Nmap Development mailing list archives
Re: [NSE] Duplicate credential storage?
From: Daniel Miller <bonsaiviking () gmail com>
Date: Thu, 19 Feb 2015 22:55:51 -0600
On Mon, Feb 16, 2015 at 4:23 PM, <nnposter () users sourceforge net> wrote:
I have noticed that nmap.registry holds two parallel structures for credentials: "creds" and "credentials". The former is abstracted out through the creds library and the latter is used directly by just a few scripts. Specifically, two scripts (http-brute, and http-form-brute) are populating structure credentials.http, while they also utilize the creds library so they are storing the credentials twice. In the entire script collection only one script (http-domino-enum-passwords) seems to consume the credentials.http structure. I would like to solicit opinions whether the redundancy serves a particular purpose or whether it is just a leftover. In case of the latter, the attached patch converts the one script to use the creds library and retires the credentials.http structure. The patch does not touch script backorifice-brute, which populates registry structure credentials.backorifice, although it would be very easy to do so. As far as I can tell none of the scripts consume credentials.backorifice. It looks like script backorifice-info was meant to but it was not implemented. Cheers, nnposter
This looks indeed to be a leftover. The commit which added the creds library (r24134) made modifications to a lot of scripts, but did not remove any existing storage mechanisms. At that time, only the scripts you noted were using stored credentials of any kind. I'm inclined to take your patch, but I'll wait a few more days to see if any of the original authors has a different idea. Dan
_______________________________________________ Sent through the dev mailing list https://nmap.org/mailman/listinfo/dev Archived at http://seclists.org/nmap-dev/
Current thread:
- [NSE] Duplicate credential storage? nnposter (Feb 16)
- Re: [NSE] Duplicate credential storage? Daniel Miller (Feb 19)