additional tables, for usernames and passwords,
empty by default, to which a script could append and then in the
usernames_raw and passwords_raw functions check if those are
not empty and add them to the appropriate tables. Of course, there
could be other ways to accomplish this.

Both propositions in options 2) and 3) would (as far as i can see)
pose no performance penalty as those things would be only
done once, before the actual bruteforcing starts.

All this would add additional flexibility for brute scripts. For
example, oracle-brute script could be extended
to test default accounts against unpwdb's list of passwords, tho I'm
not sure this is the great example :).
Many services, such as ftp, usually have default usernames (ftp here)
that could easily be added.

As always, please comment, and if we agree on any of this , I'd be
more than happy to implement it.

Sent through the nmap-dev mailing list
Archived at http://seclists.org/nmap-dev/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]