Nmap Development mailing list archives

Re: Detecting/parsing a hex string


From: David Fifield <david () bamsoftware com>
Date: Wed, 8 Oct 2008 15:44:44 -0600

On Wed, Oct 08, 2008 at 10:37:27AM -0500, Ron wrote:
Thanks to all of you, I managed to put together your suggestions and get  
something that works!

One thing I noticed in Lua is that I couldn't specify a count, like  
"(%x%x){32}" for 32 hex characters, so I just used a string.rep(). Let  
me know if there's a better way!

That's the way recommended in the Lua book.
http://www.lua.org/pil/20.4.html

So, there are three conditions for me: a user can give a single 16-byte
hex string, two 16-byte hex strings (together), or two 16-byte hex
strings (with a separator). I covered all these cases using elseifs:

if(string.find(password, "^" .. string.rep("%x%x", 16) .. "$")) then
    -- 32 hex digits: a single hash, used for both LM and NTLM
    lm_hash   = bin.pack("H", password:sub(1, 32))
    ntlm_hash = bin.pack("H", password:sub(1, 32))
elseif(string.find(password, "^" .. string.rep("%x%x", 32) .. "$")) then
    -- 64 hex digits: LM hash followed directly by NTLM hash
    lm_hash   = bin.pack("H", password:sub(1, 32))
    ntlm_hash = bin.pack("H", password:sub(33, 64))
elseif(string.find(password, "^" .. string.rep("%x%x", 16) .. "." .. string.rep("%x%x", 16) .. "$")) then
    -- 32 hex digits, one separator character, 32 hex digits
    lm_hash   = bin.pack("H", password:sub(1, 32))
    ntlm_hash = bin.pack("H", password:sub(34, 65))
else
    -- anything else is treated as a plaintext password and hashed
    status, lm_hash   = smbcrypto.lm_create_hash(password)
    status, ntlm_hash = smbcrypto.ntlm_create_hash(password)
end

This code looks like it accepts either hex-encoded passwords or plain
unencoded passwords. What if a password is 16 hex digits? The first if
will wrongly intercept it and decode it.

Keep in mind, I don't know what this password is for, so I don't know
when an encoded or unencoded password would be preferred. A better
interface would be to have two functions, one accepting encoded
passwords and one accepting unencoded passwords. Or else provide just
one of those functions, and have another auxiliary function that either
encodes or decodes a password to put it in the correct form.

In the external user interface code (reading script args), it's good to
read passwords in any common form. You may have to use separate script
args for encoded and unencoded forms to avoid ambiguity. In the internal
interface you have the luxury of enforcing one canonical form.

David Fifield
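One way to keep the encoded and unencoded forms apart at the script-arg boundary, as an added example written for this page (not code from the thread or from Nmap's NSE libraries); it assumes hypothetical script-arg names smbhash and smbpassword and uses a pure-Lua hex decoder in place of bin.pack:

```lua
-- Hypothetical script-arg names; `args` stands in for nmap.registry.args.
local HEX16 = string.rep("%x%x", 16)   -- 32 hex digits = 16 raw bytes

-- Decode hex digit pairs into raw bytes (pure-Lua stand-in for the
-- bin.pack("H", ...) call in the quoted code).
local function from_hex(h)
  return (h:gsub("%x%x", function(p) return string.char(tonumber(p, 16)) end))
end

-- Hash form only. Accepts the three layouts from the thread:
--   32 hex digits                      -> one hash used for both LM and NTLM
--   64 hex digits                      -> LM then NTLM
--   32 hex digits, non-hex separator, 32 hex digits (e.g. "LM:NTLM")
-- Returns lm_hash, ntlm_hash as 16-byte strings, or nil and an error.
local function parse_hashes(s)
  if s:find("^" .. HEX16 .. "$") then
    local h = from_hex(s)
    return h, h
  elseif s:find("^" .. HEX16 .. HEX16 .. "$") then
    return from_hex(s:sub(1, 32)), from_hex(s:sub(33, 64))
  elseif s:find("^" .. HEX16 .. "[^%x]" .. HEX16 .. "$") then
    return from_hex(s:sub(1, 32)), from_hex(s:sub(34, 65))
  end
  return nil, "expected 32 or 64 hex digits, or LM<sep>NTLM"
end

-- Script-arg layer: two distinct args, so a plaintext password that happens
-- to consist only of hex digits can never be mistaken for a hash.
local function credentials_from_args(args)
  if args.smbhash and args.smbpassword then
    return nil, "give either smbhash or smbpassword, not both"
  elseif args.smbhash then
    local lm, ntlm = parse_hashes(args.smbhash)
    if not lm then return nil, ntlm end
    return { lm_hash = lm, ntlm_hash = ntlm }
  elseif args.smbpassword then
    -- Plaintext is passed through untouched; the caller hashes it with
    -- lm_create_hash/ntlm_create_hash as in the quoted else branch.
    return { password = args.smbpassword }
  end
  return nil, "no credentials given"
end

-- Self-check with constructed values ("deadbeef" repeated is not a real hash).
local hexhash = string.rep("deadbeef", 4)                      -- 32 hex digits
local creds = assert(credentials_from_args({ smbhash = hexhash .. ":" .. hexhash }))
assert(#creds.lm_hash == 16 and creds.lm_hash == creds.ntlm_hash)
assert(credentials_from_args({ smbpassword = "0123456789abcdef" }).password == "0123456789abcdef")
assert(not credentials_from_args({ smbhash = "0123456789abcdef" }))
```

The separator branch uses `[^%x]` rather than the thread's `.`, so a 65-character string is only accepted when the middle character is not itself a hex digit.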

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org