Nmap Development mailing list archives

Re: [RFC] Username/Password NSE library


From: Kris Katterjohn <katterjohn () gmail com>
Date: Tue, 24 Jun 2008 14:31:40 -0500


Thomas Buchanan wrote:
> Kris,
>
> I've used your username/password library to refactor my HTTP Auth brute
> forcing library (results to come after a little more testing), and it
> seems to work very nicely.  One feature that would be nice, but

Great, thanks for testing.

> certainly not essential, is the ability to reset or rewind the lists.
> Consider the typical process for brute forcing:
>
> for each username
>   for each password
>     try login
>   end
> end
>
> The issue that I see is that for each new username, you have to create a
> new password closure.  While not difficult or particularly
> time-consuming, it would be nice just to create the closure only once
> (and perform error checking, etc.), then reset the existing list each
> iteration and have it start over fresh.
>
> Like I said, this feature isn't really necessary, but would be nice to
> have if it's not too difficult to implement.


This is IMO a good idea which I hadn't considered.  What about having the
closure reset back to the beginning when the list is exhausted?  It can return
nil to let the caller know the list is over, but if it still gets called again
it will just recycle through.  One thing about this, though, is that there is
no manual rewinding: you have to go through the whole list to start back
again.  But this should be fine for your specific brute-force method example,
unless it was simplistic and not showing the early breaking of the password
loop (i.e. not going through the whole list).

What do you think about this?

> Thanks,
>
> Thomas

Thanks,
Kris Katterjohn
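
Added example, not part of the original message and not the NSE library's own code: a Lua closure with the behaviour proposed above (return nil at the end of the list, then recycle), run through the nested loop from the quoted message both with and without an early break. The names recycling_iterator, try_login and run, and all sample data, are assumptions made for this illustration.

```lua
-- Hypothetical helper (not the NSE library's API): build a closure over a
-- list that returns nil once at the end of the list and then starts over.
local function recycling_iterator(list)
  local i = 0
  return function()
    i = i + 1
    if i > #list then
      i = 0          -- rewind; the next call returns list[1] again
      return nil     -- tell the caller this pass is finished
    end
    return list[i]
  end
end

-- Constructed sample data; try_login is a local stand-in that only compares
-- against this table and performs no network activity.
local usernames = { "alice", "bob" }
local passwords = { "one", "two", "three" }
local accepted  = { alice = "two", bob = "one" }
local function try_login(user, pass) return accepted[user] == pass end

-- Run the nested loop with a single password closure shared by every
-- username, recording which passwords each username actually saw.
local function run(break_on_success)
  local next_password = recycling_iterator(passwords)
  local tried = {}
  for _, user in ipairs(usernames) do
    local attempts = {}
    for pass in next_password do   -- generic for stops on the nil
      attempts[#attempts + 1] = pass
      if try_login(user, pass) and break_on_success then break end
    end
    tried[user] = table.concat(attempts, ",")
  end
  return tried
end

-- Full passes: the closure rewinds itself, so every username sees the
-- whole list without a new closure being created.
local full = run(false)
print("no early break:", full.alice, "|", full.bob)

-- Early break: the closure is left mid-list, so the next username resumes
-- from that position and misses the entries before it.
local early = run(true)
print("early break:   ", early.alice, "|", early.bob)
```

The second run shows the limitation mentioned in the message: without a manual rewind, a caller that leaves the password loop early has to drain the closure until it returns nil before moving to the next username.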

