Nmap Development mailing list archives
Re: ftp-brute.nse overhaul
From: Fyodor <fyodor () insecure org>
Date: Fri, 18 Sep 2009 19:36:07 -0700
On Fri, Sep 18, 2009 at 02:54:34PM -0500, Ron wrote:
> Hi all, I was investigating a way to improve the ftp scripts today, when I noticed that ftp-brute.nse was only checking one account. So, as I love doing, I took it apart and put it back together. Now it uses the unpwdb database.
Thanks Ron!
> I ran into an issue that I was hoping somebody could test on other servers and give opinions on: vsftp responds *very* slowly (about 1 second/request), so to run through all 2000 combinations of usernames/passwords would take hours. For that reason, for now, I artificially limited the checks to the first 10 usernames + passwords (with a script-arg to increase that).
Authentication cracking in general can take a long time to finish. I doubt I'm the only one here who has had crackers running for months on end. I don't think 2,000 combinations is an unreasonable number by default. Limiting it to trying just 10 users x 10 passwords makes the script go fast, but only because it isn't doing much. I also worry that it could give a false sense of security to people who assume that it is doing a more thorough check. I am glad you added the limits, but I think 10x10 is too small. Now if we can speed up the cracking process itself (rather than just reducing the number of credentials tried), that would be delightful. We will probably start sharing the Ncrack user/pass DB (or at least a subset of it) with Nmap soon.
> * Is this the case on servers besides vsftp as well? If other servers are faster, I'll add some code to detect the behaviour and change the limits
One idea is to base the limits on time directly (e.g. crack by default for 1 hour or until the usernames/passwords run out).
> * Is this an acceptable solution? Or does somebody have a better way of doing it?
I agree that we need some default limits, whether they be based on elapsed time, number of credentials tried, or both.
> * Should this type of function be built right into unpwdb, or done on a per-script basis? I'd like to revamp unpwdb at some point
I think building this into unpwdb would be ideal. That allows for arguments to be shared between our "auth" scripts, and avoids duplicating the time/credential limitation code. If possible, it would be nice if users could also specify per-script arguments in case they want to set different limits for different scripts.
> * Would this be a case to experiment with multi-threaded scripts? Does that capability exist yet? (I haven't looked into Lua threading)
We talked about this idea during SoC and Patrick had some implementation ideas. The main goal was indeed to make the "auth" scripts faster. Patrick, can you tell us more about where we stand in this respect? I tend to recall that we weren't too far from being able to do this.

Cheers,
Fyodor

Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
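A worked illustration of the limit design discussed in this thread (an added example, not Ron's patch and not Nmap's own unpwdb code): one shared credential iterator that stops at either an attempt-count budget or an elapsed-time budget, whichever is hit first, with an injectable clock so the one-second-per-request server can be simulated without sleeping. It is plain Lua 5.1+ with no NSE calls, and every function and variable name is an assumption.

```lua
-- Added illustration, not Ron's patch and not Nmap's unpwdb: a shared
-- credential iterator enforcing both default limits discussed above
-- (number of attempts, elapsed time). Plain Lua, no NSE dependencies;
-- all names are assumptions.

-- Constructed sample lists standing in for the unpwdb username/password files.
local USERNAMES = { "admin", "ftp", "anonymous", "root", "test" }
local PASSWORDS = { "admin", "123456", "ftp", "password", "" }

-- Returns next_pair() and why_stopped(). next_pair() yields (user, pass),
-- every password for one user before moving to the next user, and returns
-- nil once `max_tries` pairs were handed out, `max_seconds` have elapsed,
-- or both lists are exhausted. `clock` defaults to os.time but can be
-- replaced so a slow server can be simulated in a test.
local function limited_credentials(users, passes, max_tries, max_seconds, clock)
  clock = clock or os.time
  local started, tries, ui, pi = clock(), 0, 1, 0
  local reason
  local function next_pair()
    if reason then return nil end
    if max_tries and tries >= max_tries then reason = "count limit"; return nil end
    if max_seconds and clock() - started >= max_seconds then reason = "time limit"; return nil end
    pi = pi + 1
    if pi > #passes then pi, ui = 1, ui + 1 end
    if ui > #users then reason = "exhausted"; return nil end
    tries = tries + 1
    return users[ui], passes[pi]
  end
  return next_pair, function() return reason end
end

-- Drive the iterator against a fake clock where each login attempt costs one
-- second, as Ron measured on vsftpd. Returns attempts made and the stop reason.
local function run(max_tries, max_seconds)
  local now = 0
  local next_pair, why = limited_credentials(USERNAMES, PASSWORDS, max_tries, max_seconds,
                                             function() return now end)
  local attempted = 0
  for user, pass in next_pair do
    attempted = attempted + 1
    now = now + 1            -- simulated slow server response
  end
  return attempted, why()
end

print(run(nil, nil))   -- no limits: runs until the lists are exhausted
print(run(4, nil))     -- count limit only
print(run(nil, 3))     -- time limit only (3 seconds at 1 s/attempt)
print(run(10, 3))      -- both set: whichever is reached first wins
```

Each run() call reports how many credential pairs were actually handed out and why the iterator stopped, which is the information a script would want to surface so a user is not left with a false sense of thoroughness.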