Nmap Development mailing list archives
Re: [RFC] Changes to HTTPAuth, addition of HTTPbrute
From: Kris Katterjohn <katterjohn () gmail com>
Date: Wed, 25 Jun 2008 12:35:53 -0500
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Thomas Buchanan wrote:
From: Kris Katterjohn [mailto:katterjohn () gmail com] I've attached a patch against your HTTPAuth that fixes the warning: SCRIPT ENGINE: ./scripts/HTTPAuth.nse:48: bad argument #1 to 'len' (string expected, got nil) If a server didn't send a 401 message, string.len() was called on nil. I just made it return if it wasn't a 401, instead of having all of the "real" code inside a conditional block.The patch looks good. Thanks.
No problem.
I've also attached a patch to fix some false positives in HTTPbrute. I ran it several times, and one time it gave me 7 false positives. Now that I've fixed that, I'm having the problem of getting my valid username/password pair to succeed: all of the requests are getting 401 responses back. Maybe this is a problem with the base64 library? Or maybe I've done something wrong and will feel stupid after sending this email :)I applied your patch for HTTPbrute here, and all of my valid user/pass combinations are still working. Not exactly sure what might be the issue, but three possibilities come to mind: 1. Any chance you may have locked out the user account, so that it's returning Unauthorized no matter what?
*sigh* That's indeed what it looks like today. I was logging in through Firefox while testing to avoid this, but I must've just missed it. Sorry! I set up a lighttpd server with basic authorization, and your HTTPbrute script works fine against it with some slightly-larger 25-entry username and password lists.
You can verify that the base64 library is working correctly by using an online encoders, such as this one: http://www.motobit.com/util/base64-decoder-encoder.asp
Yes, your base64 library does indeed seem to work fine.
Let me know if there's anything else I can do to help. Thanks, Thomas
Thanks!, Kris Katterjohn -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iQIVAwUBSGKB9v9K37xXYl36AQK+pw//T3kYX74He3JJzr29UsYmJMb70hXN45R2 mInmv097mvCSiHMTivHcwQOzuz/gtp1gw9NMvMWFifZtMTWSXp9aA+TUgWGGhyh2 cvCMlGtOa7QDptRgqB3HwddQKbyraNTuJ8qRnp1DSUWfk8QDO8FxL7bLp3gbSfBW jl4JawnRdn0Za/7k6wRS76ZufIpFphneUsdne6jUmQ7RRVjds/1cUfHxT5xpp/e7 +fQkFobG88W28u1IrZqjMed8+brUIvcFohLnD1hnZ/CTpApFa575ofH0o5fnldbL D55a8jnC+5JPPD6cmhK2qXfySllh5a8Bto+jc3gJIwbwf+8VWmSF1jh5XfGrWuPK cLu/a3aUZ8BjGmqylM3pwSO1xEjQgpNMK1cC5eC0okdRghO5P3BBvIm3WIdsehhi CMLzvWtM2aNgYXhrpXBKUya2n3VPF3uts/NuPO+WGFoSTu0iHGTxb0Dl/EXLFcpR smR8Yi/D+C4aUeqHb8MBzVNPFJUWzGFuyLVoV/RVbvUqHk3EAk5lV+QAKfs35+a4 GFuReESacdJZRwIfDJckDc+FSUhwvWzRk0CEAqnDdA0QswE2alRlX0zN0/ZmqbME FNq6yZcM/2nKBNf46SpGiGj6u5tBYVulPNel1v+VuavvwfdU0B83phk6lxJs8ghx 41fFG5W0ic0= =k1hg -----END PGP SIGNATURE----- _______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://SecLists.Org
Current thread:
- [RFC] Changes to HTTPAuth, addition of HTTPbrute Thomas Buchanan (Jun 24)
- Re: [RFC] Changes to HTTPAuth, addition of HTTPbrute Kris Katterjohn (Jun 24)
- RE: [RFC] Changes to HTTPAuth, addition of HTTPbrute Thomas Buchanan (Jun 25)
- Re: [RFC] Changes to HTTPAuth, addition of HTTPbrute Kris Katterjohn (Jun 25)
- RE: [RFC] Changes to HTTPAuth, addition of HTTPbrute Thomas Buchanan (Jun 25)
- Re: [RFC] Changes to HTTPAuth, addition of HTTPbrute Kris Katterjohn (Jun 24)