Nmap Development mailing list archives
Re: smb-brute: Case sensitive passwords
From: Fyodor <fyodor () insecure org>
Date: Sat, 7 Feb 2009 13:48:47 -0800
On Sat, Feb 07, 2009 at 12:50:34PM -0600, Ron wrote:
> Hey, I just committed a change to how passwords are checked in the smb-brute.nse script (in my experimental branch). I now start with using Lanman, which is case insensitive. Then I bruteforce the case, starting with one uppercase character, then two, etc. I also put the all-uppercase version second, since I'm going to guess it's more common. So for "test", it'd do this:
>
> test TEST Test tEst teSt tesT TEst TeSt TesT tESt tEsT teST TESt TEsT TeST tEST
Hi Ron. I'm quite excited about the new SMB functionality in general! I am speaking at CanSecWest next month and I'm trying to think of good ways to use one or more of the smb scripts to demonstrate the power of the scripts themselves, and of NSE in particular. I haven't thought about it enough, but one idea might be to demonstrate the way the scripts can chain together. I could have a VM running Windows and show how the accounts can be determined by one method (or guessed), then the passwords brute forced, then other scripts take over and determine detailed information about the system.

For the rest of my email, I think I misunderstood your message. I responded with the thought that you were going to try every capitalization combination of every unpw library password in sequence. But now I think I understand that you are verifying using case-insensitive Lanman that a password has the right letters, and then using case-sensitive NTLM to determine the exact case. I think that is a great idea! I'll include the rest of my email, even though I think much of it is based on my misunderstanding, as some of the ideas/data might still be useful for unpw.

On the subject of capitalization, perhaps this capitalization brute force should be an option people have to specify. Or at least it should only happen after all as-is passwords have been gone through. Then it should probably go through all of them with just the first letter capitalized before continuing on to try other capitalization schemes. As you noted, there are only a small number of relatively likely capitalizations. Take a look at a password cracker such as John the Ripper for a good idea of the sort of permutations which are most valuable. Solar Designer based many of his decisions there on real-world testing.
Many people here probably saw the unfortunate phpbb hack a few days ago, where an attacker compromised their databases and posted a list of 28,635 user passwords and more than 100 megabytes of database dumps. Now those passwords are particularly lame, but the capitalization stats are dramatic:

All lower-case passwords: 28,290 (98.8%)
One or more capital letters: 345 (1.2%)

Even with a four letter example such as "test", the capitalization brute force makes the cracking take 16 times as long. On an average password file, it probably takes at least 64 times as long. That's a bitter pill if we're only gaining 1.2%.

Also, it might be better to offer these sorts of permutations in unpw rather than the smb brute force script itself. They are just as applicable to the other brute forcers. As a first order of business, I'll bet that improving our password list by mixing in more data (including, perhaps, the PHP list) would be much more effective than brute forcing every capitalization of the existing words. Though I do agree that having the capitalization brute force option is good to have for when people want an intensive check. I think the key is to timebox (as you mentioned) based on how long the user is likely to want to grind the service, and try the most likely password candidates first.
> One option, if this becomes an issue, is to timebox it, make sure that no crack takes longer than, say, 10 seconds. At 10 seconds (or whatever), give up and move onto the next account. I dislike that idea, though.
I actually think it is promising. Sometimes people just want to do a quick sweep for obvious passwords since they are in a hurry. In other cases they have more time and are willing to spend days trying to crack an account.
> The only real issue is that this script won't find passwords if a server is set to NTLM-only, or if somebody uses a password greater than 14 characters. But I don't think either of those is common enough to matter.
Does Vista still allow Lanman by default? Is there a way to detect whether a server is set to NTLM-only before doing the grinding?

Cheers,
-F

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
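The LM-then-NTLM case search Ron describes, together with the attempt budget (Ron's timebox) and the two caveats in his last message, as an added example in Python. This is not the smb-brute.nse code (that script is Lua) and not Nmap's or unpw's. The lm_check/ntlm_check callbacks are assumed stand-ins for the two SMB authentication round trips, make_server() is a constructed fake target so the code runs offline, and the budget is counted in attempts rather than seconds so the result is deterministic; a wall-clock deadline would be the same idea.

```python
"""Case brute force after a case-insensitive LM match (added example).

Not the smb-brute.nse code (that script is Lua).  lm_check and ntlm_check
are assumed stand-ins for the SMB round trips, and make_server() is a
constructed fake target so the example runs without a network.
"""
from itertools import combinations
from typing import Callable, Iterable, Iterator, List, Optional, Tuple

Check = Callable[[str], bool]
LM_MAX_LEN = 14  # Windows keeps no usable LM hash for passwords over 14 chars


def _upper_at(base: str, positions: Iterable[int]) -> str:
    """Uppercase the characters of base at the given indexes."""
    chars = list(base)
    for i in positions:
        chars[i] = chars[i].upper()
    return "".join(chars)


def case_candidates(word: str) -> Iterator[str]:
    """Case variants in the order Ron described: all-lowercase first,
    all-uppercase second, then one uppercase letter, then two, ... with
    the leftmost positions first inside each group.  Only ASCII letters
    are varied (real LM uppercases via the OEM code page; this is an
    approximation), so a word with no letters yields one candidate."""
    base = word.lower()
    letters = [i for i, c in enumerate(base) if "a" <= c <= "z"]
    yield base
    if not letters:
        return
    yield _upper_at(base, letters)            # all-uppercase, second
    for k in range(1, len(letters)):          # k == len(letters) done above
        for positions in combinations(letters, k):
            yield _upper_at(base, positions)


def crack(wordlist: Iterable[str], lm_check: Check, ntlm_check: Check,
          lm_available: bool = True,
          max_attempts: Optional[int] = None) -> Tuple[Optional[str], int]:
    """Return (password, attempts) or (None, attempts).

    Every lm_check/ntlm_check call is one attempt (one auth round trip).
    LM is a cheap case-insensitive filter: only a word that passes it has
    its case brute-forced with NTLM.  On an NTLM-only server only the
    as-is word is tried, because expanding the case of every word would
    multiply the cost of the whole list (the 16x-to-64x concern above).
    max_attempts is an attempt budget standing in for a time box."""
    attempts = 0

    def budget_left() -> bool:
        return max_attempts is None or attempts < max_attempts

    for word in wordlist:
        if not budget_left():
            return None, attempts
        if not lm_available:
            attempts += 1
            if ntlm_check(word):
                return word, attempts
            continue
        attempts += 1
        if not lm_check(word):
            continue                          # wrong letters, skip all cases
        for cand in case_candidates(word):
            if not budget_left():
                return None, attempts
            attempts += 1
            if ntlm_check(cand):
                return cand, attempts
    return None, attempts


def make_server(secret: str) -> Tuple[Check, Check]:
    """Constructed fake target.  LM compares case-insensitively and does
    not exist at all for a password longer than 14 characters; NTLM is an
    exact, case-sensitive match."""
    def lm_check(word: str) -> bool:
        if len(secret) > LM_MAX_LEN:
            return False
        return word[:LM_MAX_LEN].upper() == secret.upper()

    def ntlm_check(word: str) -> bool:
        return word == secret

    return lm_check, ntlm_check


if __name__ == "__main__":
    words: List[str] = ["password", "test", "admin"]  # constructed list
    lm, ntlm = make_server("tEsT")
    print(crack(words, lm, ntlm))                   # ('tEsT', 13)
    print(crack(words, lm, ntlm, max_attempts=5))   # (None, 5)
    print(list(case_candidates("test")))            # Ron's 16 variants
```

The LM pre-check is what keeps this cheap: the 16 NTLM attempts for "test" are only spent on the one word whose letters already matched, every other word costs a single round trip. The two places Ron's caveats bite are visible in make_server(): a secret over 14 characters never passes lm_check, and with lm_available=False there is no case search at all.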
Current thread:
- smb-brute: Case sensitive passwords Ron (Feb 07)
- Re: smb-brute: Case sensitive passwords Fyodor (Feb 07)
- Re: smb-brute: Case sensitive passwords Ron (Feb 07)
- Re: smb-brute: Case sensitive passwords Fyodor (Feb 07)