Nmap Development mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Replacing usernames.lst?

From: Ron <ron () skullsecurity net>
Date: Mon, 22 Mar 2010 15:35:34 -0500
On Mon, 22 Mar 2010 13:19:09 -0600 David Fifield

We've been talking about having (at least) two lists. One would
contain only likely default names like "admin", "root", "guest",
"web". The other would have names people are likely to choose for
themselves, like email addresses or user IDs. Some scripts that runs
against systems like databases and routers expect them to have only a
few, root-like users, and would use the first list. A script like
http-userdir-enum that's looking for user home directories would use
the second list.

David Fifield


That sounds reasonable. I expect that the second list would be significantly longer and used for enumeration rather 
than bruteforcing. Of course, any accounts that are validated by enumeration would be included in the bruteforce 
scripts. For example, if http-userdir-enum was successful for any given account, that account should be added to the 
list for all *brute* scripts for the rest of the scan. 

-- 
Ron Bowes
http://www.skullsecurity.org
http://www.twitter.com/iagox86
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
Previous By Date Next
Previous By Thread Next

Current thread: