Nmap Development mailing list archives

Authentication in SMB/MSRPC


From: Ron <ron () skullsecurity net>
Date: Mon, 06 Oct 2008 17:54:35 -0500

Hi all,

I'm working on adding authentication to the SMB nselib right now, but
I'm not sure how to do it. Here are the key points:

- Every SMB script will use the same login details
- Some scripts might determine login details and save them for others (a
bruteforcer, for example)
- Invalid logins can lock out accounts, so this can be very dangerous
(it's trivial to check if accounts can be locked out, once we've logged
in, but that's a catch-22 :) )

Based on those, I'm wondering how, conceptually, you guys think I should
implement this?

Basically:
a) Should each .nse script be responsible for picking the login details
to use, or should the SMB class find the login details?
b) The login details will be passed in as a parameter, generally, but
can also be saved in the nmap registry if they're determined -- if we
end up with multiple copies of credentials (maybe the bruteforce found
an account, another script found an account, and credentials were passed
in), which should be used? (keeping in mind the lock out thing)
c) Should the user be able to pass in a list of accounts to try, or
should that be saved for a bruteforce script?
d) If the user DOES have several sets of credentials that we want them
to try, is there some way to warn them that they may lock out accounts?
Even if they're trying a single set of credentials across multiple hosts
(they specify a username/password across a /24 or /16), it'd be nice to
confirm that they actually want to do what they're doing.
e) Should there be some way for a user to give username/password pairs
for specific hosts, or is that too granular?

Just some thoughts I've come across. The most important one is (a) right
now; the rest will fall into place as I go, I think.

Thanks!
Ron

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
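As an added illustration, not code from Ron's post or from the Nmap nselib, here is one way questions (a), (b) and (d) could be handled inside a library rather than in each script: a single resolution order for credentials (explicit per-host values, then script arguments, then whatever an earlier script stored in the registry, then a null session) plus a per-host, per-user failure budget so the library stops before it risks locking an account. It is plain Lua so it runs outside Nmap; the `args` and `registry` tables, the key names (`smbuser`, `smbpassword`, `smb_hostcreds`, `smb_accounts`) and the chosen priority order are all assumptions for the example, not nselib interfaces.

```lua
-- Added example, not part of the original post or of nselib.
-- `args` stands in for script arguments and `registry` for nmap.registry;
-- both are assumptions so the snippet runs stand-alone.

local M = {}

-- Pick the credentials to use for `host`, most specific source first.
-- Returns the credential table and a label saying where it came from,
-- so a script can report (or a user can audit) which source was used.
function M.resolve_credentials(host, args, registry)
  -- 1. per-host pair given explicitly by the user (question (e))
  local per_host = args.smb_hostcreds and args.smb_hostcreds[host]
  if per_host then return per_host, "per-host argument" end
  -- 2. global username/password passed as script arguments
  if args.smbuser then
    return { username = args.smbuser, password = args.smbpassword or "" },
           "script argument"
  end
  -- 3. an account another script (e.g. a brute-forcer) saved for this host
  local found = registry.smb_accounts and registry.smb_accounts[host]
  if found and #found > 0 then return found[1], "registry" end
  -- 4. last resort: anonymous / null session
  return { username = "", password = "" }, "null session"
end

-- A failure budget keyed by (host, user). The library consults it before
-- every login attempt, so no script can silently burn through a user's
-- lockout threshold, whatever order the scripts happen to run in.
function M.new_lockout_guard(max_failures)
  local failures = {}
  local guard = {}

  local function key(host, username)
    return host .. "\0" .. username
  end

  -- true while this (host, user) is still under budget
  function guard.allowed(host, username)
    return (failures[key(host, username)] or 0) < max_failures
  end

  -- record one failed login; returns the running count
  function guard.record_failure(host, username)
    local k = key(host, username)
    failures[k] = (failures[k] or 0) + 1
    return failures[k]
  end

  return guard
end

-- Constructed sample data for a stand-alone run.
local args = { smbuser = "auditor", smbpassword = "example-only" }
local registry = {
  smb_accounts = {
    ["10.0.0.5"] = { { username = "svc_backup", password = "example-only" } },
  },
}

-- The explicit script argument wins over the registry entry for 10.0.0.5,
-- and a host with nothing configured falls back to a null session.
local creds, source = M.resolve_credentials("10.0.0.5", args, registry)
print(creds.username, source)
creds, source = M.resolve_credentials("10.0.0.9", {}, registry)
print(("'%s'"):format(creds.username), source)

-- With a budget of 2, the third attempt against the same user is refused.
local guard = M.new_lockout_guard(2)
for attempt = 1, 3 do
  if guard.allowed("10.0.0.5", "auditor") then
    guard.record_failure("10.0.0.5", "auditor")
    print("attempt " .. attempt .. ": tried and failed")
  else
    print("attempt " .. attempt .. ": refused, failure budget exhausted")
  end
end

return M
```

Keeping both the resolution order and the budget in the library answers (a) with "the SMB class finds the login details", gives (b) a single deterministic answer that scripts can print alongside their results, and makes the warning in (d) enforceable rather than advisory: a script cannot exceed the budget by accident, and the budget can be set well below the domain's lockout threshold.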

