Nmap Development mailing list archives
Re: [RFC] Username/Password NSE library
From: Kris Katterjohn <katterjohn () gmail com>
Date: Thu, 19 Jun 2008 22:32:19 -0500
Fyodor wrote:
> On Thu, Jun 19, 2008 at 04:54:57PM -0500, Kris Katterjohn wrote:
>> So what are your thoughts on how long the default lists should be? The general consensus seems to be fairly small (a few hundred).
>
> I think it is fine for the library to have reasonably long lists (such as thousands or maybe even tens of thousands of passwords). As long as they are ordered by frequency, the scripts themselves can decide how many to take. Different authentication methods take very different lengths of time to test each user/password combination, so I don't think there will be a one-size fits all rule like "scripts will try the first 300". We might even want the scripts to just keep trying passwords until a certain amount of clock time has passed, rather than based on number of passwords.
OK, guys, poll time: should we use the stock, ordered password file from John the Ripper with ~3100 entries, a different password file obtained from elsewhere, or generate our own list (e.g. from honeypot data per Brandon's suggestion)? I don't see how to use two separate lists from different sources together. The ordered list that comes with a password cracker listed #10 overall on SecTools lends credence to one of these options :) However, the list with John isn't huge (e.g. tens of thousands of entries) and can't be expanded on-the-fly. But if 3107 sounds like a good number of entries, then it makes for a really good candidate. Of course, if we decide on the list from John, or wherever, we can always create our own list later if we decide we want more entries or whathaveyou.
> Cheers,
> -F
Thanks,
Kris Katterjohn

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org