Nmap Development mailing list archives

Re: Authentication in SMB/MSRPC


From: Fyodor <fyodor () insecure org>
Date: Tue, 7 Oct 2008 12:46:10 -0700

On Tue, Oct 07, 2008 at 09:29:26AM -0500, Ron wrote:

> I don't believe Nessus will dig like that. But I know that some
> applications will attempt to find holes and use those holes to scan more
> deeply (Core Impact comes to mind, among others).

Metasploit does too.

> I don't think Nessus will even attempt bruteforce attacks, though,

Then they are missing out on an important attack vector (though one
which is so intrusive that it shouldn't be a default in Nmap) except
maybe in certain extremely trivial forms.

> At the same time, I don't think anybody wants to turn Nmap into an
> exploitation tool, so we sort of have to draw the line somewhere. I was
> thinking of adding bruteforce because other Nmap scripts do the same.
> Which just made me think -- if one of the other bruteforce scripts is
> successful (telnet, pop3, snmp, etc), should it store the credentials in
> the registry? It seems like you can line up scripts pretty nicely like
> that, "if script A or B finds SNMP credentials, then script C will use
> those credentials to walk the SNMP tree and display the information."

Yeah, we had been talking about doing that in our weekly SoC NSE
meetings we had this summer.

> Of course, that's getting pretty intrusive, which is probably the core
> issue here -- how intrusive is "too intrusive"?

Given that the brute force scripts are by their nature non-default and
very intrusive, I'm not sure that using discovered credentials for
further exploration would be escalating the intrusiveness too much.
But it is a hard call.  If the authentication-requiring scripts won't
use discovered credentials by default, we should at least provide the
option.

Cheers,
-F


_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
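The "store it in the registry so script C can pick it up" idea Ron raises above, sketched as a small added Lua illustration. This is not code from the thread or from Nmap itself; it assumes only that NSE exposes `nmap.registry` as a Lua table shared by all scripts for the lifetime of a scan (it does), and the slot name `found_credentials`, the helper names and the sample host/credential values are all constructed for the example. The stub on the first line is there so the file also runs under a plain Lua interpreter.

```lua
-- Added illustration (not from the thread or Nmap's own code): a small
-- producer/consumer pattern for handing discovered credentials between
-- NSE scripts through nmap.registry, the Lua table NSE shares across
-- scripts for the whole scan. The stub below only exists so the file runs
-- under plain Lua; inside Nmap the engine provides nmap.registry itself.
nmap = nmap or { registry = {} }

-- Registry slot name is our own (hypothetical) choice; every cooperating
-- script has to agree on it.
local SLOT = "found_credentials"

-- Producer side: a brute-force style script would call this once it has a
-- working login for `service` (e.g. "telnet") on host `ip`.
function record_credentials(service, ip, user, pass)
  nmap.registry[SLOT] = nmap.registry[SLOT] or {}
  local per_service = nmap.registry[SLOT]
  per_service[service] = per_service[service] or {}
  per_service[service][ip] = per_service[service][ip] or {}
  local list = per_service[service][ip]
  -- several scripts may find the same pair; keep the list free of duplicates
  for _, c in ipairs(list) do
    if c.user == user and c.pass == pass then return list end
  end
  list[#list + 1] = { user = user, pass = pass }
  return list
end

-- Consumer side: credentials recorded for service/ip, or an empty table.
function credentials_for(service, ip)
  local per_service = nmap.registry[SLOT]
  if not per_service or not per_service[service] then return {} end
  return per_service[service][ip] or {}
end

-- Shape of a consuming script's action function. It only reports which
-- stored credentials it would use; the real protocol work (walking an
-- SNMP tree, say) belongs in that script. host.ip and port.service are
-- the fields NSE passes to every portrule/action pair.
function consumer_action(host, port)
  local found = credentials_for(port.service, host.ip)
  if #found == 0 then
    return nil  -- nothing to do; NSE prints nothing for a nil result
  end
  local lines = {}
  for _, c in ipairs(found) do
    lines[#lines + 1] = string.format("would authenticate as %q (from registry)", c.user)
  end
  return table.concat(lines, "\n")
end

-- Stand-alone demonstration with constructed values.
record_credentials("telnet", "192.0.2.10", "admin", "constructed-example")
record_credentials("telnet", "192.0.2.10", "admin", "constructed-example")  -- duplicate, ignored
print(consumer_action({ ip = "192.0.2.10" }, { service = "telnet" }))
```

One caveat the thread does not spell out: NSE runs scripts against a host concurrently, so nothing guarantees the producer has written the registry before the consumer reads it unless the engine orders them. Later NSE versions added a `dependencies` field in the script header for exactly this purpose (a consumer lists the brute-force script it depends on); with the 2008 engine the consumer would have had to cope with an empty slot, which is why `credentials_for` returns an empty table rather than failing. Anything placed in the registry also lives for the whole scan and will appear in whatever output the consuming script prints, so a script that stores working credentials should say so in its description.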

