Nmap Development mailing list archives

Re: Ncrack command-line interface overview


From: ithilgore <ithilgore.ryu.l () gmail com>
Date: Sun, 17 May 2009 13:36:00 +0300

ithilgore wrote:
====== Module Argument Specification ======

Another issue is how each service module will take its arguments. Each module
might need to take arguments that are either unique to it based on the
particular service it handles (e.g. http module needs to take a url) or arguments
that have to do with general timing options like maximum connections per minute
/ maximum login attempts per minute.

This hasn't been implemented yet so I am awaiting your suggestions. One idea
is to specify it like this:

$ ncrack scanme.nmap.org -p ssh,80 -m http:c6,l8,url://main.html -m ssh:c7,t10

Where -m is the module argument switch, cX are the connection attempts per
minute (or another time measurement unit), lX are the login attempts per minute
(both can be applied to all modules) and url:// specifies the url for the http
module only.

Of course, module arguments will be applied to every host that has selected the
particular service for cracking.


-- ithilgore



An issue with the above approach is that since module arguments are applied to
all hosts, we cannot differentiate between unique host-specific arguments. One
example is when we want to provide different url paths for the http module to
attack 2 different web servers. To solve that we could allow url paths to be
inserted next to hostnames to accommodate this problem. Then it would go
like this:

$ ncrack scanme.nmap.org/main.html www.google.com/foo.html -m http:c7

And since we've added url paths, it would enable the http module by default even
if we didn't specify it explicitly in the command-line.
However, if the above scheme is implemented, then we will probably have to
remove netmask functionality in host specification (inherited from Nmap), since it
uses a / to define it (CIDR notation).


In general, do you think that it is important to allow for unique host-specific
arguments? The best way to do it cleanly is completely change the current
implementation and go with a url-like scheme which goes like this (Fyodor
already suggested it in a conversation we recently had):

$ ncrack ssh://scanme.nmap.org:2000,c8,l10 http://scanme.nmap.org/main.html,c10 ssh://10.0.0.10 ftp://10.0.0.10:999,c8

You can notice that the above approach perfectly allows specifying
host-and-service-specific arguments for a unique differentiation between everything.

However, if we do implement that, then

1) we lose the benefit of Nmap's notation for multiple hosts (although it could
be perhaps supported up to a point: imagine specifying something like this:
$ ncrack ssh://10.0.0.*,c8
and it will crack ssh for all 10.0.0.1-254 hosts.
However, using CIDR notation will again be a problem for http url paths.)

2) the user will have to specify the same thing too many times if he wants to
crack different services for the same host, and even more times if he wants to
crack different services for many different hosts.


Having seen the above, it would be best if we arrive at the final resolution
this time, since we now have the complete picture of what might be needed.

Waiting to hear your suggestions,
ithilgore
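The URL-style target syntax proposed above can be checked for ambiguities by writing a parser for it. The following is an added example, not part of the original thread and not Ncrack's own code. It assumes the grammar the post sketches, service://host[:port][/path][,cN][,lN], with cN and lN as the per-minute connection and login limits, and treats a trailing `*` octet as shorthand for hosts .1 through .254 as in the `ssh://10.0.0.*` sketch; the default ports are assumptions for this example. It also shows the CIDR-versus-path collision the post raises: under this grammar `ssh://10.0.0.0/24` parses as host `10.0.0.0` with path `/24`, so the parser rejects a path for any service other than http rather than silently misreading a netmask.

```python
"""Parser for the URL-style target syntax proposed on the nmap-dev thread.

Added example, not Ncrack's own code. Assumed grammar:
    service://host[:port][/path][,cN][,lN]
A '*' octet in a dotted-quad host expands to 1..254 (assumption based on the
post's `ssh://10.0.0.*` sketch). Default ports are assumed for the example.
"""
import itertools
import re
from dataclasses import dataclass
from typing import List, Optional

# Assumed default ports, used when the spec gives none.
DEFAULT_PORTS = {"ssh": 22, "http": 80, "ftp": 21}

TARGET_RE = re.compile(
    r"^(?P<service>[a-z][a-z0-9+.-]*)://"
    r"(?P<host>[^/:,]+)"          # hostname, IPv4, or IPv4 with '*' octets
    r"(?::(?P<port>\d{1,5}))?"    # optional :port
    r"(?P<path>/[^,]*)?$"         # optional /path (only meaningful for http)
)
OPTION_RE = re.compile(r"^(?P<key>[cl])(?P<value>\d+)$")  # cN / lN options


@dataclass(frozen=True)
class Target:
    service: str
    host: str
    port: int
    path: str = ""
    conn_per_min: Optional[int] = None   # cN: connection attempts per minute
    login_per_min: Optional[int] = None  # lN: login attempts per minute


def expand_host(host: str) -> List[str]:
    """Expand '*' octets of a dotted quad into 1..254; other hosts pass through."""
    octets = host.split(".")
    if len(octets) != 4 or not all(o == "*" or o.isdigit() for o in octets):
        return [host]
    choices = [range(1, 255) if o == "*" else [int(o)] for o in octets]
    return [".".join(map(str, combo)) for combo in itertools.product(*choices)]


def parse_target(spec: str) -> List[Target]:
    """Parse one 'service://...' argument into one Target per expanded host."""
    url_part, *opts = spec.split(",")
    m = TARGET_RE.match(url_part)
    if not m:
        raise ValueError(f"cannot parse target {spec!r}")
    service = m["service"]
    if service not in DEFAULT_PORTS:
        raise ValueError(f"unknown service module {service!r}")
    port = int(m["port"]) if m["port"] else DEFAULT_PORTS[service]
    if not 0 < port < 65536:
        raise ValueError(f"port out of range in {spec!r}")
    path = m["path"] or ""
    # The collision the post describes: "host/24" is indistinguishable from a
    # URL path here. A path makes no sense for non-http modules, so reject it
    # instead of quietly treating a netmask as a page.
    if path and service != "http":
        raise ValueError(
            f"{service} takes no path; '/' is ambiguous with CIDR in {spec!r}")
    conn = login = None
    for opt in opts:
        om = OPTION_RE.match(opt)
        if not om:
            raise ValueError(f"unknown module option {opt!r} in {spec!r}")
        if om["key"] == "c":
            conn = int(om["value"])
        else:
            login = int(om["value"])
    return [Target(service, h, port, path, conn, login) for h in expand_host(m["host"])]


def parse_command_line(args: List[str]) -> List[Target]:
    """Parse every target argument, flattening wildcard expansions."""
    targets: List[Target] = []
    for arg in args:
        targets.extend(parse_target(arg))
    return targets


if __name__ == "__main__":
    import sys
    # Default to the post's own example when run without arguments.
    argv = sys.argv[1:] or [
        "ssh://scanme.nmap.org:2000,c8,l10",
        "http://scanme.nmap.org/main.html,c10",
        "ssh://10.0.0.10",
        "ftp://10.0.0.10:999,c8",
    ]
    for t in parse_command_line(argv):
        print(t)
```

Running it on the post's own command line yields four Target records, each carrying its own port, path and rate limits, which is exactly the per-host, per-service differentiation the proposal is after; `ssh://10.0.0.*,c8` expands to 254 records sharing one limit, while `ssh://10.0.0.0/24` is refused, making the netmask problem visible at parse time instead of at connection time.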
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org