Nmap Development mailing list archives

Re: Authentication in SMB/MSRPC


From: David Fifield <david () bamsoftware com>
Date: Tue, 7 Oct 2008 09:07:29 -0600

On Mon, Oct 06, 2008 at 05:54:35PM -0500, Ron wrote:
I'm working on adding authentication to the SMB nselib right now, but
I'm not sure how to do it. Here are the key points:

- Every SMB script will use the same login details
- Some scripts might determine login details and save them for others (a
bruteforcer, for example)
- Invalid logins can lock out accounts, so this can be very dangerous
(it's trivial to check if accounts can be locked out, once we've logged
in, but that's a catch-22 :) )

Based on those, I'm wondering how, conceptually, you guys think I should
implement this?

Basically:
a) Should each .nse script be responsible for picking the login details
to use, or should the SMB class find the login details?
b) The login details will be passed in as a parameter, generally, but
can also be saved in the nmap registry if they're determined -- if we
end up with multiple copies of credentials (maybe the bruteforce found
an account, another script found an account, and credentials were passed
in), which should be used? (keeping in mind the lock out thing)
c) Should the user be able to pass in a list of accounts to try, or
should that be saved for a bruteforce script?
d) If the user DOES have several sets of credentials that we want them
to try, is there some way to warn them that they may lock out accounts?
Even if they're trying a single set of credentials across multiple hosts
(they specify a username/password across a /24 or /16), it'd be nice to
confirm that they actually want to do what they're doing.
e) Should there be some way for a user to give username/password pairs
for specific hosts, or is that too granular?

Best to play it safe. My impression is that scripts using authentication
information should only use information supplied by the user. I think
the lockout issue is very important. If we only do what the user has
explicitly asked for, there's less chance they will become furious at
Nmap when an account gets locked out.

If a bruteforce script finds credentials, it shouldn't try to use them,
just display them. You can run the script with the new credentials to
get more information from the other scripts.

Also, if you try to have one script get authentication details from
another, it gets more complicated because one has to run before the
other and you reduce the possible parallelism. Plus there's the "which
credentials to use?" problem you mentioned in (b).

David Fifield

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
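As an added illustration of the policy David argues for (this is example code, not code from the Nmap project or from either poster), a hypothetical Lua helper for an SMB library: credentials come only from script arguments the user passed, a per-host override answers question (e), and anything a bruteforce script discovers is recorded for reporting only and never read back by the library. The argument names `smbusername`, `smbpassword`, `smbdomain` and `smbcredentials`, and the `ip:user:pass` per-host syntax, are assumptions.

```lua
-- Hypothetical credential selection for an SMB nselib, written from the
-- policy in this thread. Argument names and the per-host syntax are
-- assumptions, not the real library's interface.

-- "10.0.0.5:alice:secret,10.0.0.9:bob:" -> { ["10.0.0.5"] = {...}, ... }
-- (constructed sample syntax; an empty password is allowed)
local function split_host_pairs(spec)
  local by_host = {}
  for entry in string.gmatch(spec or "", "[^,]+") do
    local ip, user, pass = string.match(entry, "^([^:]+):([^:]*):(.*)$")
    if ip then by_host[ip] = { username = user, password = pass } end
  end
  return by_host
end

-- Returns the single credential set to use for host.ip, or nil when the
-- user supplied none. Only user-supplied arguments are consulted: nothing
-- found by a bruteforcer or by another script is ever reused, so a run
-- never attempts a login the user did not explicitly ask for (the lockout
-- concern raised in the thread). A host-specific pair wins over the
-- global one, so at most one login is tried per host.
function get_user_credentials(args, host)
  local per_host = split_host_pairs(args["smbcredentials"])
  if per_host[host.ip] then return per_host[host.ip] end
  if args["smbusername"] then
    return { username = args["smbusername"],
             password = args["smbpassword"] or "",
             domain   = args["smbdomain"] }
  end
  return nil
end

-- A bruteforce script records what it found for its own output only; the
-- library above deliberately never looks at this table, and the user has
-- to pass the credentials explicitly on a later run to make use of them.
function record_found_account(registry, host, username, password)
  registry.smb_found = registry.smb_found or {}
  registry.smb_found[host.ip] = registry.smb_found[host.ip] or {}
  table.insert(registry.smb_found[host.ip],
               { username = username, password = password })
end
```

Inside a script the first function would be called as `get_user_credentials(nmap.registry.args, host)`, since `nmap.registry.args` is where NSE exposes the user's `--script-args` values.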

