Nmap Development mailing list archives

Previous By Date Next
Previous By Thread Next

Re: [NSE] Request for feedback on account status reported by *-brute scripts

From: Tom Sellers <nmap () fadedcode net>
Date: Sun, 11 Sep 2011 16:18:49 -0500
On 9/11/2011 1:40 PM, Patrik Karlsson wrote:

Hi Tom,

I'm traveling at the moment and haven't had time to look at your changes. One think came to mind though, in regard to 
locked accounts; In oracle, if an account is locked the server will respond with account locked, regardless of 
whether the password is correct or not. This would make the change from "account locked" to "valid credentials, 
account locked" inaccurate. I'm not sure whether there are more services that behave this way among the changed ones.

Cheers,
Patrik

Sent from my iPhone




Thanks for pointing that out Patrik.  I am about to commit the changes to 'creds.lua' for this effort and I have
made the following adjustments to address the issue you brought up:

1. Left the response text for State.Valid and State.Locked as the original strings.
2. Added two new values  State.Locked_Valid  & State.Disabled_Valid

I will go back through the scripts and change the ones where I now the account validity can be determined.
I will correct the example text on those that I do not know to reflect the original text.  All other functionality
should be as it was prior to the changes to the strings.

Thanks much,
Tom
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
Previous By Date Next
Previous By Thread Next

Current thread: