Nmap Development mailing list archives
Re: brute.lua, unpwdb.lua, custom iterators and flexibility
From: Aleksandar Nikolic <nikolic.alek () gmail com>
Date: Tue, 10 Jul 2012 19:14:44 +0200
Hi all,
I've just merged my changes to brute and unpwdb libraries into trunk.
To present what these changes are, here are some common use cases:

1) Let's say you want to just add one username to be tested along with
default ones:

  local usersIterator = unpwdb.concat_iterators(brute.usernames_iterator(), unpwdb.table_iterator({"username1","aca"}))
  engine.setUsernameIterator(engine, usersIterator)

Here unpwdb.table_iterator({"username1","aca"}) first constructs a new
table iterator (previously known as closure).
brute.usernames_iterator() is the currently set usernames iterator
(since we haven't set any yet, it's the default one, the one from
unpwdb that is).
Those two are concatenated by unpwdb.concat_iterators which does what
you'd expect, returns a new iterator that iterates over each of its
constituent iterators.
Of course the order of concat_iterator arguments matters, so that way
you can control which one gets iterated first.
In this case, it would be first all the usernames from unpwdb and then
"username1" and "aca"...
If you do reverse the order of args, it does what you'd expect, first
"username1" and "aca" and then the default ones.
All that's left is to set the username iterator for the engine with
engine.setUsernameIterator(engine,usersIterator).
Now, if you don't change anything else in the script, it will use
the default password iterator (the one from unpwdb) with passwords
being the outer loop.
Which means it would test each username first against first password,
then second and so on...
Of course, you can construct an iterator with usernames being the
outer loop by using brute.Iterators.user_pw_iterator.

2) Let's say that the results returned by the iterator need to satisfy
some condition. For example, passwords less than 6 chars in length.
For that purpose, there is a filter_iterator function in unpwdb which
you'd use something like this:

  local passIterator = unpwdb.filter_iterator(brute.passwords_iterator(), function (x) return #x <= 6 end)
  engine.setPasswordIterator(engine, passIterator)

This would return a new iterator that gets the value from its
iterator and then checks it against a function passed as a second
argument, if the function returns true, the value is returned
which means that filter has passed.

Let's see something more complicated.
3) You want to use a credentials file to brute, instead of relying on
existing username/password databases.
What you'd need to do is get the credentials file and pass it to
brute.Iterators.credential_iterator as usual.
But instead of calling addIterator (which has been removed), you'd
just set it as an iterator by doing:

  engine.iterator = brute.Iterators.credential_iterator(f)

concat_iterators works even for iterators that return multiple results,
such as "combined" username-password iterators.
So, if you'd want to go over a credsfile iterator, and then proceed to
try default combinations from unpwdb, you'd do something like:

  local credsIterator = brute.Iterators.credential_iterator(f)
  engine.iterator = unpwdb.concat_iterators(credsIterator, brute.Iterators.pw_user_iterator(brute.usernames_iterator(), brute.passwords_iterator()))

Which effectively constructs two iterators (the creds file one and the
default one), concatenates them and then sets the new, concatenated,
iterator as the engine's iterator.

Hope this all makes sense, and that you like the changes.
As always, comments and ideas are welcomed.
Aleksandar
On Sat, Jul 7, 2012 at 10:29 PM, Patrik Karlsson <patrik () cqure net> wrote:
On Sat, Jul 7, 2012 at 9:57 PM, Aleksandar Nikolic <nikolic.alek () gmail com> wrote:
Yes, you are right, I've missed the part where it resets the counter. Some weird service behavior led me to wrong conclusion. I'll look into it some more. Sorry

No problem. The code could be a lot clearer, I had to spend some time to understand what I've actually written ;)
//Patrik
--
Patrik Karlsson
http://www.cqure.net
http://twitter.com/nevdull77
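
The iterator combinators described in the message above, as a stand-alone plain-Lua sketch added here; it is not part of the original post and not the code in nmap's unpwdb.lua or brute.lua. It assumes an iterator is a closure that returns nil once exhausted; pair_iterator and all sample values are constructed for illustration.

```lua
-- Stand-alone sketch in plain Lua; NOT the code shipped in nselib/unpwdb.lua.
-- Assumption: an iterator is a closure that returns nil once exhausted.
local unpack = table.unpack or unpack

local function table_iterator(t)           -- one value per call
  local i = 0
  return function() i = i + 1; return t[i] end
end

local function pair_iterator(t)            -- hypothetical helper: two values per call
  local i = 0
  return function()
    i = i + 1
    if t[i] then return t[i][1], t[i][2] end
  end
end

-- Drain the iterators in argument order, forwarding every return value.
local function concat_iterators(...)
  local iters, idx = {...}, 1
  return function()
    while iters[idx] do
      local r = {iters[idx]()}
      if r[1] ~= nil then return unpack(r) end
      idx = idx + 1                        -- exhausted, move on to the next one
    end
  end
end

-- Pass a result through only when pred returns true for it.
local function filter_iterator(iter, pred)
  return function()
    while true do
      local r = {iter()}
      if r[1] == nil then return nil end
      if pred(unpack(r)) then return unpack(r) end
    end
  end
end

-- Constructed sample data, for illustration only.
local users = concat_iterators(table_iterator({"user-a", "user-b"}),
                               table_iterator({"username1", "aca"}))
for u in users do print("user", u) end     -- argument order is iteration order
local short = filter_iterator(table_iterator({"abc", "sample-long-value", "sixsix"}),
                              function(x) return #x <= 6 end)
for p in short do print("kept", p) end
local creds = concat_iterators(pair_iterator({{"user-a", "value-1"}}),
                               pair_iterator({{"user-b", "value-2"}}))
for u, p in creds do print("pair", u, p) end -- both values survive concatenation
```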
