Nmap Development mailing list archives

Re: [NSE] DB2 library and scripts


From: Fyodor <fyodor () insecure org>
Date: Mon, 10 May 2010 13:24:28 -0700

On Mon, May 10, 2010 at 05:03:50PM +0200, Patrik Karlsson wrote:

> Here's an updated threaded version of the db2-brute script. It seems to run well and quickly against my test systems.
> I failed to get condvar("signal") to work, as in the example, and had to switch to condvar("broadcast") instead.
> Can someone provide some insight into why this happens and to what I'm doing wrong?
> Also, the mutex I'm using to create and add to the nmap.registry.db2users table, is it necessary, and if it is, is it implemented correctly?
>
> Testing, feedback, suggestions and comments are welcome as always.

Thanks Patrik.  This is an exciting script as it would be the first to
use NSE's threading system for parallelization.  That also means it is
extra-important to get it right, as it will likely serve as a template
and standard for future parallelized scripts.  If it works really
well, we might convert the other 11 brute scripts.

I don't have a DB2 instance to test on, but have you done any
benchmarking before and after the change?  It would be interesting to
see how the number of authentication attempts per second is scaling.

This script seems to dedicate a thread per username.  That works great
if you have at least 10 (or db2-brute.threads) usernames, but it means
you lose the parallelization if you are only testing against one
username.  I can see that as being a common case.  For example, I
sometimes get database host names and usernames from web application
error messages, but they usually don't print the password.  That would
be a perfect setup for a db2-brute run against a single username.
Also, this structure forces a somewhat unusual ordering on the
authentication attempts.  Users might want to try all the passwords
for one username before going to the next, or they might want to
iterate the username list for each password in order.  Ncrack does the
latter by default, but also offers --passwords-first for the former
approach.

So maybe it would be best if you have a bunch of doLogin() threads
like you do now, but rather than give each one responsibility for a
whole username, you have doLogin() call a function which obtains the
next desired user/pass pair using unpw iterators.

It looks like the function takes an argument db2-auth.dbname which
should be mentioned in the NSEDoc.  I'm not certain if you chose
db2-auth because that is a good name to share the argument with other
scripts/libraries in the future, or if you changed the script name
from db2-auth to db2-brute and didn't update the argument.

Hopefully Patrick can answer your questions about condvar "signal" and
whether you need a mutex with the db2users table.

It would be interesting to do some benchmarking of Ncrack and NSE
brute scripts against the same services on the same targets (but not
at exactly the same time).  I think that could help both systems
improve.

Cheers,
Fyodor
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
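The worker design Fyodor proposes above (a pool of login threads that each fetch the next user/pass pair from one shared iterator, instead of each owning a whole username), together with the lock-protected shared results table Patrik asks about, written out as an added Python example. It is not code from this thread or from Nmap's NSE (NSE scripts are Lua; only the scheduling and locking logic carries over). All names (`credential_pairs`, `PairSource`, `run_workers`, `simulated_login`) and the sample usernames, passwords and "valid" accounts are constructed for the example; `simulated_login` stands in for the network login.

```python
"""Worker-pool credential scheduling: each worker pulls the next
(user, password) pair from one shared, lock-protected iterator instead of
owning a whole username. Added example; all names and data are constructed."""
import threading
from typing import Callable, Dict, Iterable, Iterator, Optional, Tuple

Pair = Tuple[str, str]


def credential_pairs(usernames: Iterable[str], passwords: Iterable[str],
                     passwords_first: bool = False) -> Iterator[Pair]:
    """Yield pairs in one of the two orderings discussed in the thread.

    passwords_first=False: walk the username list for each password
    (the order Ncrack uses by default).  passwords_first=True: exhaust
    every password for one username before moving to the next."""
    users, pws = list(usernames), list(passwords)
    if passwords_first:
        for u in users:
            for p in pws:
                yield (u, p)
    else:
        for p in pws:
            for u in users:
                yield (u, p)


class PairSource:
    """The shared iterator.  next() on a generator must not be called from
    several threads at once, so every worker takes the lock first."""

    def __init__(self, pairs: Iterable[Pair]) -> None:
        self._it = iter(pairs)
        self._lock = threading.Lock()

    def next_pair(self) -> Optional[Pair]:
        with self._lock:
            return next(self._it, None)


def run_workers(pairs: Iterable[Pair], try_login: Callable[[str, str], bool],
                threads: int = 10) -> Tuple[Dict[str, str], int]:
    """Start `threads` workers that drain `pairs` through one PairSource.

    Returns (cracked user -> password, number of login attempts made).
    The result table is shared by every worker, so writes and the
    'already cracked, skip it' test both go through found_lock; that is
    the job the mutex around nmap.registry.db2users does in the script."""
    source = PairSource(pairs)
    found: Dict[str, str] = {}
    attempts = [0]
    found_lock = threading.Lock()
    finished = threading.Condition()
    alive = [threads]

    def worker() -> None:
        try:
            while True:
                pair = source.next_pair()
                if pair is None:        # iterator drained: this worker is done
                    break
                user, password = pair
                with found_lock:
                    if user in found:   # another worker already cracked it
                        continue
                ok = try_login(user, password)
                with found_lock:
                    attempts[0] += 1
                    if ok:
                        found[user] = password
        finally:
            # notify_all is the equivalent of condvar("broadcast"); the
            # coordinator re-checks `alive` under the lock before sleeping,
            # so a wake-up cannot be missed.
            with finished:
                alive[0] -= 1
                finished.notify_all()

    for _ in range(threads):
        threading.Thread(target=worker, daemon=True).start()
    with finished:
        while alive[0] > 0:
            finished.wait()
    return dict(found), attempts[0]


# Constructed sample data: a pretend server with two valid accounts.
USERNAMES = ["db2admin", "db2inst1", "appuser"]
PASSWORDS = ["password", "db2admin", "letmein", "Spring2010"]
_VALID = {"db2inst1": "letmein", "appuser": "Spring2010"}   # constructed


def simulated_login(user: str, password: str) -> bool:
    """Stands in for the network login; only the scheduling is real here."""
    return _VALID.get(user) == password


if __name__ == "__main__":
    cracked, n = run_workers(credential_pairs(USERNAMES, PASSWORDS),
                             simulated_login, threads=4)
    print(cracked, n, "attempts")
```

Because the unit of work is a pair rather than a username, a run against a single username still keeps all `threads` workers busy, which is the case Fyodor singles out; the `passwords_first` flag gives the user the choice of ordering that Ncrack exposes with `--passwords-first`. The attempt counter returned alongside the results is the number Fyodor suggests benchmarking (attempts per second, before and after the threading change).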
