Nmap Development mailing list archives

Re: RFC on Ncrack, A new network authentication cracker


From: Brandon Enright <bmenrigh () ucsd edu>
Date: Fri, 1 May 2009 08:21:55 +0000


On Fri, 1 May 2009 17:31:50 +1000 or thereabouts Professor 0110
<professor0110 () gmail com> wrote:

> I think this is a great idea.
>
> I was also wondering if Nmap will ever integrate Nessus and
> Metasploit like capabilities into it. Maybe not necessarily put as
> part of the Nmap Framework - like Ncrack - but developed by the Nmap
> team.


I'd say that with NSE Nmap has the capability.  Not only does it take a
lot of hard work to develop exploits and checks for security
vulnerabilities, it takes people with talent specific in those areas.
The thing Nessus and Metasploit really have going for them is the
developer talent to come up with and implement so many complicated
checks and exploits.

I think scripts like Ron's smb-* are a perfect example of how Nmap can
be used to do Nessus and Metasploit-like things.

We need to change the perception that the best way to code up exploits,
PoC code, and checks is to turn to Python+scapy or a Metasploit
module.  We need anybody thinking about writing a stand-alone scanner
for some vulnerability (like the Conficker scanner) to think of Nmap as
the fastest, easiest, and most portable way to bring a tool to the
masses.

We're already starting to change people's perceptions.  I think a lot
of people had no idea NSE existed until Ron ported the Conficker
scanning routines to NSE.

We can help this along by porting any open code that could 1) benefit
from NSE's inherent parallelism and 2) benefit from Nmap's exceptional
ability to quickly find services on lots of hosts.

At the risk of being too long-winded, here is an example from my own
experience:

When the RealVNC Auth Bypass vulnerability was discovered I wrote a
check using TCL+Expect+Bash and it was so slow it was barely useful.
My boss then wrote the same check in Java using a bunch of threads.
This was about 10 times faster but used about 100 times as much
memory.  I then wrote the check in perl and had about the same speed as
the Java scanner but wasted far less memory.  I finally ported the
check to an NSE script.  The NSE script uses about the same memory as
the perl check (amortized over many hosts) but is at least 10 times
faster in a default scan and can be made to be hundreds of times faster
with a few Nmap options.  And it is the most accurate of all of the
checks.

The more people that have this sort of experience or hear about things
like this from others the more people will think of Nmap+NSE as a
Nessus/Metasploit alternative/competitor.

In short: we're on the right track.

Brandon


_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
