Re: [RFC] NSE script - HTTP authentication

["Eddie Bell" <ejlbell () gmail com>]

Hi thomas

On 25/05/07, Thomas Buchanan <tbuchanan () thecompassgrp net> wrote:
> 3.  What is the general opinion of writing scripts that attempt to log
> in with known username/password combinations?  I suspect that in certain
> cases, this type of activity could be construed as illegal if permission
> has not been obtained from the owner / operator of the targeted systems.

I think this will be ok as intrusive scripts by their very definition
are intrusive :)

I tested the script and it seems to work well. The only thing I
noticed was in the xml output only the first line is logged. I do not
think this has anything to do with your script. I think it may be a
problem with the nse logging code.

In plain text I get this:

HTTP Auth: HTTP Service requires authentication
Auth type: Basic, realm = DSL-524T
HTTP server may accept user="admin" with password="admin" for Basic
authentication

but the xml gives me this

<script id="HTTP Auth" output="HTTP Service requires authentication" />

With my finger script I don't get any output and the tags seem a
little messed up

" /></port>t protocol="tcp" portid="79">
<state state="open" reason="syn-ack" reason_ttl="64"/>
<service name="finger" method="table" conf="3" />
<script id="Finger Results" output="
</ports>

I'm going to take a look at this tomorrow.

thanks
 - eddie

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org