Nmap Development mailing list archives

Re: Valid usernames but no password with Creds library


From: Toni Ruottu <toni.ruottu () iki fi>
Date: Thu, 7 Jul 2011 18:08:29 +0300

If we know the user names, would it not make sense for brute scripts
to try passwords for those user names rather than generic user names?
Does that currently happen? How should that work?

On Thu, Jul 7, 2011 at 1:47 PM, Patrik Karlsson <patrik () cqure net> wrote:

On Jul 7, 2011, at 9:05 AM, Paulino Calderon wrote:

Hi Patrik,
   I'm updating scripts to use your credentials library and I'm wondering what are your thoughts about adding valid 
usernames even when we don't have a password. Right now, there is not a way to differentiate when a password is 
blank and when we don't have one since both show the string "<empty>". How do you guys think we should address this? 
Or do you think we shouldn't add credentials to the table if we don't have both a username and password?

Ps. I'm ccing this to nmap-dev for future reference.

Cheers.

--
Paulino Calderón Pale
Web: http://calderonpale.com
Twitter: http://www.twitter.com/paulinocalderon



Hi Paulino,

I'm guessing that these valid usernames come from some of the enumeration scripts?
I see the credential library (database) as two things:
1. storage for discovered credentials, that can be used for consistent output in script results (eg. "Account locked" 
etc.)
2. storage for discovered credentials, that can be queried from other scripts to get known, valid credentials

For case 1, I guess it could make sense to output even discovered user names; in this case we need to find a way to 
distinguish them from discovered credentials.
For me personally, I would probably want them in a separate "section" and not mixed together with discovered 
credentials.

For case 2, I wouldn't want them mixed with the discovered or parameter supplied credentials.
Here, I think it would probably make sense assigning them their own State, maybe KNOWN_USER/VALID_USER or whatever.
In this case, they can be queried by using the state mask in getCredentials if someone wishes to do that.

I'm guessing a valid use case for 2 could be:
sip-enum-users -> store discovered users to creds library (eg. add("1000",nil, creds.State.KNOWN_USER) )
sip-brute -> gets discovered users (eg. getCredentials(creds.State.KNOWN_USER + creds.State.VALID) )

Does that make sense?

//Patrik
--
Patrik Karlsson
http://www.cqure.net
http://www.twitter.com/nevdull77

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/

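As an added example, not code from the thread and not nmap's creds.lua: a self-contained Python model of the design Patrik sketches (known users stored under their own state, queried through a state mask, reported in a separate section) together with the brute-script behaviour Toni asks about (try enumerated users before generic ones, skip users that already have valid credentials). The state names, the KNOWN_USER state, the `<unknown>` marker that separates "no password known" from a blank password, and the sample entries are all assumptions for illustration.

```python
"""Model of the credential-store design discussed in the thread.

Illustrative Python, not nmap's creds library: states are bit flags so a query
can pass a mask (sum or OR of states), a None password means "not known" while
"" means "verified blank", and known users never mix with valid credentials.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


class State:
    """Bit flags, so callers can OR (or add) them into a mask for get_credentials."""
    LOCKED = 1
    VALID = 2
    DISABLED = 4
    PARAM = 8
    KNOWN_USER = 16  # hypothetical: proposed in the thread, not an existing creds.State


STATE_NAMES = {
    State.LOCKED: "Account locked",
    State.VALID: "Valid credentials",
    State.DISABLED: "Account disabled",
    State.PARAM: "Supplied as parameter",
    State.KNOWN_USER: "Valid username (password unknown)",
}


@dataclass(frozen=True)
class Credential:
    user: str
    password: Optional[str]  # None: no password known; "": password verified blank
    state: int

    def render(self) -> str:
        """Output form that keeps 'unknown' and 'blank' visibly distinct."""
        if self.password is None:
            return f"{self.user}:<unknown>"
        return f"{self.user}:{self.password or '<empty>'}"


class Credentials:
    def __init__(self, scriptname: str) -> None:
        self.scriptname = scriptname
        self._entries: List[Credential] = []

    def add(self, user: str, password: Optional[str], state: int) -> Credential:
        # Enforce the separation: a known user carries no password, a VALID
        # entry must carry one (an empty string for a blank password).
        if state & State.KNOWN_USER and password is not None:
            raise ValueError("KNOWN_USER entries carry no password; use VALID instead")
        if state & State.VALID and password is None:
            raise ValueError("VALID requires a password (pass '' for a blank one)")
        cred = Credential(user, password, state)
        if cred not in self._entries:
            self._entries.append(cred)
        return cred

    def get_credentials(self, mask: int) -> List[Credential]:
        """Every entry whose state shares at least one bit with the mask."""
        return [c for c in self._entries if c.state & mask]

    def report(self) -> str:
        """Script output with one section per state, so known users sit apart
        from discovered credentials."""
        sections: Dict[int, List[Credential]] = {}
        for c in self._entries:
            sections.setdefault(c.state, []).append(c)
        lines = []
        for state in sorted(sections):
            lines.append(STATE_NAMES.get(state, f"state {state}"))
            lines.extend("  " + c.render() for c in sections[state])
        return "\n".join(lines)


def users_to_brute(store: Credentials, generic_users: List[str]) -> List[str]:
    """Usernames a brute script should try: enumerated users if any were
    stored, otherwise the generic list, minus users already proven VALID."""
    done = {c.user for c in store.get_credentials(State.VALID)}
    known = [c.user for c in store.get_credentials(State.KNOWN_USER)]
    candidates = known or generic_users
    return [u for u in candidates if u not in done]


if __name__ == "__main__":
    # Constructed sample of what an enumeration script and a brute script might record.
    db = Credentials("sip-enum-users")
    db.add("1000", None, State.KNOWN_USER)
    db.add("1001", None, State.KNOWN_USER)
    db.add("admin", "", State.VALID)       # blank password, verified
    db.add("guest", "guest", State.PARAM)  # supplied on the command line
    print(db.report())
    print(users_to_brute(db, ["admin", "root", "user"]))
```

The query `get_credentials(State.KNOWN_USER + State.VALID)` is the mask lookup from Patrik's sip-brute sketch; because the states are distinct bits, adding them is the same as OR-ing them, and a PARAM entry never matches that mask.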

