Default time limits for unpwdb

[David Fifield <david () bamsoftware com>]

The unpwdb library has a unpwdb.timelimit function that suggests how
long password brute-forcing should go on.

http://nmap.org/nsedoc/lib/unpwdb.html#timelimit

A problem is that it is up to the script to enforce the limit. Most
brute scripts don't do it. They keep running until they're exhausted
every credential. They can take an unexpectedly long time if tarpitted
or if the service is just slow.

I propose with the attached patch to add default time limits to the
username and password iterators, so that they start returning nil after
they run out of time. The default time limit would be the return value
of unpwdb.timelimit, or you can specify a limit directly. A limit of 0
means to disable the time limit.

This would allow us to use a bigger password list without worrying about
how it's going to slow down the brute scripts. Scripts wouldn't need any
modification.

David Fifield

Attachment: unpwdb-timelimit.diff
Description:

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/