Re: Default time limits for unpwdb

[Ron <ron () skullsecurity net>]

I agree. 

I think we should do a countlimit, too, as a script-arg. 

On Fri, 19 Mar 2010 21:51:42 -0600 David Fifield
<david () bamsoftware com> wrote:
> The unpwdb library has a unpwdb.timelimit function that suggests how
> long password brute-forcing should go on.
>
> http://nmap.org/nsedoc/lib/unpwdb.html#timelimit
>
> A problem is that it is up to the script to enforce the limit. Most
> brute scripts don't do it. They keep running until they're exhausted
> every credential. They can take an unexpectedly long time if tarpitted
> or if the service is just slow.
>
> I propose with the attached patch to add default time limits to the
> username and password iterators, so that they start returning nil
> after they run out of time. The default time limit would be the
> return value of unpwdb.timelimit, or you can specify a limit
> directly. A limit of 0 means to disable the time limit.
>
> This would allow us to use a bigger password list without worrying
> about how it's going to slow down the brute scripts. Scripts wouldn't
> need any modification.
>
> David Fifield


-- 
Ron Bowes
http://www.skullsecurity.org
http://www.twitter.com/iagox86
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/