Nmap Development mailing list archives
Re: Ncrack: request for username/password lists
From: Ron <ron () skullsecurity net>
Date: Fri, 24 Jul 2009 08:33:42 -0500
Hey Ithilgore,

I've been collecting password lists for the last little while. I don't have many, but you can probably find what you're looking for here:
http://www.skullsecurity.org/wiki/index.php/Passwords

I indicate where the lists come from, so if you're worried about licensing issues you can follow up there. I'm not really sure how licensing works on a datafile like that, though.
On a sidenote: it'd be useful if NSE scripts can access this password file -- right now, my smb-brute script uses the built-in file, but that file is pretty small.
On 07/24/2009 08:28 AM, ithilgore wrote:
Hello nmap-dev.

As Ncrack is progressing, we have come to the point that a collection of username and password lists is due to take place. Obviously we want to include the best lists we can find out there and ideally with a password-frequency sorting, meaning that the most frequent passwords are coming first in the list.

Ncrack is going to be shipped with the following:

* 1 username and 1 password list which will be as generic as possible, covering the most frequently used usernames and passwords in as many services as possible. These 2 lists will be the default ones used by Ncrack when no explicit list is specified by the user. This means that it is of utmost importance that these lists have a golden ratio between length (not too many usernames and passwords) and effectiveness (as many frequently-used usernames and passwords to be included).

* service-specific lists. These lists will hold username and passwords that are mostly seen in the particular service they are referring to. For example, there will be a separate pair of lists for mail-related services (pop3, smtp, imap) which will include credentials mostly seen in these situations. The number of service-specific lists will vary according to how different the credentials for each service are from other services. For example, is there really a need to assemble a separate list for ftp and ssh services or are the kind of credentials most frequently seen for each of these 2 services almost the same?

There are already lists out there that are used by cracking tools, but which are usually licensed, so we will need to ask for permission to use one of them or to include some of the pairs of these lists into our own.

So, really appreciable will be:

* any directions to good lists (that we can use) out there
* any actual lists that you know are effective (but may have a license so we will first have to ask to use them)
* any information on patterns seen in either service-specific or generic username/password selection

Thanks,
ithilgore

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
