Nmap Development mailing list archives

Re: ftp-brute.nse overhaul


From: Fyodor <fyodor () insecure org>
Date: Fri, 18 Sep 2009 19:36:07 -0700

On Fri, Sep 18, 2009 at 02:54:34PM -0500, Ron wrote:
> Hi all,
> 
> I was investigating a way to improve the ftp scripts today, when I 
> noticed that ftp-brute.nse was only checking one account. So, as I love 
> doing, I took it apart and put it back together. Now it uses the unpwdb 
> database.

Thanks Ron!

> I ran into an issue that I was hoping somebody could test on other 
> servers and give opinions on: vsftp responds *very* slowly (about 1 
> second/request), so to run through all 2000 combinations of 
> usernames/passwords would take hours. For that reason, for now, I 
> artificially limited the checks to the first 10 usernames + passwords 
> (with a script-arg to increase that).

Authentication cracking in general can take a long time to finish.  I
doubt I'm the only one here who has had crackers running for months on
end.  I don't think 2,000 combinations is an unreasonable number by
default.  Limiting it to trying just 10 users x 10 passwords makes the
script go fast, but only because it isn't doing much.  I also worry
that it could give a false sense of security to people who assume that
it is doing a more thorough check.  I am glad you added the limits,
but I think 10x10 is too small.  Now if we can speed up the cracking
process itself (rather than just reducing the number of credentials
tried), that would be delightful.  We will probably start sharing the
Ncrack user/pass DB (or at least a subset of it) with Nmap soon.

> * Is this the case on servers besides vsftp as well? If other servers 
> are faster, I'll add some code to detect the behaviour and change the limits.

One idea is to base the limits on time directly (e.g. crack by default
for 1 hour or until the usernames/passwords run out).

> * Is this an acceptable solution? Or does somebody have a better way of 
> doing it?

I agree that we need some default limits, whether they be based on
elapsed time, number of credentials tried, or both.

> * Should this type of function be built right into unpwdb, or done on a 
> per-script basis? I'd like to revamp unpwdb at some point.

I think building this into unpwdb would be ideal.  That allows for
arguments to be shared between our "auth" scripts, and avoids
duplicating the time/credential limitation code.  If possible, it
would be nice if users could also specify per-script arguments in case
they want to set different limits for different scripts.

> * Would this be a case to experiment with multi-threaded scripts? Does 
> that capability exist yet? (I haven't looked into Lua threading.)

We talked about this idea during SoC and Patrick had some
implementation ideas.  The main goal was indeed to make the "auth"
scripts faster.  Patrick, can you tell us more about where we stand in
this respect?  I tend to recall that we weren't too far from being
able to do this.

Cheers,
Fyodor

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
