Nmap Development mailing list archives

Re: [NSE] new scripts and libraries: http


From: Patrik Karlsson <patrik () cqure net>
Date: Thu, 19 Aug 2010 22:54:40 +0200


On 13 aug 2010, at 06.48, David Fifield wrote:

On Sun, Aug 08, 2010 at 05:31:36PM +0200, Patrik Karlsson wrote:
   x http-brute - performs password guessing against basic authentication
   x http-form-brute - performs form-based password guessing

http-brute looks good. My first idea was to make it have a default path
of /, but requiring a script argument for that is fine too.

In checking for a successful login, I think that it should do more than
check for a 200 response. A 302 and probably others would be interesting
as well. How about checking for not 4xx and not 5xx? Something like an
IDS may start detecting all the requests and start returning 403, and
that would ideally be detected, but that can wait until we get some
actual reports.

Ok I ended up doing:
if ( response.status < 400 or response.status > 599 ) then
        -- login success ...
end


Could the cached credentials in in nmap.registry.credentials.http be
indexed by the domain and realm? My idea is to introduce a more capable
default http.get function that is capable of following redirects and
using cached authentication automatically. If it knows the domain and
realm it can do this just like a web browser.

I didn't change this because I wanted to check what your thoughts are on implementing a creds.lua library instead.
Now all scripts are in charge of storing their credentials in the registry for other scripts to use.
There is no standard way of doing so. Not even my own scripts use the same place or method.

We could create a library that would basically have a function to store the credentials:
function store_credentials( host, service, username, password, state, info )

We could then have a few different functions to fetch credentials like e.g.
get_credentials_for_service( host, service )
get_credentials_for_host( host )

In addition it would be very easy to write a postrule script that would print all found credentials at the end of a scan sorted per host and service.


http-form-brute looks good, just like I would expect.
Thanks!

I suspect that looking for the nonexistence of uservar and passvar in the body will be
more robust than looking for the nonexistence of 'type=\"password\"'.

I've changed this to reflect your suggestion.


You can commit these when you like.

Done, the scripts are in as r19893.
Btw, did you get to the bottom of the threading and mutex bug?


David Fifield


//Patrik
--
Patrik Karlsson
http://www.cqure.net
http://www.twitter.com/nevdull77
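As an added sketch of the creds-style library proposed in this message (not Nmap's own code, and not an actual creds.lua), a plain table stands in for nmap.registry so it runs under a stock Lua interpreter; get_credentials_for_service would be the same per-host, per-service bucket lookup used internally, and host is assumed to be an address string:

```lua
-- Added sketch of the creds-style library proposed above (not Nmap's own code).
-- `registry` is a plain table standing in for nmap.registry, so this runs under
-- a stock Lua interpreter; host is an address string.
local registry = { creds = {} }
local function bucket(host, service)
  registry.creds[host] = registry.creds[host] or {}
  registry.creds[host][service] = registry.creds[host][service] or {}
  return registry.creds[host][service]
end

-- One place and one shape for every brute script's results.
local function store_credentials(host, service, username, password, state, info)
  local b = bucket(host, service)
  b[#b + 1] = { username = username, password = password, state = state, info = info }
end

local function get_credentials_for_host(host)
  local result = {}
  for service, list in pairs(registry.creds[host] or {}) do
    for _, c in ipairs(list) do
      result[#result + 1] = { service = service, username = c.username, password = c.password }
    end
  end
  return result
end

local function sorted_keys(t)
  local keys = {}
  for k in pairs(t) do keys[#keys + 1] = k end
  table.sort(keys)  -- hosts and service names are sorted as strings
  return keys
end

-- Postrule-style report: every credential found, sorted per host and service.
local function report()
  local lines = {}
  for _, h in ipairs(sorted_keys(registry.creds)) do
    for _, s in ipairs(sorted_keys(registry.creds[h])) do
      for _, c in ipairs(registry.creds[h][s]) do
        lines[#lines + 1] = string.format("%s %s %s:%s [%s]", h, s, c.username, c.password, c.state)
      end
    end
  end
  return table.concat(lines, "\n")
end
-- Constructed sample entries, as http-brute and http-form-brute might store them.
store_credentials("192.0.2.10", "http", "admin", "admin", "VALID", "realm=Restricted")
store_credentials("192.0.2.10", "http-form", "user", "secret", "VALID", "/login.php")
store_credentials("192.0.2.5", "http", "guest", "guest", "VALID", "realm=Public")
print(report())
```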
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
