Nmap Development mailing list archives

Re: [NSE] new scripts and libraries: http


From: David Fifield <david () bamsoftware com>
Date: Thu, 12 Aug 2010 22:48:53 -0600

On Sun, Aug 08, 2010 at 05:31:36PM +0200, Patrik Karlsson wrote:
    x http-brute - performs password guessing against basic authentication
    x http-form-brute - performs form-based password guessing

http-brute looks good. My first idea was to make it have a default path
of /, but requiring a script argument for that is fine too.

In checking for a successful login, I think that it should do more than
check for a 200 response. A 302 and probably others would be interesting
as well. How about checking for not 4xx and not 5xx? Something like an
IDS may start detecting all the requests and start returning 403, and
that would ideally be detected, but that can wait until we get some
actual reports.

Could the cached credentials in nmap.registry.credentials.http be
indexed by the domain and realm? My idea is to introduce a more capable
default http.get function that is capable of following redirects and
using cached authentication automatically. If it knows the domain and
realm it can do this just like a web browser.

http-form-brute looks good, just like I would expect. I suspect that
looking for the nonexistence of uservar and passvar in the body will be
more robust than looking for the nonexistence of 'type=\"password\"'.

You can commit these when you like.

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
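To make the two suggestions above concrete, here is an added example in plain Lua (not code from the thread or from Nmap's own http-brute script): it applies the proposed "not 4xx and not 5xx" success rule to a response table with a numeric status field, as the NSE http library returns, and keeps guessed credentials in a registry table keyed by host and realm. The registry table here is a local stand-in for nmap.registry, and the host, realm and credential values are constructed.

```lua
-- Added example: success rule from the review above plus a credential
-- cache keyed by host and realm. Assumes only that a response is a table
-- with a numeric 'status' field; everything else is self-contained Lua.

-- A login attempt counts as successful unless the status is 4xx or 5xx,
-- so a 302 redirect to a landing page is accepted as well as a 200.
-- A missing response (timeout, connection error) is treated as failure.
local function login_succeeded(response)
  if not response or type(response.status) ~= "number" then
    return false
  end
  local class = math.floor(response.status / 100)
  return class ~= 4 and class ~= 5
end

-- Stand-in for nmap.registry (assumption); a real script would use that
-- table so other http scripts can reuse the credentials.
local registry = { credentials = { http = {} } }

-- Store credentials under host, then realm, so a later request can pick
-- the right pair for the realm named in a WWW-Authenticate header.
local function store_credentials(reg, host, realm, user, pass)
  local http = reg.credentials.http
  http[host] = http[host] or {}
  http[host][realm] = { username = user, password = pass }
end

local function lookup_credentials(reg, host, realm)
  local byhost = reg.credentials.http[host]
  return byhost and byhost[realm] or nil
end

-- Constructed sample responses: 200 and 302 are accepted, 401 is rejected,
-- and a 403 (for example from an IDS that starts blocking) is rejected too.
assert(login_succeeded({ status = 200 }))
assert(login_succeeded({ status = 302 }))
assert(not login_succeeded({ status = 401 }))
assert(not login_succeeded({ status = 403 }))
assert(not login_succeeded(nil))

-- Constructed host, realm and credential values.
store_credentials(registry, "192.0.2.10", "Admin Area", "admin", "example-password")
local c = lookup_credentials(registry, "192.0.2.10", "Admin Area")
assert(c and c.username == "admin")
assert(lookup_credentials(registry, "192.0.2.10", "Other Realm") == nil)
```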