Nmap Development mailing list archives
Re: backorifice-brute NSE script
From: Ron <ron () skullsecurity net>
Date: Wed, 15 Jun 2011 17:49:21 -0500
Hey,

My opinions on this - and feel free to ignore if this has already been solved:

- The -brute script and -version script should be separate, and the -version should depend on -brute so it doesn't run every time.
- I tend to err on the side of more information rather than less - most scanners can give you the simple yes/no if a service exists or is vulnerable, but NSE's real power is going the extra step and getting information from services.
- Typically on Nessus, we use the setting thorough_tests to decide whether to scan just the default port, or to scan every un-identified port. I don't think scanning every unidentified udp port is possible or advisable, though.

Ron

On Tue, 3 May 2011 00:32:21 +0200 Gorjan Petrovski <mogi57 () gmail com> wrote:
Hello,

I've been somewhat busy this weekend, and the result is a backorifice-brute script that utilizes the brute library to guess passwords against the BackOrifice service. The backorifice class contains the basic functions for encryption and a try_password function which sends an encrypted PING packet to the service and checks whether the response is correct.

This script is nearly finished, since some things are still unclear to me:

- The service itself can be configured to work on any port, and the only way to verify that a BackOrifice service is running is to send an encrypted PING packet using the correct password. What kind of a rule should this script be initiated by? Currently it's a shortport.port_or_service(31337, "BackOrifice", "udp"), which obviously can't be run against any port. Nmap recognizes a BackOrifice service only for an open|filtered 31337 port, and the probe uses a PING packet encrypted with the default seed.
- I liked Toni Ruottu's suggestion where the backorifice-brute script updates the version info for the BackOrifice service, so then backorifice-info can be automatically initiated once a password has been found. Should a brute script update version info?
- Which socket timeout is best for this kind of script? (I put 3000 ms)
- Why shouldn't I put 50 or 100 bruteforcing threads?
- Should I post works-in-progress like this to nmap-dev, or only to my mentor?

The example script output looks like this:

31337/udp open|filtered BackOrifice
| backorifice-brute.nse:
|   Accounts
|     michael => Login correct
|   Statistics
|_    Performed 10 guesses in 4 seconds, average tps: 2

Cheers,
Gorjan
_______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://seclists.org/nmap-dev/