Re: [RFC] Username/Password NSE library

[Kris Katterjohn <katterjohn () gmail com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Fyodor wrote:
> Hi Kris.  That's an interesting idea, but I think a manual reset
> function would be better.  As you point out, the implicit reset is a
> pain if your script only tries, say, the first 100 passwords for each
> username.  You shouldn't have to cycle through thousands more
> passwords just to get to the beginning again for the next username.
>
> Also, I think the code is easier to read and understand if the script
> has to call reset manually than if it relies on magic side effects
> like this.

OK, following with the thread mutex string parameters, I've added the single
optional argument of "reset" to the closure for this.  All this does is reset
the list, it does not return a username or password.

I've attached a new library with this functionality.

> Cheers,
> -F

Thanks,
Kris Katterjohn

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iQIVAwUBSGFU0f9K37xXYl36AQJlxQ//UDXFOn8J3ZseuNQDxbgoxLoWBMxiIDZp
PKjE+RqE5W/gfDMwWggJEUvJpCIhGLLcycfpBL/G9YFRyAyboewH3IqcB6rcLEzZ
2AFPFiwRsANPummvH5sANPlX6VPpYMkOHphf/3kt9Tf6lbbAPrtz+kvYgV734tM5
yB5oEbQyfrFf2q9VUIC7EVExClMOhqvqkvcEK/WsGFeWXeoZ2pu2M6/2nl8IXYqR
9cQ49qbMk9ukRYNxwwgDvaFOp5A6TCEAPg9FEQ2iTQL+ytac+9Q8f/cFyYlzi9y1
Pfnwlrb8r29fgfCRjntzmtS2JPpcInQBHcSzNk1raaJ+FTN0NXyuSQCKxsZR7qGr
JJV90nswn+51tcoSrMPm/+ZxihO4N+7StbpBRNJYFbPd+K8Ym6hNHy8lizQwfGqU
R/wBfBSjWxlnBTgaUvJiHbYDvHJaGOu4M5b7rWbWizJuAUTt3jiljIokS6BD4+FC
wEzfZ7VIgjodORIJNT9/dNf/W7w1YEdFsYz1zyG8k2Dod37DdS16Y7Y7/i9VYPKI
LmeBzBhYB51UN88g5CC5TASJmEcKDdtvx+W69PZCi3t7hwznXV1iZUjdiwddGQBB
mB6rbZ4aEjYBPzdkBu7JFL2owS6CH5pVFfVceiSFgfBLJYpFWt85d3hsJ3uc7qcu
MRyFqGbpRJU=
=Cfy2
-----END PGP SIGNATURE-----

-- Kris Katterjohn 06/2008

module(..., package.seeall)

---- Username/Password DB Library
--
-- usernames() - Returns a closure which returns a new username with every call
-- until the username list is exhausted (in which case it returns nil)
--
-- passwords() - Returns a closure which returns a new password with every call
-- until the password list is exhausted (in which case it returns nil)
--
-- These functions return multiple values for use with exception handling via
-- nmap.new_try().  The first value is the boolean success indicator, the
-- second value is the closure, and the last value is a boolean value indicating
-- whether or not the list read from is user-defined (true) or not (false).
--
-- The closures can take a parameter of "reset" to rewind the list to the
-- beginning.
--
-- You can select your own username and/or password database to read from with
-- the script arguments userdb and passdb, respectively.  The databases are
-- read line-by-line and recorded verbatim, so no comments are allowed (this
-- could get confused with a real username or password).
--
----

local usertable = {}
local passtable = {}

local userfile = function()
        if nmap.registry.args.userdb then
                return true, nmap.registry.args.userdb
        end

        return false, nmap.fetchfile("nselib/usernames.lst")
end

local passfile = function()
        if nmap.registry.args.passdb then
                return true, nmap.registry.args.passdb
        end

        return false, nmap.fetchfile("nselib/passwords.lst")
end

local filltable = function(filename, table)
        if #table ~= 0 then
                return true
        end

        local file = io.open(filename, "r")

        if not file then
                return false
        end

        while true do
                local l = file:read()

                if not l then
                        break
                end

                table[#table + 1] = l
        end

        file:close()

        return true
end

local closure = function(table)
        local i = 1

        return function(cmd)
                if cmd == "reset" then
                        i = 1
                        return
                end
                local elem = table[i]
                if elem then i = i + 1 end
                return elem
        end
end

usernames = function()
        local custom, path = userfile()

        if not path then
                return false, "Cannot find username list", custom
        end

        if not filltable(path, usertable) then
                return false, "Error parsing username list", custom
        end

        return true, closure(usertable), custom
end

passwords = function()
        local custom, path = passfile()

        if not path then
                return false, "Cannot find password list", custom
        end

        if not filltable(path, passtable) then
                return false, "Error parsing password list", custom
        end

        return true, closure(passtable), custom
end


_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org