Re: Default time limits for unpwdb

[David Fifield <david () bamsoftware com>]

On Tue, Mar 23, 2010 at 12:45:06PM -0500, Ron wrote:
> On Tue, 23 Mar 2010 11:23:46 -0600 David Fifield
> <david () bamsoftware com> wrote:
> > Here's another patch that adds these script arguments:
> >
> > -- @args unpwdb.userlimit The maximum number of usernames
> > --                        <code>usernames</code> will return
> > --                        (default unlimited).
> > -- @args unpwdb.passlimit The maximum number of passwords
> > --                        <code>passwords</code> will return
> > --                        (default unlimited).
> > -- @args unpwdb.timelimit The maximum amount of time (in seconds)
> > that any
> > --                        iterator will run before stopping.
> >
> > Does it look good? If so I can commit it today. The next step is to
> > increase the size of passwords.lst, so scripts that want to go into
> > more depth can do so.
>
> I haven't looked at the code, but the concept is sound. As long as it
> defaults to some kind of limit, we can probably make the list
> arbitrarily long. As we sort of mentioned, some protocols are fast
> (SMB is bruteforced fast++), and some are slow (vsftpd forces a 2
> second delay between attempts). For that reason, I think time is more
> important. 

I committed this, and increased the size of the password database to
5000. I hope that this won't have any unexpected effects (scripts taking
up to the time of the time limit when they would not have before).

The default time limits come from the unpwdb.timelimit function. They
depend on the timing template level.

-T3 or lower: 10 minutes
-T4:           5 minutes
-T5:           3 minutes

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/