Nmap Development mailing list archives
Re: Default time limits for unpwdb
From: Ron <ron () skullsecurity net>
Date: Sat, 20 Mar 2010 08:49:25 -0500
I agree. I think we should do a countlimit, too, as a script-arg. On Fri, 19 Mar 2010 21:51:42 -0600 David Fifield <david () bamsoftware com> wrote:
The unpwdb library has a unpwdb.timelimit function that suggests how long password brute-forcing should go on. http://nmap.org/nsedoc/lib/unpwdb.html#timelimit A problem is that it is up to the script to enforce the limit. Most brute scripts don't do it. They keep running until they're exhausted every credential. They can take an unexpectedly long time if tarpitted or if the service is just slow. I propose with the attached patch to add default time limits to the username and password iterators, so that they start returning nil after they run out of time. The default time limit would be the return value of unpwdb.timelimit, or you can specify a limit directly. A limit of 0 means to disable the time limit. This would allow us to use a bigger password list without worrying about how it's going to slow down the brute scripts. Scripts wouldn't need any modification. David Fifield
-- Ron Bowes http://www.skullsecurity.org http://www.twitter.com/iagox86 _______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://seclists.org/nmap-dev/
Current thread:
- Default time limits for unpwdb David Fifield (Mar 19)
- Re: Default time limits for unpwdb Ron (Mar 20)
- Re: Default time limits for unpwdb David Fifield (Mar 23)
- Re: Default time limits for unpwdb Ron (Mar 23)
- Re: Default time limits for unpwdb David Fifield (Mar 24)
- Re: Default time limits for unpwdb David Fifield (Mar 23)
- Re: Default time limits for unpwdb Ron (Mar 20)