Nmap Development mailing list archives

CouchDB and MongoDB

From: Martin Holst Swende <martin () swende se>
Date: Wed, 03 Feb 2010 22:07:03 +0100

Hi,

I have now implemented the following :
- json.lua is heavily reworked (and now according to specs :)) - except
for Unicode collapsing into UTF-8, which is not done. If you have any
good pointers on how to do that it is welcome. There is an issue with js
null vs lua nil (which are different - lua nil is more like javascript
undefined), which forced me to introduce json.NULL - more info about
that is found in the code.
- Both mongodb-scripts and couchdb scripts reports service version back
to nmap.
-- However, couchdb as it is in the matchlines matches as "httpd". I'm
not saying that is wrong, since http is the protocol used, but it may be
misleading. Can it somehow be both? (There is an html web-interface for
couchdb on http://localhost:5984/_utils/ , which other http-scripts
could be interested in). One snag is that the portrule for couchdb
should really not use "httpd" to match against, since it will give a lot
of false positives - which means that the portrule must match on port
only, and miss couchdb:s on other ports. So, maybe that should be
changed to 'couchdb' ? Or, how should I set the portrule?
- Made json, mongo and couch a bit less verbose.

Attaching the files (but also available from
http://martin.swende.se/hgwebdir.cgi/nsescripts/)

Also, I have been looking a bit at bruteforcing, and have the following
suggestion for a function which maybe could be added to unpwd, so that
iterating can be done on a concatenation of both the passwords and
arbitrary lists - usernames, hostnames, service names etc:

--- Iterator that iterates over a table and another closure
-- Usage
-- for element in concat_iterate({"a","b"},try{unpwdb.usernames()}) do
-- print(element)
-- end
function concat_iterate (t1,t2)
    local i = 0
    -- reset the other iterator here
    t2('reset')
    local n = table.getn(t1)
    local f = function ()
        i = i + 1
        if i <= n then
            return t1[i]
        end
        return t2(n-i)
    end
    return f
end
function test()
     _,usernames = unpwdb.usernames()
    _,passwords = unpwdb.passwords()   
    for username in usernames do
        for password in concat_iterate({username},passwords) do
            stdnse.print_debug( string.format("Trying %s/%s ...",
username, password ) )
        end
        --iterator("reset") Not needed anymore
    end
end
test()

Regards,
/Martin

Attachment: couchdb.tar.gz
Description:

Attachment: mongodb.tar.gz
Description:

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/

Current thread:

MongoDB scripts Martin Holst Swende (Jan 19)
- Re: MongoDB scripts David Fifield (Jan 25)
  - Re: MongoDB scripts Martin Holst Swende (Jan 25)
    - Re: MongoDB scripts Martin Holst Swende (Jan 27)
    - Re: MongoDB scripts David Fifield (Jan 29)
    - Re: CouchDB scripts David Fifield (Jan 29)
    - Re: CouchDB scripts Martin Holst Swende (Jan 31)
    - Re: CouchDB scripts David Fifield (Feb 01)
    - Re: CouchDB scripts David Fifield (Feb 01)
    - CouchDB and MongoDB Martin Holst Swende (Feb 03)
    - Re: CouchDB and MongoDB David Fifield (Feb 15)
    - Re: CouchDB and MongoDB Martin Holst Swende (Feb 22)
    - Re: CouchDB and MongoDB David Fifield (Feb 23)
    - Re: CouchDB and MongoDB Martin Holst Swende (Feb 27)
    - Re: CouchDB and MongoDB David Fifield (Feb 28)
    - Re: CouchDB and MongoDB Patrick Donnelly (Feb 28)
    - Re: CouchDB and MongoDB Martin Holst Swende (Mar 01)
    - Re: CouchDB and MongoDB Patrick Donnelly (Mar 01)
    - Lua and LPeg David Fifield (Mar 05)
    - Re: Lua and LPeg Patrick Donnelly (Mar 05)

(Thread continues...)