Re: [NSE] Revision of telnet-brute

[Aleksandar Nikolic <nikolic.alek () gmail com>]

I'd say these are good improvements!

Just one question, any reason why you didn't use the brute library?
Can't remember if there was any discussion about this before (and
searching archives fails me)
and if there was a concrete reason it wasn't implemented using brute lib.
I know that the script is older than brute library but as I was tasked
with converting bruteforce
scripts to use brute library last summer I wonder how/why I missed this
one...

,
Aleksandar

On 4/18/2013 8:40 PM, nnposter () users sourceforge net wrote:
> In the past I did not have a lot of success with telnet-brute.nse so
> I have tried to rewrite it while preserving the outer appearance.
>
>
> Changes:
>
> - Replaced hard-coded line termination \r\0 with a configurable
>   parameter (telnet-brute.eol) and set the default value to \r to avoid
>   falsely failed logins on some daemons. The parameter supports use of
>   C-like escape sequences, such as \r, \x0d, and \0015.
>
> - Changed response to the telnet server ECHO "will" / "will not" from
>   outright "do not" to an agreement with whatever the server proposes
>   to make the script work with some daemons.
>
> - Removed use of receive_lines(), which was causing either time-outs or
>   unnecessary connection tear-downs due to waiting on a line
>   termination. This change improved the script success rate and/or
>   performance (5x in some cases).
>
> - Exposed the connection time-out value as a configurable parameter
>   (telnet-brute.timeout). It defaults to 5000ms.
>
> - Improved handling of connection errors, which were occassionally
>   causing credential combinations to be skipped.
>
> - Updated the logged-in status detection logic to make the script work
>   with some daemons.
>
> - Avoided overlapping connections to make the script work with daemons
>   that allow only one connection at a time.
>
> - Replaced a locally defined routine with stdnse.string_or_blank() for
>   printing out credentials. Changed printing of tested credentials in
>   the debug output to be consistent with script results.
>
> - Script will now report if it senses password-only authentication.
>
> - Implemented detailed debug messages (e.g. "Sending password") at
>   debug level 3 (configurable).
>
> - Expanded the script documentation.
>
>
> Tested on:
>
> - Cisco IOS
> - Linux telnetd
> - Digital Sprite 2
> - Nortel Contivity
> - Hummingbird telnetd
>
>
> Questions:
>
> - Does anybody see a value in moving the string unescaping function to
>   nselib? Or is a similar function already available and I just did not
>   notice? (I do not count URL encoding.)
>
> - Is there an understanding how expensive PCRE is over Lua? The reason
>   I am asking is that the session analysis could be slightly more
>   accurate if it switched to PCRE.
>
> - Is there an established pattern for scripts to take into account -T
>   values?
>
>
> I would very much appreciate if the community tested the script against
> additional target types. If you find the script does not work in your
> particular environment then please send me the full nmap output with
> debug level 3 (-ddd). Feel free to edit the output to replace the
> individual password characters but please do not alter the output
> otherwise.
>
> Any constructive feedback is very welcome.
>
>
> Cheers,
> nnposter
>
>
> _______________________________________________
> Sent through the dev mailing list
> http://nmap.org/mailman/listinfo/dev
> Archived at http://seclists.org/nmap-dev/

_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/