Nmap Development mailing list archives

Re: Detecting/parsing a hex string


From: Ron <ron () skullsecurity net>
Date: Wed, 08 Oct 2008 17:40:00 -0500

David Fifield wrote:
> On Wed, Oct 08, 2008 at 10:37:27AM -0500, Ron wrote:
>
> This code looks like it accepts either hex-encoded passwords or plain
> unencoded passwords. What if a password is 16 hex digits? The first if
> will wrongly intercept it and decode it.
>
> Keep in mind, I don't know what this password is for, so I don't know
> when an encoded or unencoded password would be preferred. A better
> interface would be to have two functions, one accepting encoded
> passwords and one accepting unencoded passwords. Or else provide just
> one of those functions, and have another auxiliary function that either
> encodes or decodes a password to put it in the correct form.
>
> In the external user interface code (reading script args), it's good to
> read passwords in any common form. You may have to use separate script
> args for encoded and unencoded forms to avoid ambiguity. In the internal
> interface you have the luxury of enforcing one canonical form.
>
> David Fifield

It's basically Windows login passwords. You're right, it's *possible*
that somebody could have a 16-hex-character password, but I generally
consider it unlikely enough that I just assume 16 hex characters is a
password hash. Metasploit and others do the same thing.

I could change the parameter name, so you can do "--script-args
smbusername=ron,smbpasswordhash=b709...", but that's a little uglier.

Both ways are easy enough to do, so I'm open to suggestions/arguments.
Right now it auto-detects, but it's like a 1-line change in one place to
make them separate arguments.

Ron


_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
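
The two interfaces discussed in this thread, side by side, as an added example in plain Lua (the NSE scripting language); it is not code from either poster or from Nmap. The argument name smbpassword, the function names and the returned table layout are assumptions made for illustration; smbpasswordhash and the 16-hex-digit rule come from the messages above.

```lua
-- Added example: auto-detection versus separate script arguments.
-- Hypothetical names throughout; only smbpasswordhash appears in the thread.
local HASH_HEX_DIGITS = 16  -- length the thread treats as "a password hash"

local function is_hex(s, n)
  return #s == n and s:find("^%x+$") ~= nil
end

-- Decode pairs of hex digits into raw bytes (the canonical internal form).
local function from_hex(s)
  return (s:gsub("%x%x", function(pair)
    return string.char(tonumber(pair, 16))
  end))
end

-- Auto-detecting reader: anything shaped like a hash is decoded, so a
-- plaintext password of the same shape is silently treated as a hash.
local function autodetect(value)
  if is_hex(value, HASH_HEX_DIGITS) then
    return { kind = "hash", bytes = from_hex(value) }
  end
  return { kind = "password", text = value }
end

-- Separate-argument reader: the caller states which form is supplied,
-- and a malformed or doubled credential is rejected instead of guessed at.
local function from_args(args)
  local pw, hash = args.smbpassword, args.smbpasswordhash
  if pw and hash then
    return nil, "give smbpassword or smbpasswordhash, not both"
  elseif hash then
    if not is_hex(hash, HASH_HEX_DIGITS) then
      return nil, "smbpasswordhash must be " .. HASH_HEX_DIGITS .. " hex digits"
    end
    return { kind = "hash", bytes = from_hex(hash) }
  elseif pw then
    return { kind = "password", text = pw }
  end
  return nil, "no credential supplied"
end

-- Constructed input: a plaintext password that happens to be 16 hex digits.
local tricky = "0123456789abcdef"
print("autodetect:            ", autodetect(tricky).kind)
print("smbpassword=...:       ", from_args({ smbpassword = tricky }).kind)
print("smbpasswordhash=...:   ", from_args({ smbpasswordhash = tricky }).kind)
print("smbpasswordhash=bogus: ", from_args({ smbpasswordhash = "not-hex" }))
```

With separate arguments the same string is handled as a password or as a hash only because the user said so, and both readers hand the rest of the code one tagged form.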

