Nmap Development mailing list archives
Thoughts on SMB cracking
From: ithilgore <ithilgore.ryu.l () gmail com>
Date: Thu, 24 Jun 2010 15:57:31 +0300
Hello nmap-dev. As of late, I am experimenting with the SMB protocol with the purpose of creating a high-speed SMB module for Ncrack. After studying Ron's smb scripts and relevant documentation/papers, I considered using a technique similar to smb-enum to get users from an SMB service if possible. Then Ncrack can add those users to its username lists and try them first.

One question that arises from this is which would be the most efficient way of trying them? Normally Ncrack tries all the passwords from the passlist for each of the usernames. If Ncrack adds those newly found usernames, it should probably try this new group for all the most common passwords and then try the less "intelligent bruteforcing".

For example, say you have:

username list:
---------------
user1
user2
user3

password list:
---------------
123456
test
password1

Normally Ncrack tries them like this:

user1 123456
user2 123456
user3 123456
user1 test
...

Of course, you can activate the --passwords-first option, so that Ncrack will try and crack them in the opposite way:

user1 123456
user1 test
user1 password1
user2 123456
...

Now, if Ncrack finds that usernames "Bob" and "Alice" exist for an SMB service (using an enumeration technique like SAMR or LSA bruteforcing), then it should instead try to crack them in this order:

New username list:
------------------
Bob
Alice
user1
user2
user3

Cracking:
---------
Bob 123456
Alice 123456
Bob test
Alice test
Bob password1
Alice password1
user1 123456
user2 123456
user4 123456
user1 test

which essentially means that you virtually split the username list into two groups, the user-enumerated one and the normal username list (coming from a file or the command-line), and you try to authenticate the former group first. Probably, there should be an option, however, to override this functionality in case the user just wants to crack a specific username/password list of his own choosing first.

In addition, he could also probably be able to disable the enum-phase in this case (to save the extra time needed for it). So what are your thoughts on it? I am expecting Ron or other SMB experts to have a strong say on this.

Regards,
ithilgore

--
http://sock-raw.org
http://twitter.com/ithilgore
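The attempt ordering the post proposes, written out as an added illustration (this is not Ncrack's code and performs no enumeration or authentication): the enumerated names form a priority group that is scheduled before the list supplied by the user, each group keeping Ncrack's default "one password across all usernames" order or the --passwords-first order, with a flag for the override the post mentions. The enumerated names are assumed to be handed in by the caller.

```python
from typing import Iterable, List, Tuple

Pair = Tuple[str, str]


def order_pairs(users: List[str], passwords: List[str],
                passwords_first: bool = False) -> List[Pair]:
    """Order attempts for one group of usernames.

    Default: the first password is tried for every username, then the
    second password, and so on.  --passwords-first: every password is
    tried for the first username before moving to the next username.
    """
    if passwords_first:
        return [(u, p) for u in users for p in passwords]
    return [(u, p) for p in passwords for u in users]


def schedule(list_users: Iterable[str], passwords: List[str],
             enumerated: Iterable[str] = (), passwords_first: bool = False,
             enumerated_first: bool = True) -> List[Pair]:
    """Full attempt order for the two-group scheme from the post.

    enumerated: names returned by a (hypothetical) SMB enum phase; an
    empty sequence models the enum phase being disabled.
    enumerated_first=False is the override: the caller's own list is
    tried before the enumerated group instead of after it.
    """
    seen = set()
    enum_group: List[str] = []
    normal_group: List[str] = []
    # Keep first occurrence only, so a name in both lists is tried once.
    for name in enumerated:
        if name not in seen:
            seen.add(name)
            enum_group.append(name)
    for name in list_users:
        if name not in seen:
            seen.add(name)
            normal_group.append(name)
    first, second = (enum_group, normal_group) if enumerated_first \
        else (normal_group, enum_group)
    return (order_pairs(first, passwords, passwords_first)
            + order_pairs(second, passwords, passwords_first))


if __name__ == "__main__":
    # Constructed sample input matching the lists in the post.
    for u, p in schedule(["user1", "user2", "user3"],
                         ["123456", "test", "password1"],
                         enumerated=["Bob", "Alice"]):
        print(u, p)
```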
Current thread:
- Thoughts on SMB cracking ithilgore (Jun 24)
- Re: Thoughts on SMB cracking Ron (Jun 24)
- Re: Thoughts on SMB cracking Daniel Miller (Jun 24)
- Re: Thoughts on SMB cracking Fyodor (Jun 28)
- Re: Thoughts on SMB cracking Ron (Jun 24)