Nmap Development mailing list archives

Re: Replacing usernames.lst?


From: Ron <ron () skullsecurity net>
Date: Sat, 6 Mar 2010 13:57:02 -0600

On Sat, 6 Mar 2010 20:44:21 +0100 Patrik Karlsson <patrik () cqure net> wrote:
> There are also protocols and implementations that won't allow you to
> list all accounts at once but do allow you to determine if an account
> is valid or not. Some cases even allow you to do this without the
> "cost" of an invalid login attempt, e.g. Kerberos [1]. Maybe some sort
> of collector script with a larger usernames.lst could be run against
> such services?
Hmm, that's a great idea! Right now, I implement that type of thing in
smb-brute, since SMB will, in some cases, tell you that you have a bad
username. I could see that being an extra step:

1. Discover open ports
2. Probe open ports to get potential usernames, combine it with the default list
3. Pare down the list using services that allow verification <-- New!
4. Bruteforce to get passwords
5. Use those passwords to get deeper information about the system

My smb-* scripts already do a lot of that -- in fact, points 2, 3, and 4
are all done in smb-brute.nse right now. It'd be great to standardize the
process and break smb-brute.nse into its pieces, then we can leverage
other services to do the same, as you suggested.



>> Once we do, we should look at standardizing where in the registry
>> we store usernames, and ensure that unpwdb uses that location, if
>> it's populated, instead of (or in addition to) the real list.
>>
>> This is one place where Nmap can seriously excel compared to other
>> brute-forcing tools -- not many tools understand protocols enough
>> to go through the whole sequence:
>> 1. Discover open ports
>> 2. Probe open ports to get potential usernames
>> 3. Bruteforce to get passwords
>> 4. Use those passwords to get deeper information about the system
>>
>> But NSE can!

>> --
>> Ron Bowes
>> http://www.skullsecurity.org
>> http://www.twitter.com/iagox86
>> _______________________________________________
>> Sent through the nmap-dev mailing list
>> http://cgi.insecure.org/mailman/listinfo/nmap-dev
>> Archived at http://seclists.org/nmap-dev/


> [1] http://www.cqure.net/wp/krbguess/
>
> //Patrik
> --
> Patrik Karlsson
> http://www.cqure.net
> http://www.twitter.com/nevdull77

-- 
Ron Bowes
http://www.skullsecurity.org
http://www.twitter.com/iagox86
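The registry hand-off sketched in the nested messages above (probe scripts recording usernames, a verifying service paring the list down, and the brute-forcer consulting the registry before the default list), as an added example written for this page: it is not code from the thread, from smb-brute.nse or from Nmap's own libraries. The shared nmap.registry table and the unpwdb.usernames() iterator are real NSE pieces; the key layout registry.usernames[ip][name] = "discovered" | "verified", the function names and the sample accounts are assumptions made up for the example. The file falls back to a local table when "nmap" cannot be required, so it also runs under a plain lua interpreter.

```lua
-- Added example for this page; not code from the thread or from Nmap.
-- Probe scripts (step 2) call usernames.add(), a service that can tell
-- valid from invalid accounts (step 3) calls usernames.verify(), and the
-- brute-forcer (step 4) pulls candidates through usernames.iterator(),
-- which prefers registry entries and only then falls back to the default
-- list (in NSE: the iterator returned by unpwdb.usernames()).
--
-- Assumed layout (not an Nmap convention):
--   registry.usernames[host_ip][name] = "discovered" | "verified"

-- Inside NSE `require "nmap"` succeeds; under a plain Lua interpreter it
-- fails and we fall back to a local table so the file runs stand-alone.
local have_nmap, nmap = pcall(require, "nmap")
local registry = have_nmap and nmap.registry or {}

local usernames = {}

-- Registry bucket for one target (host may be an NSE host table or an IP string).
local function bucket(host)
  local key = type(host) == "table" and host.ip or tostring(host)
  registry.usernames = registry.usernames or {}
  registry.usernames[key] = registry.usernames[key] or {}
  return registry.usernames[key]
end

-- Step 2: record names learned from a probe.  Names are lower-cased so the
-- same account reported by two services is stored once; an entry already
-- marked "verified" is never downgraded to "discovered".
function usernames.add(host, names, state)
  local b = bucket(host)
  for _, name in ipairs(names) do
    local n = name:lower()
    if b[n] ~= "verified" then b[n] = state or "discovered" end
  end
end

-- Step 3: pare the bucket down.  `check(name)` returns true (account
-- exists), false (does not) or nil (service could not tell; keep the name).
-- Clearing fields during pairs() is allowed in Lua as long as no new keys
-- are inserted.
function usernames.verify(host, check)
  local b = bucket(host)
  for name, state in pairs(b) do
    if state ~= "verified" then
      local ok = check(name)
      if ok == true then b[name] = "verified"
      elseif ok == false then b[name] = nil end
    end
  end
end

-- Step 4: candidate iterator for a brute-forcer.  Verified names first, then
-- merely discovered ones, then whatever `default_iter` yields (in NSE:
-- `local ok, default = unpwdb.usernames()`), skipping names already produced.
function usernames.iterator(host, default_iter)
  local b = bucket(host)
  local ordered, seen = {}, {}
  for _, want in ipairs({ "verified", "discovered" }) do
    local group = {}
    for name, state in pairs(b) do
      if state == want then group[#group + 1] = name end
    end
    table.sort(group)  -- pairs() order is unspecified; make the output stable
    for _, name in ipairs(group) do
      ordered[#ordered + 1] = name
      seen[name] = true
    end
  end
  local i = 0
  return function()
    i = i + 1
    if ordered[i] then return ordered[i] end
    if not default_iter then return nil end
    local name = default_iter()
    while name and seen[name:lower()] do name = default_iter() end
    return name
  end
end

-- Stand-alone demo with constructed data (skipped when running inside NSE).
if not have_nmap then
  local host = "192.0.2.10"  -- documentation address, constructed
  -- Pretend an SMB enumeration returned these and a second probe found "backup".
  usernames.add(host, { "Administrator", "svc_sql", "jdoe", "Guest" })
  usernames.add(host, { "backup" })
  -- Pretend a verifying service (a Kerberos pre-auth style probe, say)
  -- confirms three accounts, rejects svc_sql and cannot judge backup.
  local known = { administrator = true, jdoe = true, guest = true, svc_sql = false }
  usernames.verify(host, function(name) return known[name] end)
  -- A short constructed list standing in for usernames.lst.
  local defaults, d = { "root", "admin", "jdoe", "test" }, 0
  local function next_default() d = d + 1; return defaults[d] end
  for name in usernames.iterator(host, next_default) do print(name) end
end

return usernames
```

In a real script the iterator would be handed to the existing per-protocol login loop in place of the bare unpwdb.usernames() iterator, so verified accounts are attempted first and the static list is only reached for names no probe has already produced.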