Nmap Development mailing list archives
Re: Authentication in SMB/MSRPC
From: David Fifield <david () bamsoftware com>
Date: Tue, 7 Oct 2008 09:07:29 -0600
On Mon, Oct 06, 2008 at 05:54:35PM -0500, Ron wrote:
> I'm working on adding authentication to the SMB nselib right now, but I'm not sure how to do it. Here are the key points:
>
> - Every SMB script will use the same login details
> - Some scripts might determine login details and save them for others (a bruteforcer, for example)
> - Invalid logins can lock out accounts, so this can be very dangerous (it's trivial to check if accounts can be locked out, once we've logged in, but that's a catch-22 :) )
>
> Based on those, I'm wondering how, conceptually, you guys think I should implement this? Basically:
>
> a) Should each .nse script be responsible for picking the login details to use, or should the SMB class find the login details?
>
> b) The login details will be passed in as a parameter, generally, but can also be saved in the nmap registry if they're determined -- if we end up with multiple copies of credentials (maybe the bruteforce found an account, another script found an account, and credentials were passed in), which should be used? (keeping in mind the lock out thing)
>
> c) Should the user be able to pass in a list of accounts to try, or should that be saved for a bruteforce script?
>
> d) If the user DOES have several sets of credentials that we want them to try, is there some way to warn them that they may lock out accounts? Even if they're trying a single set of credentials across multiple hosts (they specify a username/password across a /24 or /16), it'd be nice to confirm that they actually want to do what they're doing.
>
> e) Should there be some way for a user to give username/password pairs for specific hosts, or is that too granular?
Best to play it safe. My impression is that scripts using authentication information should only use information supplied by the user. I think the lockout issue is very important. If we only do what the user has explicitly asked for, there's less chance they will become furious at Nmap when an account gets locked out.

If a bruteforce script finds credentials, it shouldn't try to use them, just display them. You can run the script with the new credentials to get more information from the other scripts. Also, if you try to have one script get authentication details from another, it gets more complicated because one has to run before the other and you reduce the possible parallelism. Plus there's the "which credentials to use?" problem you mentioned in (b).

David Fifield

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
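The policy David describes, written out as an added example (this is not code from the thread or from nselib): credentials are resolved only from explicit script arguments, and anything a bruteforce script discovers is recorded for reporting but never consumed by other scripts. The argument names `smbusername`, `smbpassword`, `smbdomain` and the registry key `smb_found` are assumptions for illustration.

```lua
-- Added example, not part of the original post or of nselib.
-- Script-arg names and the registry key below are assumptions.
local stdnse = require "stdnse"
local nmap = require "nmap"

local _M = {}

-- Resolve the single set of credentials every SMB script will use.
-- Only explicit user input counts; entries other scripts stored in the
-- registry are ignored on purpose, so no script attempts a login the
-- user did not ask for (avoids surprise lockouts and run-order coupling).
function _M.get_credentials()
  local user = stdnse.get_script_args("smbusername")
  local pass = stdnse.get_script_args("smbpassword")
  local domain = stdnse.get_script_args("smbdomain") or ""
  if not user then
    return nil, "no credentials supplied; pass --script-args smbusername=...,smbpassword=..."
  end
  return { username = user, password = pass or "", domain = domain }
end

-- Record a credential a bruteforce script found. It goes into the registry
-- for the script's own output only; get_credentials() never reads it, so
-- the user decides whether to re-run with it.
function _M.report_found_credentials(host, user, pass)
  nmap.registry.smb_found = nmap.registry.smb_found or {}
  table.insert(nmap.registry.smb_found,
    { host = host.ip, username = user, password = pass })
  return string.format(
    "valid credentials for %s: %s (not used automatically; re-run with " ..
    "--script-args smbusername=%s,smbpassword=...)", host.ip, user, user)
end

return _M
```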