Nmap Development mailing list archives

Re: What would we want in a new Netcat/Hping?


From: Chuck <chuck.lists () gmail com>
Date: Wed, 15 Jun 2005 17:36:32 -0400

- Support for requiring a password to connect to the NetCat2
  listener.

I don't think a clear text password is acceptable, even for this sort
of application.  I added a requirement that authentication and
encryption of the channel be supported as an option.  Maybe this can
be done securely and easily with OpenSSL.

I agree.  Cleartext passwords are unacceptable, but there are other
ways to implement passwords and there are times when you want to
secure your netcat listener, but don't want to deal with SSL
certificates.  You could implement it as simply as:

- server sends random value to client
- client sends hash of random value + password
- server compares hashes

I just made that up, so there may be flaws in it (it is definitely
vulnerable to a MITM attack, but should be safe from sniffing).  There
are probably a bunch of established algorithms that we could choose
from, but something like this may be good enough because if you want
real security (from things like MITM) you will probably need to use
SSL mutual authentication (or something equally as complicated)
anyway.  You would also want to be able to use a password along with
one of the SSL dh_anon modes to protect the whole session from
sniffing.

Have a good one.

Chuck


_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
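
The three-step exchange proposed in the message above, as an added example that is not part of the original post or of any Nmap/Netcat code. It assumes HMAC-SHA256 in place of a bare hash of "random value + password", a 32-byte challenge, and a hypothetical Listener class; the password and connection ids are constructed sample values.

```python
import hashlib
import hmac
import secrets

NONCE_BYTES = 32  # assumed challenge size


def new_challenge() -> bytes:
    """Server side: a fresh random value for every connection attempt."""
    return secrets.token_bytes(NONCE_BYTES)


def client_response(challenge: bytes, password: str) -> bytes:
    """Client side: keyed hash of the challenge; the password is never sent."""
    return hmac.new(password.encode("utf-8"), challenge, hashlib.sha256).digest()


class Listener:
    """Hypothetical listener state: one outstanding challenge per connection."""

    def __init__(self, password: str):
        self._password = password
        self._pending = {}  # conn_id -> challenge bytes

    def start(self, conn_id: str) -> bytes:
        challenge = new_challenge()
        self._pending[conn_id] = challenge
        return challenge

    def verify(self, conn_id: str, response: bytes) -> bool:
        # pop() makes each challenge single-use, so a response cannot be reused.
        challenge = self._pending.pop(conn_id, None)
        if challenge is None:
            return False
        expected = client_response(challenge, self._password)
        # Constant-time comparison avoids leaking how many bytes matched.
        return hmac.compare_digest(expected, response)


def demo() -> dict:
    server = Listener("correct horse")  # constructed sample password
    c1 = server.start("conn-1")
    good = client_response(c1, "correct horse")
    results = {"valid": server.verify("conn-1", good)}
    results["reused_challenge"] = server.verify("conn-1", good)
    server.start("conn-2")  # new connection gets a new challenge
    results["replayed_response"] = server.verify("conn-2", good)
    c3 = server.start("conn-3")
    results["wrong_password"] = server.verify("conn-3", client_response(c3, "guess"))
    return results


if __name__ == "__main__":
    print(demo())
```

A recorded challenge/response pair still lets an observer test password guesses offline, so the shared secret should be long and random. The exchange authenticates only the connection attempt; the data that follows is unprotected unless the channel itself is encrypted.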

