Re: [NSE] Duplicate credential storage?

[Daniel Miller <bonsaiviking () gmail com>]

On Mon, Feb 16, 2015 at 4:23 PM, <nnposter () users sourceforge net> wrote:

> I have noticed that nmap.registry holds two parallel structures for
> credentials: "creds" and "credentials". The former is abstracted out
> through the creds library and the latter is used directly by just a few
> scripts.
>
> Specifically, two scripts (http-brute, and http-form-brute) are
> populating structure credentials.http, while they also utilize the creds
> library so they are storing the credentials twice. In the entire script
> collection only one script (http-domino-enum-passwords) seems to consume
> the credentials.http structure.
>
> I would like to solicit opinions whether the redundancy serves a
> particular purpose or whether it is just a leftover. In case of the
> latter, the attached patch converts the one script to use the creds
> library and retires the credentials.http structure.
>
> The patch does not touch script backorifice-brute, which populates
> registry structure credentials.backorifice, although it would be very
> easy to do so. As far as I can tell none of the scripts consume
> credentials.backorifice. It looks like script backorifice-info was meant
> to but it was not implemented.
>
>
> Cheers,
> nnposter

This looks indeed to be a leftover. The commit which added the creds
library (r24134) made modifications to a lot of scripts, but did not remove
any existing storage mechanisms. At that time, only the scripts you noted
were using stored credentials of any kind. I'm inclined to take your patch,
but I'll wait a few more days to see if any of the original authors has a
different idea.

Dan

_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/