Nmap Development mailing list archives
Re: [NSE] Improved performance of http-default-accounts
From: George Chatzisofroniou <sophron () latthi com>
Date: Sun, 18 Aug 2013 04:41:29 +0300
On Wed, Aug 14, 2013 at 01:28:25AM +0000, nnposter () users sourceforge net wrote:
For any given fingerprint from http-default-accounts-fingerprints script http-default-accounts currently tests corresponding default credentials if at least one of the probe URLs succeeded, namely returned with status other than 404. Some web servers, such as Linksys devices, respond with HTTP/401 even for non-existent URLs. This causes the script to assume that these URLs do exist and to test the credentials, while ideally they should be tested only on those servers where they make sense. The purpose of the attached patches is to reduce unnecessary credential guessing by implementing a new optional fingerprint element, function target_check(), which takes some already collected target information, including a probe URL response, and returns true or false, indicating whether the credential guessing should be attempted or not. All of the current fingerprints have been retrofitted with simple target validations as follows: * If the fingerprint uses native HTTP authentication, validate that the target's realm matches the server type. * If the fingerprint uses form-based authentication, validate that the probe URL returned with HTTP/200 (as opposed to perhaps HTTP/401). When testing against the above-mentioned Linksys the difference was notable: 14 login attempts before the patch versus 1 attempt after the patch.
Thanks. I commited these patches as revision r31899.
This functionality provides opportunity for further improvement by being able to match page content to differentiate between real HTTP/200 and a custom error page. (As of now the script completely skips targets that return HTTP/200 for non-existent pages.)
I added a TODO note for this in http-default-accounts-fingerprints. -- George Chatzisofroniou _______________________________________________ Sent through the dev mailing list http://nmap.org/mailman/listinfo/dev Archived at http://seclists.org/nmap-dev/
Current thread:
- [NSE] Improved performance of http-default-accounts nnposter (Aug 13)
- Re: [NSE] Improved performance of http-default-accounts George Chatzisofroniou (Aug 17)
- Re: [NSE] Improved performance of http-default-accounts nnposter (Aug 19)
- Re: [NSE] Improved performance of http-default-accounts George Chatzisofroniou (Aug 17)