Nmap Development mailing list archives

Re: [RFC] Username/Password NSE library


From: Fyodor <fyodor () insecure org>
Date: Wed, 18 Jun 2008 00:01:23 -0700

On Tue, Jun 17, 2008 at 10:12:16PM -0500, Kris Katterjohn wrote:

> Here are some ideas (not mutually exclusive of course):

> 1) The ability to grab a username or password at a time

OK.

> 2) The ability to grab the full table of usernames or passwords, or a table of
> a certain size

You might be able to get by with either #1 or #2.  Though my initial
thought is that #1 would be better in that case.

> 3) Maybe the ability to grab just "administrator" usernames

Maybe, though as you mentioned these may generally be at the top of
the username list anyway.  And a smart script which only wants admin
usernames may be better off using its own list because the script may
know if it is likely to be used against Windows, certain devices with
common admin names, etc.  So it may be able to exclude administrator
names from other platforms.

> 4) The ability to grab common default username/password pairs for networking
> devices

I think these lists would be specific to a certain script which scans
such a device/service, so I'd rather let the script use its own lists.

It would be nice if the library tells whether it is using a
user-provided or default list.  I'd generally probably use more
entries from a user-provided list (perhaps all of them), while a
default list can be limited to a much smaller number.

Cheers,
-F
