Nmap Development mailing list archives

Re: Replacing usernames.lst?


From: Ron <ron () skullsecurity net>
Date: Mon, 22 Mar 2010 13:44:42 -0500

This is a cool project that tracks ssh bruteforcing:
http://0au.de/projects/ssh-failures/

According to his stats, the top 10 usernames people attempt are:
#       User
---------------
50604   root
1798    admin
1243    test
944     nagios
634     a
626     user
620     guest
574     oracle
403     temp
393     ts

Obviously, the bruteforcers don't know much that we don't know, but their list is likely better than ours (although they do overlap significantly):
root
admin
administrator
webadmin
sysadmin
netadmin
guest
user
web
test

I'd definitely keep "administrator" from our list. "nagios" and "oracle" are probably promising. 

On Sat, 6 Mar 2010 09:36:38 -0600 Ron <ron () skullsecurity net> wrote:
Since we're discussing passwords.lst, I thought I'd bring up
usernames.lst. In my opinion, its current version isn't especially
useful -- unfortunately, though, it's really hard to generate a
proper username list in advance.

The best way to get a list is to think of protocols that could
generate a list for us and make them dependencies. For example,
smb-enum-users asks the server for a list of usernames, and receives
it. When we have a http-spider.nse someday, we can parse potential
usernames out of its results (I've had great luck with scraping sites
for email addresses and generating user lists from them). 

Off the top of my head I can't think of any other protocols that will
give up a list of users as easily as SMB. Perhaps SNMP has something?
Can anybody think of others?

Once we do, we should look at standardizing where in the registry we
store usernames, and ensure that unpwdb uses that location, if it's
populated, instead of (or in addition to) the real list.

This is one place where Nmap can seriously excel compared to other
brute-forcing tools -- not many tools understand protocols enough to
go through the whole sequence:
1. Discover open ports
2. Probe open ports to get potential usernames
3. Bruteforce to get passwords
4. Use those passwords to get deeper information about the system

But NSE can! 

-- 
Ron Bowes
http://www.skullsecurity.org
http://www.twitter.com/iagox86
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/


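As an added example (not part of Ron's message or of Nmap), here is a small Python script in the spirit of the ssh-failures project linked above: it counts the usernames seen in failed sshd logins from a constructed sample of auth.log lines, prints them in the same "# / User" layout as the quoted stats, and reports which attempted names a list like the ten-entry usernames.lst quoted in the thread does not cover. The log lines are constructed and the regex matches the common OpenSSH "Failed password for [invalid user] NAME from IP" format.

```python
import re
from collections import Counter

# Constructed sample of sshd auth-log lines (not real captured data).
SAMPLE_LOG = """\
Mar 22 13:40:01 host sshd[1001]: Failed password for invalid user admin from 198.51.100.7 port 51234 ssh2
Mar 22 13:40:03 host sshd[1002]: Failed password for root from 198.51.100.7 port 51236 ssh2
Mar 22 13:40:05 host sshd[1003]: Invalid user nagios from 203.0.113.9 port 40001
Mar 22 13:40:06 host sshd[1003]: Failed password for invalid user nagios from 203.0.113.9 port 40001 ssh2
Mar 22 13:40:09 host sshd[1004]: Failed password for root from 203.0.113.9 port 40002 ssh2
Mar 22 13:40:11 host sshd[1005]: Accepted publickey for deploy from 192.0.2.5 port 22000 ssh2
Mar 22 13:40:12 host sshd[1006]: Failed password for invalid user test from 198.51.100.7 port 51240 ssh2
"""

# The ten names quoted from usernames.lst in the thread above.
NMAP_USERNAMES = ["root", "admin", "administrator", "webadmin", "sysadmin",
                  "netadmin", "guest", "user", "web", "test"]

# Only "Failed password" lines are counted; the separate "Invalid user" line
# that OpenSSH logs for unknown accounts would otherwise double-count them.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)


def count_failed_usernames(lines):
    """Count the username in every 'Failed password' line; other lines are skipped."""
    counts = Counter()
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            counts[m.group("user")] += 1
    return counts


def top_users(lines, n=10):
    """Return [(count, user), ...] for the n most-attempted usernames, most frequent first."""
    return [(c, u) for u, c in count_failed_usernames(lines).most_common(n)]


def format_table(rows):
    """Render rows in the same '#  User' layout as the ssh-failures stats quoted in the thread."""
    out = ["#       User", "---------------"]
    out += [f"{count:<8}{user}" for count, user in rows]
    return "\n".join(out)


def uncovered_usernames(lines, wordlist):
    """Attempted usernames that the given list does not contain, most frequent first."""
    known = set(wordlist)
    return [u for _, u in top_users(lines, n=None) if u not in known]


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print(format_table(top_users(lines)))
    print("not in usernames.lst:", uncovered_usernames(lines, NMAP_USERNAMES))
```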