Nmap Development mailing list archives

smb-brute: Case sensitive passwords


From: Ron <ron () skullsecurity net>
Date: Sat, 07 Feb 2009 12:50:34 -0600

Hey,

I just committed a change to how passwords are checked in the
smb-brute.nse script (in my experimental branch). I now start with using
Lanman, which is case insensitive. Then I bruteforce the case, starting
with one uppercase character, then two, etc. I also put the
all-uppercase version second, since I'm going to guess it's more common.
So for "test", it'd do this:

test
TEST
Test
tEst
teSt
tesT
TEst
TeSt
TesT
tESt
tEsT
teST
TESt
TEsT
TeST
tEST

My thought is that most people will probably use lowercase, uppercase,
or camelcase for their passwords. So, the password "mypassword" will
likely be "mypassword", "MYPASSWORD", "Mypassword", "myPassword" or
"MyPassword". By checking lowercase, uppercase, all combinations of 1,
2, and 3 uppercase first, it'll find most occurrences of that.

The delay for bruteforcing the case on 8-character passwords is hardly
noticeable. The delay for the longest password on Nmap's list
("butterfly1") in the worst case takes under a second but is somewhat
noticeable. The absolute worst case ("aAAAAAAAAAAAAA") takes about 12
seconds (passwords >14 characters can't be checked with Lanman -- more
on that below).

Keep in mind that these counts are on my LAN, so over the Internet it's
going to be significantly slower. But, since 8-character passwords are a
pretty common boundary, I don't think it's going to matter much.
Passwords >8 chars probably won't be cracked with a bruteforce anyways.

One option, if this becomes an issue, is to timebox it, make sure that
no crack takes longer than, say, 10 seconds. At 10 seconds (or
whatever), give up and move onto the next account. I dislike that idea,
though.

The only real issue is that this script won't find passwords if a server
is set to NTLM-only, or if somebody uses a password greater than 14
characters. But I don't think either of those is common enough to
matter. This also means this script doesn't honour the smbtype
parameter, because it forces itself to use Lanman for the case
insensitivity. Again, though, I'm not sure how much that matters, if at
all.

Ron

-- 
Ron Bowes
http://www.skullsecurity.org/

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
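The case-enumeration order described in the post (lowercase, then all-uppercase, then every variant with exactly one uppercase letter, then two, and so on), as an added illustration in Python rather than the script's own Lua; `case_variants`, `variant_count` and `lm_checkable` are names chosen for this example and are not functions of smb-brute.nse. It also counts how many candidates a case-insensitive LM match leaves to try, which is why the worst case grows to 2^14 for a 14-character alphabetic password and why the script gives up above LM's 14-character limit.

```python
from itertools import combinations

# LM hashes are computed over the uppercased password and only cover
# passwords of up to 14 characters; anything longer cannot be matched.
LM_MAX_LEN = 14


def lm_checkable(password):
    """True if the password is short enough to be verified via LM."""
    return len(password) <= LM_MAX_LEN


def variant_count(password):
    """Number of distinct case variants: one per subset of the alphabetic
    positions (non-letters such as digits have no case to toggle)."""
    letters = sum(1 for ch in password if ch.isalpha())
    return 2 ** letters


def case_variants(password):
    """Yield case variants of a password matched case-insensitively via LM,
    in the order the post describes: all-lowercase, then all-uppercase
    (moved to second place as the likelier form), then every variant with
    exactly one uppercase letter, then two, three, and so on."""
    base = password.lower()
    positions = [i for i, ch in enumerate(base) if ch.isalpha()]
    n = len(positions)
    yield base
    if n == 0:
        return
    yield base.upper()
    # k == n is the all-uppercase variant already yielded above
    for k in range(1, n):
        for combo in combinations(positions, k):
            chars = list(base)
            for i in combo:
                chars[i] = chars[i].upper()
            yield "".join(chars)


if __name__ == "__main__":
    # Reproduces the 16-line listing for "test" from the post.
    for candidate in case_variants("test"):
        print(candidate)
    for pw in ("butterfly1", "aaaaaaaaaaaaaa", "aaaaaaaaaaaaaaa"):
        print(pw, variant_count(pw), "variants, LM-checkable:", lm_checkable(pw))
```

Running the block prints the same sixteen candidates for "test" that appear in the post; the counts show 512 variants for "butterfly1" (nine letters, one digit) and 16384 for a 14-letter password, matching the post's observation that the all-alphabetic 14-character case is the slow one.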


Current thread: