Nmap Development mailing list archives
Re: Detecting/parsing a hex string
From: Ron <ron () skullsecurity net>
Date: Wed, 08 Oct 2008 17:40:00 -0500
David Fifield wrote:
> On Wed, Oct 08, 2008 at 10:37:27AM -0500, Ron wrote:
>
> This code looks like it accepts either hex-encoded passwords or plain unencoded passwords. What if a password is 16 hex digits? The first if will wrongly intercept it and decode it. Keep in mind, I don't know what this password is for, so I don't know when an encoded or unencoded password would be preferred.
>
> A better interface would be to have two functions, one accepting encoded passwords and one accepting unencoded passwords. Or else provide just one of those functions, and have another auxiliary function that either encodes or decodes a password to put it in the correct form.
>
> In the external user interface code (reading script args), it's good to read passwords in any common form. You may have to use separate script args for encoded and unencoded forms to avoid ambiguity. In the internal interface you have the luxury of enforcing one canonical form.
>
> David Fifield

It's basically Windows login passwords. You're right, it's *possible* that somebody could have a 16-hex-character password, but I generally consider it unlikely enough that I just assume 16 hex characters is a password hash. Metasploit and others do the same thing.

I could change the parameter name, so you can do "--script-args smbusername=ron,smbpasswordhash=b709...", but that's a little uglier. Both ways are easy enough to do, so I'm open to suggestions/arguments. Right now it auto-detects, but it's like a 1-line change in one place to make them separate arguments.

Ron

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
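
The two interfaces weighed in this message, side by side, as an added example that is not part of the original post or of Nmap's code: an auto-detecting parser and one driven by separate arguments. It is plain Lua with no NSE libraries; the 16-hex-digit length is the figure used in the thread, `smbpasswordhash` is the name proposed above, and `smbpassword` and all function names are assumptions made for illustration.

```lua
-- Added example, not code from the thread. Plain Lua, no NSE libraries.
-- Assumption: a "hash" is exactly 16 hex digits, the length used in the thread.
local HASH_HEX_LEN = 16

local function is_hex_hash(s)
  return #s == HASH_HEX_LEN and s:match("^%x+$") ~= nil
end

-- Decode pairs of hex digits into raw bytes.
local function from_hex(s)
  return (s:gsub("%x%x", function(pair)
    return string.char(tonumber(pair, 16))
  end))
end

-- Auto-detecting interface: one argument, and its form is guessed.
local function autodetect(value)
  if is_hex_hash(value) then
    return { kind = "hash", bytes = from_hex(value) }
  end
  return { kind = "password", text = value }
end

-- Explicit interface: the caller states the form, nothing is guessed.
-- `smbpassword` is an assumed argument name; `smbpasswordhash` is from the thread.
local function explicit(args)
  local pw, hash = args.smbpassword, args.smbpasswordhash
  if pw and hash then
    return nil, "give smbpassword or smbpasswordhash, not both"
  end
  if hash then
    if not is_hex_hash(hash) then
      return nil, "smbpasswordhash must be " .. HASH_HEX_LEN .. " hex digits"
    end
    return { kind = "hash", bytes = from_hex(hash) }
  end
  if pw then
    return { kind = "password", text = pw }
  end
  return nil, "no credential supplied"
end

-- Constructed sample: a plaintext password that happens to be 16 hex digits.
local sample = "0123456789abcdef"
print("autodetect:", autodetect(sample).kind)
print("explicit password:", explicit({ smbpassword = sample }).kind)
print("explicit hash:", explicit({ smbpasswordhash = sample }).kind)
print("malformed hash:", explicit({ smbpasswordhash = "nothex" }))
```

With the constructed sample, the auto-detecting path classifies the plaintext password as a hash and decodes it, while the explicit path keeps it as typed and rejects a malformed hash with an error instead of silently treating it as a password.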