Nmap Development mailing list archives

Previous By Date Next
Previous By Thread Next

Re: multiple users check with http-auth script

From: Patrik Karlsson <patrik () cqure net>
Date: Thu, 19 Jan 2012 01:33:26 +0100
On Tue, Jan 17, 2012 at 9:01 PM, Dino Tesic <cadavir () gmail com> wrote:


Hello Folks

I need some help!
I'm using nmap 5.51 and I'm wondering is there any chance to force
"http-auth" script to go thru all accounts in authcombination before
quiting.

Let's say for example there is test-server with multiple accounts:

test:test - restricted account for testing connection
user:user - restricted account with ability to view all settings (but
no modification permission)
admin:admin - admin account without any restriction

I'm using this list (for possible auth-combination) to detect valid users

 local authcombinations= {
   { username = "admin", password = ""},
   { username = "admin", password = "admin"},
   { username = "admin", password = "nimda"},
   { username = "admin", password = "router"},
   { username = "user", password = "user"},
   { username = "root", password = "admin"},
   { username = "test", password = "test"},
 }

but everytime it matches one valid account next account in the list
will be ignored, and what is more confusing it prints all other
accounts in the list after matching one.

when admin:admin account is valid it will print:
HTTP server may accept admin:admin combination for Basic authentication.
HTTP server may accept admin:nimda combination for Basic authentication.
HTTP server may accept admin:router combination for Basic authentication.
HTTP server may accept user:user combination for Basic authentication.
HTTP server may accept root:admin combination for Basic authentication.
HTTP server may accept test:test combination for Basic authentication.

... BUT only first one is checked and valid ...

if user:user account is valid it will print:
HTTP server may accept user:user combination for Basic authentication.
HTTP server may accept root:admin combination for Basic authentication.
HTTP server may accept test:test combination for Basic authentication.

and so on...


is there any way to fix this?

thanks
Dino
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/



Hi Dino,

Have you modified the http-auth script to check for valid users, or did you
actually mean the http-brute script?
If you've modified the http-auth script my best guess is that your doing
the requests without disabling http caching.
That would exhibit the behavior your seeing. In case your using the
http-brute script, please try running in debug mode and see if you get any
more clues to why it's behaving the way your describing, which it shouldn't.

Cheers,
Patrik
-- 
Patrik Karlsson
http://www.cqure.net
http://twitter.com/nevdull77
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
Previous By Date Next
Previous By Thread Next

Current thread: