Nmap Development mailing list archives

Re: Status Report #14 of 17


From: ithilgore <ithilgore.ryu.l () gmail com>
Date: Tue, 28 Jul 2009 03:59:11 +0300

Status Report #14 of 17

28 July, 2009

Hello nmap-dev!

This week was focused on completing and debugging the http basic-auth module.
During the process of testing, I made a fascinating discovery with the help
of Ncrack's high speed cracking engine: bypassing Apache's 2.2 password
protected areas. Apparently, this hasn't been found or disclosed anywhere yet so
an advisory is likely to come up soon. I want to test more versions though and
also try to find where in the code the relevant flaw is. The consequence of
this bug is that all vulnerable Apache versions (which are yet to be exactly
defined) can have any password protected area (at least with basic
authentication, since this is the only method I have tried so far) bypassed with
fake credentials. Of course, any file residing in that area can also be grabbed.
Expect to hear more about it in the following days.
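For readers on the defending side of the basic-auth story above, here is an added example (not code from this report or from Ncrack) showing how a high-speed credential guessing run against an Apache password-protected area looks in the server's access log, and how to flag it. It assumes Apache's "combined" log format, and the log lines, client addresses, paths and thresholds are constructed for illustration only.

```python
"""Flag bursts of HTTP 401 responses per client in an Apache access log.

Added example, not part of the original report or of Ncrack. The log lines,
addresses and thresholds below are constructed assumptions for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache "combined" log format (assumed); only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample: one client hammers /admin/ with wrong credentials and then
# gets a 200; another client mistypes once and then logs in normally.
SAMPLE_LOG = """\
203.0.113.7 - - [28/Jul/2009:03:10:01 +0300] "GET /admin/ HTTP/1.1" 401 381 "-" "-"
203.0.113.7 - root [28/Jul/2009:03:10:02 +0300] "GET /admin/ HTTP/1.1" 401 381 "-" "-"
203.0.113.7 - root [28/Jul/2009:03:10:03 +0300] "GET /admin/ HTTP/1.1" 401 381 "-" "-"
203.0.113.7 - admin [28/Jul/2009:03:10:04 +0300] "GET /admin/ HTTP/1.1" 401 381 "-" "-"
203.0.113.7 - admin [28/Jul/2009:03:10:05 +0300] "GET /admin/ HTTP/1.1" 401 381 "-" "-"
203.0.113.7 - admin [28/Jul/2009:03:10:06 +0300] "GET /admin/ HTTP/1.1" 401 381 "-" "-"
203.0.113.7 - admin [28/Jul/2009:03:10:07 +0300] "GET /admin/ HTTP/1.1" 200 1423 "-" "-"
198.51.100.4 - - [28/Jul/2009:03:12:00 +0300] "GET /admin/ HTTP/1.1" 401 381 "-" "-"
198.51.100.4 - alice [28/Jul/2009:03:12:05 +0300] "GET /admin/ HTTP/1.1" 200 1423 "-" "-"
"""

WINDOW = timedelta(seconds=60)   # assumed sliding window
THRESHOLD = 5                    # assumed number of 401s per window that counts as a burst


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "user": m["user"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "path": m["path"],
        "status": int(m["status"]),
    }


def analyse(lines, window=WINDOW, threshold=THRESHOLD):
    """Return (bursts, successes).

    bursts:    {ip: peak number of 401s seen inside one window}
    successes: [(ip, user, path, ts)] for a 200 that follows a burst of 401s
               from the same client, i.e. a guess that worked or a bypass.
    """
    events = [e for e in (parse_line(l) for l in lines) if e]
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    bursts, successes = {}, []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        failures = []   # timestamps of 401s still inside the current window
        peak = 0
        for e in evs:
            # Slide the window: forget failures older than `window`.
            while failures and e["ts"] - failures[0] > window:
                failures.pop(0)
            if e["status"] == 401:
                failures.append(e["ts"])
                peak = max(peak, len(failures))
            elif e["status"] == 200 and len(failures) >= threshold:
                successes.append((ip, e["user"], e["path"], e["ts"]))
        if peak >= threshold:
            bursts[ip] = peak
    return bursts, successes


if __name__ == "__main__":
    bursts, successes = analyse(SAMPLE_LOG.splitlines())
    for ip, n in bursts.items():
        print(f"burst: {ip} sent {n} 401s within {WINDOW}")
    for ip, user, path, ts in successes:
        print(f"success after burst: {ip} as {user!r} on {path} at {ts}")
```

The two signals are deliberately separate: a 401 burst alone says someone is guessing, while a 200 arriving from the same client right after the burst is what a defender actually needs to act on, whether it came from a correct guess or from a bypass of the kind described above.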

Apart from that, mswin32 support has at last caught up with the rest of Ncrack's
supported platforms by porting the opensshlib as well as the latest version of
the rest of Ncrack codebase to Windows XP. In addition, a Windows installer was
made using NSIS and the setup .exe now resides in the svn repository under the
mswin32 folder. So anyone wanting to give a try to Ncrack on his favorite
proprietary platform can now automagically install it and run it on the fly.

Another feature is the service timeout option with which a user can now specify
the time offset when Ncrack stops cracking that particular service regardless of
success so far. This can prove really handy for large networks when scanning
times are restricted by administrator policies or other 'obstacles'. Specify for
example that you want to scan your class C enterprise network for weak passwords
on ssh but are limited only to a certain time period (e.g. at night) when users
won't be logging in so that Ncrack's connection probes won't cause an active
hindrance to their usual activities:

$ ncrack 10.0.0.*:22,to=10m

That simple. 10m means 10 minutes, so that will have Ncrack running from now
until 10 minutes later or until every service's cracking is completed (whichever
comes first).

BTW, 'to' is just an abbreviation for 'time-out', since we want to keep
command-line options short yet memorable.

That feature along with the upcoming --resume, which will enable users to save
Ncrack's current state into a file and later continue from where it left off, will
make it a really valuable asset.

I also began writing the manual page and nearly finished documenting the
opensshlib. The latter will come in the form of a paper (it is going to be
_big_) since I am also analyzing various aspects of the SSH protocol and how
that is implemented by the OpenSSH project as well as what hacks were made in
order to convert the entire OpenSSH codebase into a library suitable for use by
Ncrack's architecture and the corresponding SSH module. Probably it will be
ready by tomorrow.

The gathering of username and password lists has gone well so far and I found
out about another great archive of such files here:
http://theargon.com/achilles/wordlists/
However, a proper sorting of all these has to take place. Soon.

The first steps of adding SSL support are also being done and by next week I
hope that will have finished too.

As usual, bugfixes never miss their being mentioned and various patches were
made to better stabilize and even beautify (yes, indentation fixes!) the code.

So to sum up:

----[ Accomplishments ]----

* Discovered Apache 2.2 0day vulnerability which leads to bypassing
  password-protected areas
* Completed http basic-auth module.
* Ported opensshlib and latest Ncrack version to Windows.
* Successfully built and tested NSIS Windows installer.
* Began writing manpage.
* Almost finished documenting the building process of opensshlib.
* Gathered some good sources of username/password lists.
* Various bugfixes.


----[ Priorities ]----

* Complete writing of manpage.
* Sort and categorize the gathered username/password lists.
* Finish opensshlib documentation.
* Add and test SSL support.
* Write http form-auth module.
* Further investigate Apache 2.2 vulnerability and write advisory.


Cheers,
ithilgore


_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org