Replacing usernames.lst?

[Ron <ron () skullsecurity net>]

Since we're discussing passwords.lst, I thought I'd bring up usernames.lst. In my opinion, its current version isn't 
especially useful -- unfortunately, though, it's really hard to generate a proper username list in advance.

The best way to get a list is to think of protocols that could generate a list for us and make them dependencies. For 
example, smb-enum-users asks the server for a list of usernames, and receives it. When we have a http-spider.nse 
someday, we can parse potential usernames out of its results (I've had great luck with scraping sites for email 
addresses and generating user lists from them). 

Off the top of my head I can't think of any other protocols that will give up a list of users as easily at SMB. Perhaps 
SNMP has something? Can anybody think of others?

Once we do, we should look at standardizing where in the registry we store usernames, and ensure that unpwdb uses that 
location, if it's populated, instead of (or in addition to) the real list.

This is one place where Nmap can seriously excel compared to other brute-forcing tools -- not many tools understand 
protocols enough to go through the whole sequence:
1. Discover open ports
2. Probe open ports to get potential usernames
3. Bruteforce to get passwords
4. Use those passwords to get deeper information about the system

But NSE can! 

-- 
Ron Bowes
http://www.skullsecurity.org
http://www.twitter.com/iagox86
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/