Nmap Development mailing list archives

Re: [NSE] new scripts and libraries: http


From: "DePriest, Jason R." <jrdepriest () gmail com>
Date: Mon, 6 Sep 2010 18:00:14 -0500

Re: return code for valid vs. invalid login

All of the web apps developed in house by my employer return 200 OK on both
success and failure.  This is by design.  Failed logins are redirected to a
login page and the 403 error page is never displayed.

Something like that would break this script.

Would it be possible to have a user definable success / fail criteria that
includes regex or custom return codes?

-Jason

On Aug 12, 2010 11:49 PM, "David Fifield" <david () bamsoftware com> wrote:

On Sun, Aug 08, 2010 at 05:31:36PM +0200, Patrik Karlsson wrote:
    x http-brute - performs password guessing against basic authentication
    x http-form-brute - performs form-based password guessing

http-brute looks good. My first idea was to make it have a default path
of /, but requiring a script argument for that is fine too.

In checking for a successful login, I think that it should do more than
check for a 200 response. A 302 and probably others would be interesting
as well. How about checking for not 4xx and not 5xx? Something like an
IDS may start detecting all the requests and start returning 403, and
that would ideally be detected, but that can wait until we get some
actual reports.

Could the cached credentials in nmap.registry.credentials.http be
indexed by the domain and realm? My idea is to introduce a more capable
default http.get function that is capable of following redirects and
using cached authentication automatically. If it knows the domain and
realm it can do this just like a web browser.

http-form-brute looks good, just like I would expect. I suspect that
looking for the nonexistence of uservar and passvar in the body will be
more robust than looking for the nonexistence of 'type=\"password\"'.

You can commit these when you like.

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
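The thread above argues about how a password-guessing script should decide whether a login attempt worked: Jason's in-house apps answer 200 OK on both outcomes and redirect failures back to the login page, while David proposes "not 4xx and not 5xx" as the default, wants an IDS that starts answering 403 to be noticed, and suggests checking whether the form's uservar/passvar fields are still in the body. The following is an added example, written in Python rather than the NSE scripts' Lua, and is not code from the thread or from http-brute/http-form-brute. It models those rules as user-definable criteria (custom return codes, success/failure regexes, a redirect-to-login check, and the form-field heuristic) over a minimal constructed Response object; every class, field name and sample response here is an assumption made for illustration.

```python
"""Configurable login-result classifier for HTTP password-guessing checks.

Added example, not part of the nmap-dev thread or of the NSE http-brute /
http-form-brute scripts.  All names and sample responses are constructed.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, Iterable, Optional, Set


@dataclass
class Response:
    """Minimal stand-in for an HTTP response (constructed, not a real client)."""
    status: int
    headers: Dict[str, str] = field(default_factory=dict)
    body: str = ""


@dataclass
class LoginCriteria:
    """User-definable success/failure criteria; every field is optional."""
    success_codes: Optional[Set[int]] = None   # explicit "these codes mean success"
    success_re: Optional[str] = None           # body regex that proves success
    failure_re: Optional[str] = None           # body regex that proves failure
    failure_redirect_re: Optional[str] = None  # Location regex meaning "sent back to login"
    uservar: str = "username"                  # form field names, as in http-form-brute
    passvar: str = "password"


def _form_field_present(body: str, name: str) -> bool:
    """True if an <input> with this name is still in the body."""
    pattern = r'<input[^>]*\bname=["\']?%s\b' % re.escape(name)
    return re.search(pattern, body, re.I) is not None


def login_succeeded(resp: Response, crit: LoginCriteria) -> bool:
    """Classify one response.  Explicit user criteria win over heuristics."""
    # 1. A failure pattern in the body is decisive (covers apps that answer 200 on failure).
    if crit.failure_re and re.search(crit.failure_re, resp.body):
        return False
    # 2. A success pattern in the body is likewise decisive.
    if crit.success_re and re.search(crit.success_re, resp.body):
        return True
    # 3. A redirect back to the login page means the credentials were rejected.
    location = resp.headers.get("Location", "")
    if (crit.failure_redirect_re and 300 <= resp.status < 400
            and re.search(crit.failure_redirect_re, location)):
        return False
    # 4. Custom return codes replace the default status rule entirely.
    if crit.success_codes is not None:
        return resp.status in crit.success_codes
    # 5. Default status rule from the thread: any 4xx/5xx is a failure (401, 403, 500, ...).
    if 400 <= resp.status < 600:
        return False
    # 6. Form heuristic: if the login form (uservar/passvar) is still there, we are still logged out.
    if _form_field_present(resp.body, crit.passvar) or _form_field_present(resp.body, crit.uservar):
        return False
    return True


def looks_blocked(statuses: Iterable[int], window: int = 5) -> bool:
    """True when the last `window` responses were all 403: the pattern the thread
    expects once an IDS has started rejecting every request."""
    recent = list(statuses)[-window:]
    return len(recent) == window and all(s == 403 for s in recent)


if __name__ == "__main__":
    # Constructed samples: a basic-auth pair, and Jason's "200 on both outcomes" app.
    samples = [
        ("basic-auth ok", Response(200, body="<h1>Welcome</h1>"), LoginCriteria()),
        ("basic-auth denied", Response(401, {"WWW-Authenticate": 'Basic realm="demo"'}), LoginCriteria()),
        ("form re-shown (200)", Response(200, body='<form><input name="username">'
                                                 '<input type="password" name="password"></form>'),
         LoginCriteria()),
        ("redirect to /login", Response(302, {"Location": "/login?error=1"}),
         LoginCriteria(failure_redirect_re=r"/login")),
    ]
    for label, resp, crit in samples:
        print(f"{label:22s} -> {'success' if login_succeeded(resp, crit) else 'failure'}")
    print("blocked:", looks_blocked([200, 403, 403, 403, 403, 403]))
```

The order of checks matters: body regexes and the redirect rule are evaluated before any status-code rule, so a site that returns 200 on every outcome is classified by what it says rather than by the code it sends, and the default "not 4xx/5xx" rule only applies when the user has supplied nothing more specific.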