Nmap Development mailing list archives
Re: HTTP Brute Force NSE script
From: Ron <ron () skullsecurity net>
Date: Wed, 01 Apr 2009 10:20:32 -0500
David Fifield wrote:
> For user name and password guessing the preferred approach is to use the unpwdb module.
>
> http://nmap.org/nsedoc/modules/unpwdb.html
>
> However I have resisted adding new authentication credentials to http-auth.nse because while it's easy to just add a load of passwords, all they do is slow a scan down unless they are passwords that are actually used. I would prefer to see a list of credentials that is tailored for HTTP services, such as default passwords for weblog software and home router admin pages, with numbers giving a general idea of how often they are used.
>
> David Fifield
unpwdb is definitely the way to go. I'm hoping to improve it in the future, by adding (optional) features for modifying passwords (adding characters to the end, etc). Maybe we can have a separate "default password" list, too?
Me and Brandon have been working on improving password lists (mostly Brandon -- all I've been doing is collecting lists). Basically, collecting stats on the most common passwords/password forms, and we will hopefully be able to integrate the new knowledge into unpwdb.
Ron

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org