Nmap Development mailing list archives

Re: Authentication in SMB/MSRPC


From: Ron <ron () skullsecurity net>
Date: Tue, 07 Oct 2008 09:29:26 -0500

Fyodor wrote:
> On Tue, Oct 07, 2008 at 05:36:25AM -0500, Ron wrote:
> >
> I agree.  Though we do need to be careful not to exceed the
> intrusiveness level desired by the user.  So it can be a tough balance
> to strike.
>
> Serious brute force scripts are generally not going to be default
> anyway.  So if someone specifies those (along with other scripts),
> they may very well be doing so in order that found credentials can be
> used in the scan.
>
> If there is a lockout, it will generally happen during the brute force
> session, not in subsequent logins.
>
> So if we don't let scripts use discovered (by whatever mechanism)
> authentication credentials by default, we should at least provide an
> option to do so IMHO.
>
> If Nessus determines authentication credentials, does it automatically
> use them?
>
> Cheers,
> -F

I don't believe Nessus will dig like that. But I know that some applications will attempt to find holes and use those holes to scan more deeply (Core Impact comes to mind, among others).

I don't think Nessus will even attempt bruteforce attacks, though, although I could be wrong. Most Nessus scripts will detect a vulnerability, but won't use it to obtain more information.

At the same time, I don't think anybody wants to turn Nmap into an exploitation tool, so we sort of have to draw the line somewhere. I was thinking of adding bruteforce because other Nmap scripts do the same. Which just made me think -- if one of the other bruteforce scripts is successful (telnet, pop3, snmp, etc), should it store the credentials in the registry? It seems like you can line up scripts pretty nicely like that, "if script A or B finds SNMP credentials, then script C will use those credentials to walk the SNMP tree and display the information."

Of course, that's getting pretty intrusive, which is probably the core issue here -- how intrusive is "too intrusive"?

Ron
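The hand-off Ron describes (script A or B stores found credentials, script C consumes them) and the opt-in Fyodor asks for can be sketched as a small shared helper. This is an added illustration, not code from this thread or from Nmap itself; `credstore` and its functions are hypothetical, and a plain table stands in for `nmap.registry` so it runs under stock Lua. (Nmap later shipped a real `creds` NSE library for this purpose.)

```lua
-- credstore.lua: hypothetical helper for passing discovered credentials
-- between NSE scripts through a shared registry table. Inside NSE the
-- table would be nmap.registry; a plain table is used here so the module
-- runs under stock Lua without Nmap.
local registry = {}

local M = {}

-- Key by host and service so credentials found for SNMP on host A are
-- never handed to a script probing SMB on host B.
local function key(host, service)
  return host .. "/" .. service
end

-- Called by a brute-force script (telnet, pop3, snmp, ...) on a successful
-- login. Returns how many credential pairs are now stored for that key.
function M.store(host, service, user, pass)
  local k = key(host, service)
  registry[k] = registry[k] or {}
  table.insert(registry[k], { user = user, pass = pass })
  return #registry[k]
end

-- Called by a consumer script. Credentials supplied explicitly by the user
-- (e.g. via script arguments) are always returned; credentials discovered
-- by other scripts are only returned when the user opted in with
-- opts.use_discovered, which keeps the default scan non-intrusive.
function M.get(host, service, opts)
  opts = opts or {}
  local found = {}
  if opts.user and opts.pass then
    found[#found + 1] = { user = opts.user, pass = opts.pass, source = "argument" }
  end
  if opts.use_discovered then
    for _, c in ipairs(registry[key(host, service)] or {}) do
      found[#found + 1] = { user = c.user, pass = c.pass, source = "discovered" }
    end
  end
  return found
end

-- Clears the store (useful between test runs).
function M.reset()
  registry = {}
end

return M
```

With `use_discovered` left unset, `M.get` returns only the argument-supplied pair even when a brute script has already stored a hit for that host and service.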

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org

