Nmap Development mailing list archives
Re: [NSE] password guessers for vulnerability scanners and exploitation frameworks
From: Patrik Karlsson <patrik () cqure net>
Date: Fri, 11 Nov 2011 19:27:29 +0100
On Fri, Nov 11, 2011 at 6:54 AM, Patrik Karlsson <patrik () cqure net> wrote:
> On Thu, Nov 10, 2011 at 11:49 PM, Vlatko Kosturjak <kost () linux hr> wrote:
>> On Thu, Nov 10, 2011 at 11:25:53PM +0100, Patrik Karlsson wrote:
>>> I've tested, modified and committed two scripts so far. I experienced the same problem with the openvas-otp-brute script that I saw with Nessus. If you let it run for a while, it will fail due to "To many retries, aborted ..."
>>>
>>> These are the scripts and changes I committed:
>>> * metasploit-xmlrpc-brute (r27059) - Guess password only, the username is always msf
>>
>> ./msfrpcd -h
>> Usage: msfrpcd <options>
>> OPTIONS:
>>     -P <opt>  Specify the password to access msfrpcd
>>     -S        Disable SSL on the RPC socket
>>     -U <opt>  Specify the username to access msfrpcd
>>
>> Hope it helps,
>> --
>> Vlatko Kosturjak - KoSt
>
> Thanks for the catch, and sorry about that. I've re-enabled username support in r27060.
>
> Cheers,
> Patrik
> --
> Patrik Karlsson
> http://www.cqure.net
> http://twitter.com/nevdull77

Hi Kost,

The attached patch contains some cleanup of the nexpose-brute script. Before I commit it though I wanted to get some opinions from the list in regards to account lockout. In general I haven't bothered too much with account lockout before, but Nexpose locks accounts after 4 incorrect attempts per default. In the community edition I have been testing it against, I can't get back in without restarting the as the only account I have gets locked.

So, my question is, do we need to address this in some way, limiting the amount of tries to 3 per account and allowing the user to force more attempts through a script argument?

Cheers,
Patrik
--
Patrik Karlsson
http://www.cqure.net
http://twitter.com/nevdull77

Attachment: nexpose-brute.patch
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/