Nmap Development mailing list archives

Re: HTTP Brute Force NSE script


From: João <3rd.box () gmail com>
Date: Wed, 1 Apr 2009 20:24:44 -0300

Hey David, thanks a lot for the feedback.

On Wed, Apr 1, 2009 at 11:57 AM, David Fifield <david () bamsoftware com> wrote:
> On Wed, Apr 01, 2009 at 04:13:07AM -0300, João wrote:
> > Today I was studying coding in NSE and for such a task I've tried
> > to develop a simple script. I've based myself on the other scripts
> > that are available with nmap and I've written a small script for
> > performing HTTP Brute Forcing based on wordlists.
> >
> > Of course it is very slow by now. I've used only functions that are
> > already done in nselib. Soon I'll try to write a few more functions to
> > improve performance (such as pipelined http requests).

> Thanks João, this script looks very well written. Were you aware of the
> http-auth.nse script (http://nmap.org/nsedoc/scripts/http-auth.html)? It
> seems to do almost exactly the same thing. Maybe you can comment on
> advantages each script has over the other?

Yes. Actually I've used http-auth.nse as a reference for the
authorization requests. http-auth-nse only checks if the server
requires authorization and attempts two pairs of login/password. The
script I've written collects pairs from files with usernames and
passwords. The basic advantage is having files for that, and not
keeping the data inside the script.

As I'm a GSoC aspirant, I've decided to learn NSE as fast as possible.
The script I've written was kind of a "Hello World" for me and NSE. I
know that it is not the best one and that it can be improved in many
ways. The point of developing it was only "scientific". Even because
it is too slow for daily use. Anyway, I'm very glad because it provided
some good lessons about NSE and because I'm getting this awesome
feedback now.

> We had a patch submitted to add MD5 authentication to http-auth.nse, but
> it needed some work and we haven't seen an updated copy.
>
> http://seclists.org/nmap-dev/2008/q4/0603.html
> http://seclists.org/nmap-dev/2009/q1/0151.html

That's great, I'll take a look and see if I can help!

> > For the script to work properly, the user is supposed to have two
> > wordlists in the same dir as the script. The files are passwords.lst
> > and usernames.lst, and they both have a list of usernames and
> > passwords (kind of obvious :-).

> For user name and password guessing the preferred approach is to use the
> unpwdb module.
>
> http://nmap.org/nsedoc/modules/unpwdb.html

Yeah, I didn't notice unpwdb. I can say that developing the
file reading and parsing was the least fun part. At least it was a
good experience. I'll rewrite the script soon, using unpwdb, but first
there are some other things I want to take care of (like finding a way
to perform requests in parallel to improve performance).

> However I have resisted adding new authentication credentials to
> http-auth.nse because while it's easy to just add a load of passwords,
> all they do is slow a scan down unless they are passwords that are
> actually used. I would prefer to see a list of credentials that is
> tailored for HTTP services, such as default passwords for weblog
> software and home router admin pages, with numbers giving a general idea
> of how often they are used.

Yes. I agree with you about having a good wordlist. Anyway, Ron has
already said that he is working on it.

> David Fifield


Thanks a lot David,

João

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org

