Nmap Development mailing list archives
RE: [RFC] Changes to HTTPAuth, addition of HTTPbrute
From: "Thomas Buchanan" <TBuchanan () thecompassgrp net>
Date: Wed, 25 Jun 2008 08:26:50 -0500
-----Original Message-----
From: Kris Katterjohn [mailto:katterjohn () gmail com]
Sent: Wednesday, June 25, 2008 12:49 AM
To: Thomas Buchanan
Cc: Nmap Dev
Subject: Re: [RFC] Changes to HTTPAuth, addition of HTTPbrute

I've attached a patch against your HTTPAuth that fixes the warning:

SCRIPT ENGINE: ./scripts/HTTPAuth.nse:48: bad argument #1 to 'len' (string expected, got nil)

If a server didn't send a 401 message, string.len() was called on nil. I just made it return if it wasn't a 401, instead of having all of the "real" code inside a conditional block.
The patch looks good. Thanks.
I've also attached a patch to fix some false positives in HTTPbrute. I ran it several times, and one time it gave me 7 false positives. Now that I've fixed that, I'm having the problem of getting my valid username/password pair to succeed: all of the requests are getting 401 responses back. Maybe this is a problem with the base64 library? Or maybe I've done something wrong and will feel stupid after sending this email :)
I applied your patch for HTTPbrute here, and all of my valid user/pass combinations are still working. Not exactly sure what might be the issue, but three possibilities come to mind:

1. Any chance you may have locked out the user account, so that it's returning Unauthorized no matter what?
2. My base64 encoding algorithm uses numerical codes from Lua's string.byte() function, which the docs say "are not necessarily portable across platforms". I don't know if locale or UTF-8 settings could be a problem here?
3. The username/password library doesn't strip whitespace from the end of lines, so maybe an inadvertent space or '\r' could be the culprit?

You can verify that the base64 library is working correctly by using an online encoder, such as this one: http://www.motobit.com/util/base64-decoder-encoder.asp

Let me know if there's anything else I can do to help.

Thanks,
Thomas

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
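Added example (not part of the original message and not code from the Nmap scripts): an offline way to run the checks from points 2 and 3 above, comparing a hand-rolled byte-value encoder against a reference encoder and showing how a trailing '\r' changes the Basic credential. The names `byte_b64`, `encoder_mismatches` and `basic_token` and the sample credentials are constructed for illustration.

```python
import base64

# Known-good input/output pairs from RFC 4648, section 10.
RFC4648_VECTORS = [
    (b"", ""), (b"f", "Zg=="), (b"fo", "Zm8="), (b"foo", "Zm9v"),
    (b"foob", "Zm9vYg=="), (b"fooba", "Zm9vYmE="), (b"foobar", "Zm9vYmFy"),
]
ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"


def byte_b64(data: bytes) -> str:
    """Hand-rolled encoder working on numeric byte values, the way an
    encoder built on string.byte() would (stand-in for the code under test)."""
    out = []
    for i in range(0, len(data), 3):
        chunk = data[i:i + 3]
        pad = 3 - len(chunk)
        n = int.from_bytes(chunk + b"\x00" * pad, "big")
        quad = [ALPHABET[(n >> shift) & 63] for shift in (18, 12, 6, 0)]
        out.append("".join(quad[:4 - pad]) + "=" * pad)
    return "".join(out)


def encoder_mismatches(encode):
    """Return every test input on which `encode` disagrees with the RFC
    vectors or with Python's reference encoder (empty list means it passes)."""
    bad = [v for v, want in RFC4648_VECTORS if encode(v) != want]
    # Every byte value, plus a constructed non-ASCII credential as UTF-8.
    extra = [bytes(range(256)), "\u00fcser:p\u00e4ss".encode("utf-8")]
    bad += [s for s in extra if encode(s) != base64.b64encode(s).decode("ascii")]
    return bad


def basic_token(user_line: str, pass_line: str, strip: bool) -> str:
    """Build the value that follows 'Authorization: Basic ' from two
    wordlist lines, optionally stripping trailing whitespace first."""
    if strip:
        user_line = user_line.rstrip(" \t\r\n")
        pass_line = pass_line.rstrip(" \t\r\n")
    return base64.b64encode(f"{user_line}:{pass_line}".encode("utf-8")).decode("ascii")


if __name__ == "__main__":
    print("encoder mismatches:", encoder_mismatches(byte_b64))
    # Constructed wordlist line read from a CRLF file without stripping.
    print("unstripped:", basic_token("admin", "secret\r", strip=False))
    print("stripped:  ", basic_token("admin", "secret\r", strip=True))
```

If the two tokens differ, the server is being sent a password that ends in a carriage return, which it will reject with a 401 even though the visible credentials are correct.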