Nmap Development mailing list archives

Re: [RFC] Username/Password NSE library


From: Kris Katterjohn <katterjohn () gmail com>
Date: Tue, 17 Jun 2008 22:12:16 -0500


Tom Sellers wrote:
Kris Katterjohn wrote:
Now I need opinions on good username and password lists to ship and use by
default.  There is an ordered password list shipped with John the Ripper which
has 3107 entries.  The license[1] pretty much says we can distribute it if we
give credit and also ship the license.  Are there any ideas on a better list?

What about a good username list?


I suggest checking some of the Internet lists of default username/password
pairs.  It is ridiculous how often I come across equipment that has been
installed and left in its default state.


What type of API and functionality would you guys like from this library?
When Fyodor and I first discussed this, it seemed pretty simple: you can grab
usernames or passwords one-at-a-time.  But now you guys are thinking of good,
but different, ideas on how this library would work.

I think pairs like this would be nice, but it doesn't fit into the current
design; but is certainly OK by me.

Here are some ideas (not mutually exclusive of course):

1) The ability to grab a username or password at a time

2) The ability to grab the full table of usernames or passwords, or a table of
a certain size

3) Maybe the ability to grab just "administrator" usernames

4) The ability to grab common default username/password pairs for networking
devices

It may also make sense to order this list such that more common software/devices
occur first.  If you like I can gather some of this information and condense
it down.


It'd be great if you could do that.  It's better to have too many than miss out.

If you think these usernames and passwords would not be appropriate for your
application I may roll them into generic scripts based on protocol, such as
ftp, http, ssh, etc.

Thanks,
Tom


Thanks,
Kris Katterjohn

