Nmap Development mailing list archives

Re: Replacing usernames.lst?


From: Patrik Karlsson <patrik () cqure net>
Date: Sat, 6 Mar 2010 20:44:21 +0100


On 6 mar 2010, at 16.36, Ron wrote:

> Since we're discussing passwords.lst, I thought I'd bring up usernames.lst. In my opinion, its current version isn't
> especially useful -- unfortunately, though, it's really hard to generate a proper username list in advance.
>
> The best way to get a list is to think of protocols that could generate a list for us and make them dependencies. For
> example, smb-enum-users asks the server for a list of usernames, and receives it. When we have a http-spider.nse
> someday, we can parse potential usernames out of its results (I've had great luck with scraping sites for email
> addresses and generating user lists from them).
>
> Off the top of my head I can't think of any other protocols that will give up a list of users as easily as SMB.
> Perhaps SNMP has something? Can anybody think of others?
In SNMP you have snmp-win32-users.nse. 

There are also protocols and implementations that won't allow you to list all accounts at once but do allow you to 
determine if an account is valid or not.
Some cases even allow you to do this without the "cost" of an invalid login attempt, e.g. Kerberos [1].
Maybe some sort of collector script with a larger usernames.lst could be run against such services?


> Once we do, we should look at standardizing where in the registry we store usernames, and ensure that unpwdb uses
> that location, if it's populated, instead of (or in addition to) the real list.
>
> This is one place where Nmap can seriously excel compared to other brute-forcing tools -- not many tools understand
> protocols enough to go through the whole sequence:
> 1. Discover open ports
> 2. Probe open ports to get potential usernames
> 3. Bruteforce to get passwords
> 4. Use those passwords to get deeper information about the system
>
> But NSE can!
>
> --
> Ron Bowes
> http://www.skullsecurity.org
> http://www.twitter.com/iagox86


[1] http://www.cqure.net/wp/krbguess/

//Patrik
--
Patrik Karlsson
http://www.cqure.net
http://www.twitter.com/nevdull77
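The two ideas in the quoted message, deriving candidate usernames from harvested e-mail addresses and having every collector write into one agreed registry location that the password library then prefers over the static usernames.lst, can be sketched as a small collector/consumer pair. The code below is an added illustration written for this archive page; it is not Nmap or NSE code and does not come from either poster. It is in Python rather than Lua so it runs without Nmap, so a plain dict stands in for nmap.registry, the key name `usernames` and the helper names are hypothetical, and the page text and SMB user list are constructed samples.

```python
import re

# Simplified e-mail matcher for scraped page text (not a full RFC 5322 grammar).
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Constructed sample: text as an http-spider style crawler might hand back.
SAMPLE_PAGE_TEXT = """
Contact John.Doe@example.com or jdoe@example.com for support.
Sales: mailto:sales@example.com   Legal mirror: J.Doe@Example.com
"""

# Constructed sample: names as an smb-enum-users style script might report them.
SAMPLE_SMB_USERS = ["Administrator", "Guest", "jdoe"]

# Hypothetical shared registry key that all collectors agree on.
REGISTRY_KEY = "usernames"


def usernames_from_text(text):
    """Return the local parts of e-mail addresses found in text, lowercased,
    deduplicated, in order of first appearance."""
    seen = set()
    out = []
    for addr in EMAIL_RE.findall(text):
        local = addr.split("@", 1)[0].lower()
        if local not in seen:
            seen.add(local)
            out.append(local)
    return out


def add_usernames(registry, names, source):
    """Merge names into registry[REGISTRY_KEY] (case-insensitive), remembering
    which collector script supplied each one. Returns how many were new."""
    store = registry.setdefault(REGISTRY_KEY, {})
    added = 0
    for name in names:
        key = name.lower()
        if key not in store:
            store[key] = {"name": name, "sources": []}
            added += 1
        if source not in store[key]["sources"]:
            store[key]["sources"].append(source)
    return added


def username_list(registry, static_list, include_static=False):
    """unpwdb-style selection: use the collected names when the registry is
    populated, falling back to the static list; with include_static=True the
    static names are appended after the collected ones (minus duplicates)."""
    collected = [e["name"] for e in registry.get(REGISTRY_KEY, {}).values()]
    if not collected:
        return list(static_list)
    if not include_static:
        return collected
    out = list(collected)
    seen = {n.lower() for n in collected}
    for name in static_list:
        if name.lower() not in seen:
            seen.add(name.lower())
            out.append(name)
    return out


if __name__ == "__main__":
    registry = {}
    add_usernames(registry, SAMPLE_SMB_USERS, "smb-enum-users")
    add_usernames(registry, usernames_from_text(SAMPLE_PAGE_TEXT), "http-spider")
    for key, entry in registry[REGISTRY_KEY].items():
        print(f"{entry['name']:<16} from {', '.join(entry['sources'])}")
    print(username_list(registry, ["root", "Guest"], include_static=True))
```

Keeping the originating collector next to each name is what makes the shared location worth standardizing: a later script can tell a server-confirmed account from a guess scraped off a web page and order its attempts accordingly.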

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/