
Nmap Development mailing list archives
[RFC] Changes to HTTPAuth, addition of HTTPbrute
From: "Thomas Buchanan" <TBuchanan () thecompassgrp net>
Date: Tue, 24 Jun 2008 17:42:54 -0500
Hello,

I've been inspired by Kris's nifty username/password library to create an actual HTTP brute forcing script. In doing so, I decided to remove the password guessing from HTTPAuth.nse and create a new script for these capabilities. I think HTTPAuth is still useful, as the Authentication realm can often tell you something about a web server that you can't get otherwise. Also, by removing the password guessing, I think it can be moved into the "safe" category.

The HTTP brute force script implements Basic authentication username and password guessing (for more info, see RFC2617) against servers where the root URL requires authentication. It requires the latest version of Kris's unpwdb library [1], as well as the base64.lua library attached to this email, which implements a base64 encoding function. Philip Pickering mentioned [2] that he was working on some Base64 utilities. Hopefully I haven't duplicated too much of his effort. My library doesn't do any decoding at this point, so if somebody wants to add that, I'm sure it would be appreciated. Also, my encoding algorithm probably won't win any beauty contests, but as far as I can tell it works correctly.

Please review and test the changes to HTTPAuth, and play around with the new HTTPbrute.nse. If you have any issues, if it misses any logins, or especially if you get any false positives, please let me know. I'll leave it up to you to provide your own username / password lists.

I've attached the new and modified scripts here; if a patch to HTTPAuth.nse is preferred, let me know and I'll be happy to provide it. Also, I've omitted HTTPbrute from the default NSE category. If there's strong consensus to include it, feel free.

Lastly, here's some example output from HTTPbrute.nse:

Interesting ports on 192.168.1.100:
PORT     STATE SERVICE VERSION
8080/tcp open  http    Apache httpd 2.2.8 ((Win32) mod_ssl/2.2.8 OpenSSL/0.9.8g PHP/5.2.5)
|  HTTP Brute: HTTP server may accept user="root" and password="password" for Basic authentication
|  HTTP server may accept user and password = "admin" for Basic authentication
|_ HTTP server may accept user="test" with blank password for Basic authentication

Thanks,
Thomas

[1] http://seclists.org/nmap-dev/2008/q2/0847.html
[2] http://seclists.org/nmap-dev/2008/q2/0777.html

P.S. Adding Digest authentication brute forcing is on my to-do list, but that will require some support for crypto digests. I've started down that path, but it will require a little more effort to get finished.
Attachment:
HTTPAuth.nse
Description: HTTPAuth.nse
Attachment:
HTTPbrute.nse
Description: HTTPbrute.nse
Attachment:
base64.lua
Description: base64.lua
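As an added example (not the base64.lua or HTTPbrute.nse attached to this message), here is the credential encoding that RFC 2617 Basic authentication relies on, in Lua 5.1 as NSE scripts of that era were written: base64 encode and decode, a builder for a Basic credential, and a parser that recovers the user-id and password from a captured Authorization header value. The function names and the sample values are my own; decoding is the part the mail says the attached library lacks.

```lua
-- Added example, not the library from the thread: base64 codec in plain Lua 5.1
-- arithmetic (no bit library), plus RFC 2617 Basic credential helpers.
local alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"

local function base64_encode(data)
  local out = {}
  for i = 1, #data, 3 do
    local a, b, c = data:byte(i, i + 2)          -- b and/or c are nil at the tail
    local n = a * 65536 + (b or 0) * 256 + (c or 0)   -- pack 3 bytes into 24 bits
    local i1, i2 = math.floor(n / 262144) % 64, math.floor(n / 4096) % 64
    local i3, i4 = math.floor(n / 64) % 64, n % 64
    out[#out + 1] = alphabet:sub(i1 + 1, i1 + 1) .. alphabet:sub(i2 + 1, i2 + 1)
      .. (b and alphabet:sub(i3 + 1, i3 + 1) or "=")   -- '=' pads missing input bytes
      .. (c and alphabet:sub(i4 + 1, i4 + 1) or "=")
  end
  return table.concat(out)
end

local function base64_decode(text)
  local out = {}
  for i = 1, #text, 4 do
    local n, pad = 0, 0
    for j = i, i + 3 do
      local ch = text:sub(j, j)                  -- "" past the end: treat like '='
      if ch == "=" or ch == "" then
        n, pad = n * 64, pad + 1
      else
        local v = alphabet:find(ch, 1, true)     -- plain find, no pattern magic
        if not v then return nil, "invalid base64 character: " .. ch end
        n = n * 64 + (v - 1)
      end
    end
    local bytes = string.char(math.floor(n / 65536) % 256, math.floor(n / 256) % 256, n % 256)
    out[#out + 1] = bytes:sub(1, 3 - pad)        -- drop bytes that were only padding
  end
  return table.concat(out)
end

-- Credential the client sends as "Authorization: Basic <base64(user:password)>".
local function basic_credential(user, password)
  return "Basic " .. base64_encode(user .. ":" .. password)
end

-- Inverse, for a captured header value: the scheme name is case-insensitive and
-- only the first ':' separates the user-id, since passwords may themselves contain ':'.
local function parse_basic_credential(value)
  local b64 = value:match("^%s*[Bb][Aa][Ss][Ii][Cc]%s+(%S+)")
  if not b64 then return nil, "not a Basic credential" end
  local decoded, err = base64_decode(b64)
  if not decoded then return nil, err end
  local user, password = decoded:match("^([^:]*):(.*)$")
  if not user then return nil, "no ':' in decoded credential" end
  return user, password
end

print(basic_credential("admin", "admin"))                 -- constructed sample pair
print(parse_basic_credential("Basic cm9vdDpwYXNzd29yZA=="))  -- constructed sample header value
```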
_______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://SecLists.Org
Current thread:
- [RFC] Changes to HTTPAuth, addition of HTTPbrute Thomas Buchanan (Jun 24)
- Re: [RFC] Changes to HTTPAuth, addition of HTTPbrute Kris Katterjohn (Jun 24)
- RE: [RFC] Changes to HTTPAuth, addition of HTTPbrute Thomas Buchanan (Jun 25)
- Re: [RFC] Changes to HTTPAuth, addition of HTTPbrute Kris Katterjohn (Jun 25)
- RE: [RFC] Changes to HTTPAuth, addition of HTTPbrute Thomas Buchanan (Jun 25)
- Re: [RFC] Changes to HTTPAuth, addition of HTTPbrute Kris Katterjohn (Jun 24)