Nmap Development mailing list archives
Re: nmap http auth update
From: David Fifield <david () bamsoftware com>
Date: Mon, 8 Dec 2008 09:54:19 -0700
On Tue, Dec 02, 2008 at 11:53:53AM -0500, Vishal Nandwani wrote:
Attached in this e-mail is an NSE script titled http-dict.nse. It updates the http auth script to include md5 as well as a larger dictionary. We hope the community finds this useful and that the script is considered for code integration into the next version of nmap.
Thank you for your contribution. It is most welcome. I tried out your modified script and it worked for me. I'd like to see it included with Nmap.

There are a few changes I'd like you to make before it is included.

Your updated script is based on a slightly old version of http-auth.nse and it doesn't have some recent improvements from Vlatko Kosturjak. Can you make your changes again based on r10954 from 2008-11-07?

Before adding any new user names and passwords to the script, I want to see measurements showing that they occur frequently, or at least documentation as to what devices use each authentication pair. It's easy to add new user names and passwords, but each one incurs a cost in run time and network traffic. Please leave the expanded dictionaries out of your updated submission.

Where did the value for cnonce ("f5d6811482d3ab57d18f06dfe240f390") come from? If it's meant to be random then you could use openssl.rand_bytes or openssl.rand_pseudo_bytes.

Don't be discouraged. We often ask for changes to patches before they are accepted. Thanks again for your improvements. I look forward to merging the next version of your script.

David Fifield
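The cnonce question above, as an added example that is not part of the original message or of the submitted script: an RFC 2617 Digest (MD5, qop=auth) response computed with a cnonce drawn fresh for each request instead of a fixed string. It is written in Python rather than NSE Lua so it runs stand-alone; `secrets.token_hex` stands in for `openssl.rand_bytes`, the function names are hypothetical, and the sample credentials are the worked example from RFC 2617 section 3.5.

```python
import hashlib
import secrets


def md5_hex(text):
    """Hex MD5 of a string, as RFC 2617 uses for H(...)."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def new_cnonce(nbytes=16):
    """Fresh client nonce: 16 random bytes -> 32 hex characters."""
    return secrets.token_hex(nbytes)


def digest_response(username, realm, password, method, uri,
                    nonce, cnonce, nc="00000001", qop="auth"):
    """request-digest for algorithm=MD5 with qop=auth (RFC 2617, 3.2.2)."""
    ha1 = md5_hex(f"{username}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def authorization_header(username, realm, password, method, uri, nonce):
    """Build the Authorization value with a cnonce generated per request."""
    cnonce = new_cnonce()
    response = digest_response(username, realm, password, method, uri,
                               nonce, cnonce)
    return (f'Digest username="{username}", realm="{realm}", '
            f'nonce="{nonce}", uri="{uri}", qop=auth, nc=00000001, '
            f'cnonce="{cnonce}", response="{response}"')


# Values from the RFC 2617 section 3.5 example (not from the script).
RFC_EXAMPLE = dict(username="Mufasa", realm="testrealm@host.com",
                   password="Circle Of Life", method="GET",
                   uri="/dir/index.html",
                   nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093")

if __name__ == "__main__":
    # Two calls with identical inputs still differ, because cnonce differs.
    print(authorization_header(**RFC_EXAMPLE))
    print(authorization_header(**RFC_EXAMPLE))
```
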