Nmap Development mailing list archives

Re: Authentication in SMB/MSRPC


From: Ron <ron () skullsecurity net>
Date: Tue, 07 Oct 2008 05:36:25 -0500

David Fifield wrote:
> On Mon, Oct 06, 2008 at 05:54:35PM -0500, Ron wrote:
>
> Best to play it safe. My impression is that scripts using authentication
> information should only use information supplied by the user. I think
> the lockout issue is very important. If we only do what the user has
> explicitly asked for, there's less chance they will become furious at
> Nmap when an account gets locked out.
>
> If a bruteforce script finds credentials, it shouldn't try to use them,
> just display them. You can run the script with the new credentials to
> get more information from the other scripts.
Well, my thought was if you're running it across a significantly sized network with a list of common accounts/passwords, you might want it to use the passwords it finds, especially if the auditor knows that lockouts are disabled. Additionally, the 'administrator' account can rarely be locked out and the 'guest' account rarely has a password set if it's enabled, so they might want to bruteforce just those two.

If the scripts are expanded to the point where they can do deeper vulnerability assessments, being able to use passwords found could be very valuable, especially if you're scanning a couple thousand hosts.

Obviously, it shouldn't be a default thing, but I can see it being handy.


> Also, if you try to have one script get authentication details from
> another, it gets more complicated because one has to run before the
> other and you reduce the possible parallelism. Plus there's the "which
> credentials to use?" problem you mentioned in (b).
Well, with SMB the parallelism is shot anyways, because you can't make more than one SMB connection to a server simultaneously (a fault of the protocol).

But isn't there some mechanism for doing that in Nmap scripts already? Runlevel, I think? Or was that a theoretical thing?


> David Fifield

Ron

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
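One way to encode the policy the two are discussing, as an added example in NSE-style Lua that is not a script from the Nmap tree: user-supplied credentials are always honoured, credentials a guessing script finds are displayed but only handed to other scripts when the user opts in, and the consuming script uses the runlevel field Ron mentions to run after the producer. `nmap.registry.args` and the `smbusername`/`smbpassword` argument names are the ones Nmap's SMB code used; the `smb-use-found-creds` flag, the helper names, the `found_creds` registry key and the assumption that `runlevel` orders script execution are mine.

```lua
-- Shared helper (assumed to live in a library both scripts load).
-- Precedence: explicit user arguments first; credentials recorded by
-- another script only when the user asked for that. Otherwise nil, so
-- a script with nothing explicitly authorised does not touch the host.
local function credentials_for(host)
  local args = nmap.registry.args or {}
  if args.smbusername then
    return args.smbusername, args.smbpassword or ""
  end
  -- Hypothetical opt-in flag; the safe default is to leave it unset.
  if args["smb-use-found-creds"] == "true" then
    local found = nmap.registry.found_creds        -- assumed registry key
    local entry = found and found[host.ip]        -- keyed per host
    if entry then return entry.user, entry.pass end
  end
  return nil
end

-- Called by a guessing script when a pair works. Always produces output
-- for the user; stores the pair for later scripts only under the opt-in.
local function record_found_credentials(host, user, pass)
  local args = nmap.registry.args or {}
  if args["smb-use-found-creds"] == "true" then
    nmap.registry.found_creds = nmap.registry.found_creds or {}
    nmap.registry.found_creds[host.ip] = {user = user, pass = pass}
  end
  return string.format("Valid credentials: %s:%s", user, pass)
end

-- Consumer script skeleton: runlevel 2 so it runs after the runlevel 1
-- producer (assumes the ordering Ron asks about exists).
runlevel = 2
portrule = function(host, port)
  return port.number == 445 and port.state == "open"
end
action = function(host, port)
  local user, pass = credentials_for(host)
  if not user then
    return nil  -- nothing explicitly authorised: do nothing, guess nothing
  end
  -- authenticate with user/pass here and continue with the real check
  return "Would authenticate as " .. user
end
```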
