Nmap Development mailing list archives

RE: Password profiling in NSE


From: Giacomo Mantani <giacomo.mantani () studio unibo it>
Date: Tue, 19 Apr 2016 19:07:27 +0000

On Mon, Apr 18, 2016 7:55 PM, George Chatzisofroniou
<sophron () latthi com> wrote:
> > I have worked on an HTML parser library for the GSoC proposal; it
> > enhances http-title and other scripts. Maybe we could use it to do a better
> > information gathering phase.
>
> I had a look at your HTML parser. A problem I see is that it is based on
> PEG, making it memory-consuming. An alternative would be a pull-driven
> library, such as Pico XML [1], which has been referenced a few times
> on this list.

I am not sure about that. LPeg seems a good choice for the following reasons:

* We already have LPeg integrated into NSE.
* It is already shipped with a Lua package.
* It is under development and well documented.
* It is flexible: you do not need to define a full grammar.
* First-class patterns allow breaking complex definitions into smaller parts.
* Last but not least, we already have a parser structure ;)

I have not tested memory consumption, but I actually think it is not too
cumbersome.

> If there is an efficient HTML parser in place, we could potentially
> grab the most frequent words in an HTML response and feed them to our
> pwdprofile library.
>
> > Speaking about more complicated mangling algorithms, passwords are often made up
> > only of characters that are on the keyboard. I think that really few people use
> > characters outside it (not displayed). We could leverage this supposition to
> > get a subset of characters to use in the mutation algorithm. In addition, we could
> > take advantage of the target country to guess the keyboard layout.
>
> I'm not sure I understand what you mean here. We are still mounting a
> dictionary attack (rather than raw brute forcing). The patch I
> posted replaces letters with their leet alternatives already.

In mounting the dictionary we could add words that are common in the specific
country we gathered. Let me try to explain it with an example:

If we guess that the target is from Italy, we could suppose that it uses an
Italian QWERTY keyboard. Doing so we could omit words with special characters
not present in the Italian alphabet, like ( Ü,ß,б,ы,т,ь,г,о,в,р,и,ê,ñ ).

I will ping you on IRC,
Giacomo

________________________________________
From: George Chatzisofroniou [sophron () latthi com]
Sent: Monday, April 18, 2016 7:55 PM
To: Giacomo Mantani
Cc: nmap list
Subject: Re: Password profiling in NSE

On Fri, Apr 15, 2016 at 3:36 AM, Giacomo Mantani
<giacomo.mantani () studio unibo it> wrote:
> I am an interested GSoC student; it seems useful. I could help you develop some
> features if you want and the community approves your work, independently of being
> approved or not in the Summer of Code program (results will be public on 25
> April).

Great. I'm available for helping you out. Feel free to ping me on IRC
(my handle is sophron and I'm on Freenode) to discuss the next steps
we should take.

> I have worked on an HTML parser library for the GSoC proposal; it
> enhances http-title and other scripts. Maybe we could use it to do a better
> information gathering phase.

I had a look at your HTML parser. A problem I see is that it is based on
PEG, making it memory-consuming. An alternative would be a pull-driven
library, such as Pico XML [1], which has been referenced a few times
on this list.

If there is an efficient HTML parser in place, we could potentially
grab the most frequent words in an HTML response and feed them to our
pwdprofile library.

> Speaking about more complicated mangling algorithms, passwords are often made up
> only of characters that are on the keyboard. I think that really few people use
> characters outside it (not displayed). We could leverage this supposition to
> get a subset of characters to use in the mutation algorithm. In addition, we could
> take advantage of the target country to guess the keyboard layout.

I'm not sure I understand what you mean here. We are still mounting a
dictionary attack (rather than a raw brute forcing). The patch I
posted replaces letters with their leet alternatives already.

> Do you already have a repository with some version control software?

I haven't, but I can if this is going to help you contribute.

[1]: https://sourceforge.net/projects/picoxml/

--
George Chatzisofroniou
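The two ideas in this thread (feeding a page's most frequent words into a password profile, and leet mangling restricted to the characters of a guessed keyboard layout) as an added, stand-alone Python example written for this archive page. It is not NSE code, not the pwdprofile library and not the patch being discussed; the sample HTML, the leet table and the Italian QWERTY character set are constructed assumptions. It is framed from the defender's side: a proposed password is rejected when it is a predictable variant of the site's own vocabulary.

```python
# Added example (not NSE, pwdprofile or the patch from the thread): a
# weak-password check built from a page's own vocabulary. Steps:
# (1) collect the most frequent visible words in an HTML body,
# (2) expand them with common leet substitutions,
# (3) keep only candidates typeable on an assumed keyboard layout,
# (4) flag proposed passwords that match. All inputs below are constructed.
from collections import Counter
from html.parser import HTMLParser
from itertools import product
import re

# Constructed sample page; the <script> body must not count as vocabulary.
SAMPLE_HTML = """<html><head><title>Acme Widgets</title></head>
<body><h1>Acme Widgets</h1><p>Acme builds widgets. Acme widgets are
the best widgets. Contact Acme support for widgets.</p>
<script>var ignored = 'widgets widgets widgets';</script></body></html>"""

# Leet table (assumed; letter -> alternative spellings).
LEET = {"a": "4@", "e": "3", "i": "1!", "o": "0", "s": "5$", "t": "7"}

# Characters reachable on an Italian QWERTY layout (assumed set for the example).
ITALIAN_QWERTY = set(
    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
    "àèéìòùç°§£€!\"$%&/()=?'^+*[]@#<>,.;:-_ "
)


class VisibleText(HTMLParser):
    """Collect words from visible text, skipping <script> and <style> bodies."""

    def __init__(self):
        super().__init__()
        self.words = []
        self._hidden = 0

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._hidden += 1

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._hidden:
            self._hidden -= 1

    def handle_data(self, data):
        if not self._hidden:
            # Unicode letters only, at least three of them.
            self.words.extend(re.findall(r"[^\W\d_]{3,}", data))


def frequent_words(html, n=3):
    """The n most frequent visible words (lower-cased), most common first."""
    parser = VisibleText()
    parser.feed(html)
    parser.close()
    counts = Counter(w.lower() for w in parser.words)
    return [w for w, _ in counts.most_common(n)]


def leet_variants(word, limit=1024):
    """Every spelling of `word` with each letter optionally leet-substituted."""
    choices = [c + LEET.get(c, "") for c in word.lower()]
    variants = set()
    for combo in product(*choices):
        variants.add("".join(combo))
        if len(variants) >= limit:  # bound the expansion for long words
            break
    return variants


def typeable(candidate, alphabet):
    """True when every character of the candidate exists on the layout."""
    return all(ch in alphabet for ch in candidate)


def build_denylist(html, alphabet, n=3):
    """Leet variants of the page's top-n words, restricted to `alphabet`."""
    deny = set()
    for word in frequent_words(html, n):
        deny |= {v for v in leet_variants(word) if typeable(v, alphabet)}
    return deny


def is_predictable(password, denylist):
    """Reject a password that is a denylisted variant, with or without a
    trailing digit suffix such as a year."""
    lowered = password.lower()
    return lowered in denylist or lowered.rstrip("0123456789") in denylist


if __name__ == "__main__":
    deny = build_denylist(SAMPLE_HTML, ITALIAN_QWERTY, n=2)
    for pw in ("W1dg3ts2016", "@cm3", "correct horse"):
        print(pw, "predictable" if is_predictable(pw, deny) else "ok")
```

The alphabet filter is where the layout guess pays off: any variant that needs a character the assumed keyboard cannot produce is dropped before it reaches the denylist, which keeps the candidate set small without losing the spellings a user of that layout would actually type.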
_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
