Nmap Development mailing list archives

Re: [NSE] A Lua implementation of NSE


From: Ron <ron () skullsecurity net>
Date: Sat, 17 Jan 2009 22:09:57 -0600

Hey Patrick,

I've finally had time to read this posting, since I'm on vacation. I
just had a couple quick thoughts...

> These are the following ways a thread may yield and whether its host
> will still be charged time.
> [...]
> o A thread blocked on a mutex or condition variable (see nse.condvar)
> will not be charged time.
This may be fixed in other ways (such as your push/pop_handler
function), but one of the things that saved a lot of trouble when Brandon
and I were testing was the fact that a thread that was stuck on a
mutex (that is, waiting on a mutex that would never be released) would
eventually time out, and the execution would end. Am I correct in
thinking that, if you pushed that change, deadlocked scripts would never
finish?

I think it's good if there's some way for scripts stuck in a mutex to
get out, eventually, if there isn't one.

The fact that your push/pop_handler would let me handle an error
condition gracefully means that I can properly release my mutexes if
something bad happens, so that deadlock situation should never happen,
but there's always that chance.

> IV. The NSE API
> ...
This reminded me of something I was thinking about that isn't really
related to your current changes (although you DID ask for other things).
This may already be possible, I don't know enough about Lua, but I'll
ask anyway.

Here's the situation: I have two scripts (smb-brute and smb-pwdump).
smb-brute will bruteforce accounts and find weak passwords. smb-pwdump
will use those accounts to log in and dump the password hashes for all
users on that system.

And what I'd like to do: I'd like to feed those hashes, discovered by
smb-pwdump, back into smb-brute for other servers (at least, other
servers in the current hostgroup). I don't want the scan against any
server to end until every password in the dictionary plus every password
discovered from other systems has been tried. If one of the discovered
passwords works against a system, every system should be attempted with
those passwords until we stop gaining ground. Does that make sense?

So basically, the execution of all scans against the current hostgroup
are dependent on each other.

Is that something that can currently be done?

I'm not opposed to combining those two scripts (smb-brute and
smb-pwdump), since they're both password-stealers, but that isn't really
the issue. The issue is more with how different parallel instances of
the same script communicate.

Ron

-- 
Ron Bowes
http://www.skullsecurity.org/

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
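The cross-instance sharing asked about in the post, together with the point about releasing mutexes when something goes wrong, as an added example that is not part of the original message: it uses the real NSE primitives nmap.registry, nmap.mutex and nmap.condvar, while the pool layout and the function names with_lock, publish, snapshot, close_pool and wait_for_more are my own.

```lua
-- Added example, not the original post's code: a pool shared by all parallel
-- instances of a script, built on nmap.registry, nmap.mutex and nmap.condvar.
local nmap = require "nmap"
-- nmap.registry is one table seen by every script thread for the whole
-- scan, so each instance finds the same pool (created only once).
nmap.registry.cred_pool = nmap.registry.cred_pool or
  { creds = {}, version = 0, closed = false }
local pool = nmap.registry.cred_pool
local lock = nmap.mutex("cred-pool")      -- lock "lock" / lock "done"
local changed = nmap.condvar("cred-pool") -- changed "wait" / "broadcast"
-- Run fn under the mutex and release it on every path, including a Lua
-- error inside fn; a thread that dies holding the lock would otherwise
-- leave every other instance blocked on it for good.
local function with_lock(fn, ...)
  lock "lock"
  local ok, res = pcall(fn, ...)
  lock "done"
  if not ok then error(res, 0) end
  return res
end
-- Record a credential found on one host and wake waiting instances.
local function publish(user, secret)
  with_lock(function()
    local key = user .. "\0" .. secret
    if pool.creds[key] then return end
    pool.creds[key] = { user = user, secret = secret }
    pool.version = pool.version + 1
    changed "broadcast"
  end)
end
-- Copy of the pool plus its version, so a caller can tell later whether
-- anything new has arrived since it last looked.
local function snapshot()
  return with_lock(function()
    local list = {}
    for _, c in pairs(pool.creds) do list[#list + 1] = c end
    return { creds = list, version = pool.version }
  end)
end
-- Mark the pool finished so no instance sleeps forever waiting on it.
local function close_pool()
  with_lock(function() pool.closed = true; changed "broadcast" end)
end
-- Sleep until the pool grows past seen_version or is closed. Call it without
-- the lock: NSE's condvar takes none, and threads are cooperative, so nothing
-- can change between the check and the wait.
local function wait_for_more(seen_version)
  while pool.version == seen_version and not pool.closed do changed "wait" end
  return not pool.closed
end
```

An instance that finishes its own dictionary loops on snapshot and wait_for_more until close_pool is called, so a script that never produces new credentials still terminates instead of hanging on the condvar.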
