Nmap Development mailing list archives
Re: Status Report #14 of 17
From: ithilgore <ithilgore.ryu.l () gmail com>
Date: Tue, 28 Jul 2009 03:59:11 +0300
Status Report #14 of 17
28 July, 2009

Hello nmap-dev!

This week was focused on completing and debugging the http basic-auth module. During the process of testing, I made a fascinating discovery with the help of Ncrack's high-speed cracking engine: bypassing Apache 2.2's password-protected areas. Apparently, this hasn't been found or disclosed anywhere yet, so an advisory is likely to come up soon. I want to test more versions though, and also try to find where in the code the relevant flaw is. The consequence of this bug is that all vulnerable Apache versions (which are yet to be exactly defined) can have any password-protected area (at least with basic authentication, since this is the only method I have tried so far) bypassed with fake credentials. Of course, any file residing in that area can also be grabbed. Expect to hear more about it in the following days.

Apart from that, mswin32 support has at last caught up with the rest of Ncrack's supported platforms by porting the opensshlib as well as the latest version of the rest of the Ncrack codebase to Windows XP. In addition, a Windows installer was made using NSIS, and the setup .exe now resides in the svn repository under the mswin32 folder. So anyone wanting to give Ncrack a try on his favorite proprietary platform can now automagically install it and run it on the fly.

Another feature is the service timeout option, with which a user can now specify the time offset at which Ncrack stops cracking that particular service regardless of success so far. This can prove really handy for large networks when scanning times are restricted by administrator policies or other 'obstacles'. Say, for example, that you want to scan your class C enterprise network for weak passwords on ssh but are limited to a certain time period (e.g. at night) when users won't be logging in, so that Ncrack's connection probes won't cause an active hindrance to their usual activities:

$ ncrack 10.0.0.*:22,to=10m

That simple. 10m means 10 minutes, so that will have Ncrack running from now until 10 minutes later or until every service's cracking is completed (whichever comes first). BTW, 'to' is just an abbreviation for 'time-out', since we want to keep command-line options short yet memorable. That feature, along with the upcoming --resume which will enable users to save Ncrack's current state into a file and later continue from where it left off, will make it a really valuable asset.

I also began writing the manual page and nearly finished documenting the opensshlib. The latter will come in the form of a paper (it is going to be _big_) since I am also analyzing various aspects of the SSH protocol and how that is implemented by the OpenSSH project, as well as what hacks were made in order to convert the entire OpenSSH codebase into a library suitable for use by Ncrack's architecture and the corresponding SSH module. Probably it will be ready by tomorrow.

The gathering of username and password lists has gone well so far, and I found out about another great archive of such files here: http://theargon.com/achilles/wordlists/ However, a proper sorting of all these has to take place. Soon.

The first steps of adding SSL support are also being taken, and by next week I hope that will have finished too.

As usual, bugfixes never miss being mentioned, and various patches were made to better stabilize and even beautify (yes, indentation fixes!) the code.

So to sum up:

----[ Accomplishments ]----
* Discovered Apache 2.2 0day vulnerability which leads to bypassing password-protected areas.
* Completed http basic-auth module.
* Ported opensshlib and latest Ncrack version to Windows.
* Successfully built and tested NSIS Windows installer.
* Began writing manpage.
* Almost finished documenting the building process of opensshlib.
* Gathered some good sources of username/password lists.
* Various bugfixes.

----[ Priorities ]----
* Complete writing of manpage.
* Sort and categorize the gathered username/password lists.
* Finish opensshlib documentation.
* Add and test SSL support.
* Write http form-auth module.
* Further investigate Apache 2.2 vulnerability and write advisory.

Cheers,
ithilgore
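The target specification and 'to=' service time-out described in the report, as an added illustration (not Ncrack's own parser): it parses a spec such as `10.0.0.*:22,to=10m` into hosts, port and a time budget in seconds, and reports when that budget is spent so a run stays inside an agreed maintenance window. The grammar beyond what the post shows (the `s`/`h` suffixes, a wildcard only in the last octet) is assumed.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Assumed grammar (only "to=" appears on the page): <host-pattern>:<port>[,to=<N>[s|m|h]]
_DURATION_RE = re.compile(r"^(\d+)([smh]?)$")
_UNIT_SECONDS = {"": 1, "s": 1, "m": 60, "h": 3600}


@dataclass(frozen=True)
class TargetSpec:
    hosts: tuple[str, ...]
    port: int
    timeout_s: int | None  # None: no service time-out requested, run to completion


def parse_duration(text: str) -> int:
    """'10m' -> 600. A bare number is taken as seconds (assumption)."""
    m = _DURATION_RE.match(text)
    if not m:
        raise ValueError(f"bad duration: {text!r}")
    return int(m.group(1)) * _UNIT_SECONDS[m.group(2)]


def expand_hosts(pattern: str) -> tuple[str, ...]:
    """Expand a trailing '*' into all 256 addresses of the /24 (assumption: only
    the last octet may be a wildcard); plain addresses are validated and kept."""
    octets = pattern.split(".")
    if len(octets) != 4 or "*" in octets[:3]:
        raise ValueError(f"unsupported host pattern: {pattern!r}")
    for o in octets[:3] + ([] if octets[3] == "*" else [octets[3]]):
        if not o.isdigit() or not 0 <= int(o) <= 255:
            raise ValueError(f"bad octet {o!r} in {pattern!r}")
    if octets[3] == "*":
        return tuple(".".join(octets[:3] + [str(i)]) for i in range(256))
    return (pattern,)


def parse_spec(spec: str) -> TargetSpec:
    host_port, *options = spec.split(",")
    host, sep, port = host_port.rpartition(":")
    if not sep or not port.isdigit():
        raise ValueError("a numeric port is required, e.g. 10.0.0.1:22")
    timeout_s = None
    for opt in options:
        key, _, value = opt.partition("=")
        if key != "to":
            raise ValueError(f"unknown option: {key!r}")
        timeout_s = parse_duration(value)
    return TargetSpec(expand_hosts(host), int(port), timeout_s)


def budget_exhausted(spec: TargetSpec, started_at: float, now: float) -> bool:
    """True once the service time-out has elapsed; never true when none was set."""
    return spec.timeout_s is not None and now - started_at >= spec.timeout_s
```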