Nmap Development mailing list archives
Re: Authentication in SMB/MSRPC
From: Ron <ron () skullsecurity net>
Date: Tue, 07 Oct 2008 09:29:26 -0500
Fyodor wrote:
> On Tue, Oct 07, 2008 at 05:36:25AM -0500, Ron wrote:
> >
> I agree. Though we do need to be careful not to exceed the intrusiveness level desired by the user. So it can be a tough balance to strike. Serious brute force scripts are generally not going to be default anyway. So if someone specifies those (along with other scripts), they may very well be doing so in order that found credentials can be used in the scan. If there is a lockout, it will generally happen during the brute force session, not in subsequent logins. So if we don't let scripts use discovered (by whatever mechanism) authentication credentials by default, we should at least provide an option to do so IMHO. If Nessus determines authentication credentials, does it automatically use them?
>
> Cheers,
> -F
I don't believe Nessus will dig like that. But I know that some applications will attempt to find holes and use those holes to scan more deeply (Core Impact comes to mind, among others).
I don't think Nessus will even attempt bruteforce attacks, though, although I could be wrong. Most Nessus scripts will detect a vulnerability, but won't use it to obtain more information.
At the same time, I don't think anybody wants to turn Nmap into an exploitation tool, so we sort of have to draw the line somewhere. I was thinking of adding bruteforce because other Nmap scripts do the same. Which just made me think -- if one of the other bruteforce scripts is successful (telnet, pop3, snmp, etc), should it store the credentials in the registry? It seems like you can line up scripts pretty nicely like that, "if script A or B finds SNMP credentials, then script C will use those credentials to walk the SNMP tree and display the information."
Of course, that's getting pretty intrusive, which is probably the core issue here -- how intrusive is "too intrusive"?
Ron

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
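An added sketch (not code from this thread or from Nmap's own scripts) of the registry hand-off Ron describes: a producing script records the credentials it found under nmap.registry, and a consuming script only picks them up when the user has opted in with a script argument, which keeps the "how intrusive" decision with the user. It assumes NSE's shared nmap.registry table and the stdnse.get_script_args and shortport.portnumber helpers; the registry key layout, the reuse-creds argument name and the "snmp" service label are made up for the example.

```lua
local nmap = require "nmap"
local stdnse = require "stdnse"
local shortport = require "shortport"

-- Producer side (e.g. a brute-force script): store a working credential
-- under a per-host, per-service key so later scripts in the same run can
-- find it. The key layout nmap.registry.creds[ip/service] is an assumption.
local function save_credentials(host, service, user, pass)
  nmap.registry.creds = nmap.registry.creds or {}
  local key = host.ip .. "/" .. service
  nmap.registry.creds[key] = nmap.registry.creds[key] or {}
  table.insert(nmap.registry.creds[key], { user = user, pass = pass })
end

-- Consumer side: reuse stored credentials only if the user asked for it,
-- e.g.  --script-args reuse-creds=true  (argument name is hypothetical).
local function stored_credentials(host, service)
  if not stdnse.get_script_args("reuse-creds") then
    return nil, "credential reuse is off (set reuse-creds=true to allow it)"
  end
  local creds = nmap.registry.creds
  if not creds then
    return nil, "no credentials were stored by earlier scripts"
  end
  local list = creds[host.ip .. "/" .. service]
  if not list or #list == 0 then
    return nil, "no stored credentials for this host/service"
  end
  return list
end

-- Example consumer script body for an SNMP service (UDP/161).
portrule = shortport.portnumber(161, "udp")

action = function(host, port)
  local list, why = stored_credentials(host, "snmp")
  if not list then
    return why   -- explains to the user why nothing was reused
  end
  -- The protocol work (walking the tree with list[i].user / list[i].pass)
  -- belongs to the real script; here we only report what was handed over.
  return ("%d stored credential(s) available for reuse"):format(#list)
end
```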