
Nmap Development mailing list archives
Re: [RFC] Username/Password NSE library
From: Brandon Enright <bmenrigh () ucsd edu>
Date: Tue, 17 Jun 2008 21:27:20 +0000
On Tue, 17 Jun 2008 15:46:09 -0500 Kris Katterjohn <katterjohn () gmail com> wrote:
> Hey everyone, I've started working on a username and password NSE library. This library will separately hand out usernames and/or passwords to scripts for use with brute forcing or whathaveyou. I'll probably have one set of functions return a closure to return the usernames or passwords one-at-a-time, and possibly another set of functions to return the whole username or password table.
Username-specific passwords would be _really_ nice. I'm thinking for root the password list would be a few hundred long. For other users the list would probably be something like:

  <username>
  <Username>
  <USERNAME>
  <blank>
  password
  pass
  changeme
  Changeme
  ChangeMe
  guest
  qwerty
  asdf
  abc123
> Unless some portability problem arises, the library will read usernames and passwords from lists/databases kept in the nselib directory (I was thinking maybe in a "data" subdirectory, and so other libraries' stuff can be stored out of the way). This library will also support script arguments to allow users to select their own username and/or password databases to read from. Now I need opinions on good username and password lists to ship and use by default. There is an ordered password list shipped with John the Ripper which has 3107 entries. The license[1] pretty much says we can distribute it if we give credit and also ship the license. Are there any ideas on a better list?
It has been my experience, both from UCSD being on the constant-password-guessing victim side, and from me being on the audit-our-passwords side, that more passwords is _not_ better. If you don't guess the password in the first hundred tries or so, it is very unlikely that continued guessing will help much. Guessing passwords over the network is expensive and there is a diminishing return. The value of trying an additional password is roughly inversely proportional to the number you have already tried. We've found that a list of the 1000 most commonly guessed passwords performs almost no better than 500 but takes twice as long.
> What about a good username list?
Besides the obvious root, webadmin, guest, admin, test, mysql, web, oracle, student, staff, etc. we should only use first names. Nearly 100% of the SSH brute force compromises we fall to are just first-name usernames like:

  joe
  bob
  john
  danielle
  matt
  david
  mark

you get the idea.
> Any other comments are appreciated.
I think the best way to gather the root list is to collect real-world honeypot data. I have data I can provide and I'm sure hundreds of others on this list also have data. We should probably cat * | sort | uniq -c | sort -nr | head -n 500 to make our list.
> Thanks, Kris Katterjohn
>
> [1] http://www.openwall.com/wordlists/LICENSE.shtml
Overall I think this is a very good idea, Kris. I look forward to the result.

Brandon
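The two ideas above, Kris's one-at-a-time closure and Brandon's per-user candidate list, together with the honeypot frequency pipeline, as an added Python sketch that is not part of the thread or of the NSE library. It assumes `<Username>` means first letter capitalised, and it also shows the same list used defensively to reject a weak password when one is set; the honeypot sample is constructed.

```python
from collections import Counter

# Brandon's fixed tail for non-root accounts, in the order he listed it.
FIXED_CANDIDATES = ["password", "pass", "changeme", "Changeme", "ChangeMe",
                    "guest", "qwerty", "asdf", "abc123"]


def user_candidates(username):
    """Per-user list: <username>, <Username>, <USERNAME>, <blank>, then the
    fixed tail. Duplicates are dropped so e.g. 'ADMIN' is not tried twice."""
    variants = [username, username.capitalize(), username.upper(), ""]
    seen, out = set(), []
    for cand in variants + FIXED_CANDIDATES:
        if cand not in seen:
            seen.add(cand)
            out.append(cand)
    return out


def make_password_iter(username):
    """Closure in the style Kris describes: hands out one candidate per call
    and returns None once the list is exhausted (stop, do not keep guessing)."""
    cands = user_candidates(username)
    pos = 0

    def next_password():
        nonlocal pos
        if pos >= len(cands):
            return None
        pos += 1
        return cands[pos - 1]
    return next_password


def is_weak_for_user(username, password):
    """Defensive use of the same data: a password-set hook can refuse any
    value that the per-user candidate list would guess in a few tries."""
    return password in user_candidates(username)


def top_guessed(observed, n):
    """Equivalent of 'sort | uniq -c | sort -nr | head -n N' over honeypot
    guesses: most frequent first, ties broken alphabetically for determinism."""
    ranked = sorted(Counter(observed).items(), key=lambda kv: (-kv[1], kv[0]))
    return [pw for pw, _ in ranked[:n]]


# Constructed sample of honeypot-observed root guesses, not real data.
SAMPLE_GUESSES = ["123456", "password", "123456", "root", "password", "123456", "qwerty"]
```

Because the closure returns None after the last entry, a caller naturally stops at the end of the short list instead of continuing into the diminishing-return region Brandon describes.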