Re: [RFC] Username/Password NSE library

[Kris Katterjohn <katterjohn () gmail com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Fyodor wrote:
> On Tue, Jun 17, 2008 at 10:12:16PM -0500, Kris Katterjohn wrote:
> > Here are some ideas (not mutually exclusive of course):
> >
> > 1) The ability to grab a username or password at a time
>
> OK.
>
> > 2) The ability to grab the full table of usernames or passwords, or a table of
> > a certain size
>
> You might be able to get by with either #1 or #2.  Though my initial
> thought is that #1 would be better in that case.
>
> > 3) Maybe the ability to grab just "administrator" usernames
>
> Maybe, though as you mentioned theyse may generally be at the top of
> the username list anyway.  And a smart script which only wants admin
> usernames may be better off using its own list because the script may
> know if it is likely to be used against Windows, certain devices with
> common admin names, etc.  So it may be able to exclude administrator
> names from other platforms.
>
> > 4) The ability to grab common default username/password pairs for networking
> > devices
>
> I think these lists would be specific to a certain script which scans
> such a device/service, so I'd rather let the script use its own lists.
>
> It would be nice if the library tells whether it is using a
> user-provided or default list.  I'd generally probably use more
> entries from a user-provided list (perhaps all of them), while a
> default list can be limited to a much smaller number.

So what are your thoughts on how long the default lists should be?  The
general consensus seems to be fairly small (a few hundred).

> Cheers,
> -F

Thanks,
Kris Katterjohn

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iQIVAwUBSFrVsP9K37xXYl36AQJZvQ//VpnKNpAPqnnolcfNJKz5fUMetWKMPM8F
w9CMiH4GN+w3NOQzCwwGPXlvGSbXy7qe/EqiYNb7Xd3MUDz3tXf+7lijFPTc9WX3
eD9VMpULi4mE0QS7kS4QoFzsyYeXxmuiAPFPG//8V86sIUM9A1y77d0OywHTSD8X
2TKG3tXnKyiEKjzy4mEx5lNupNi9Fdgja5VJ3WvLwHgAA+VxMybjXIxl9mYnzXka
cKOsObupZ30+38NneUKu6Qn1IE5wfif9jL5POIUMDRi1I0EJd77SrkjaXi0/cll8
/XDmymbyJpRXKDkuKKw81sAEF8jL6Jew1zTP0tD6BadKMQP5JOlZTyEaaB6XZlu8
0si0tcO7DtbfyojCZKY1n+NbI46oiVEzYVtjfz7aZV6kEgFp04K6QDPl+EgQbaCi
a8FJDG6j0zBc0KEmq64VhDPorqPp5xh2Kw7QpVrtPEkMipWkCqkSHVsf2dhLt1cG
kP1Nh628XegQQyOoHBfiqYd0t33MthqtL1azdkt3svuy9ACUgst0MuiHAvAD3gHr
H+MLRFlulyyvlwoU6Q8DvG8noRF2pH4vgWwX14arazmNou8CG8I5ZwIDMHL1QwCQ
k9O61Tzzr/W8Vu7fLp04lDUf/+EO39BQyCbH5EqESU2P1z14vE8m61rzCFhwF5nK
vGQZzKVdh1c=
=rMSZ
-----END PGP SIGNATURE-----

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org