Re: Out of Memory

[Daniel Miller <bonsaiviking () gmail com>]

Hello, and thanks for this bug report.

Nmap's brute-force authentication scripts tend to slurp the entire wordlist
into a table data structure and then iterate over that. This makes for
simple, fast code for most purposes, but it may not be the best approach
for larger wordlists. The smaller CrackStation wordlist of "real human"
passwords is 64 million passwords. That's a lot of passwords! According to
[1], if we assume each string is 8 characters on average, we'd have:

(24 + 8)*64M = 2048M or 2GB of memory just from strings
16*64M = 1024M or 1GB of memory for the table data structure.

But also consider how long it might take to iterate 64 million passwords. A
minimum bound would at least be the time it takes to transfer that half a
gigabyte of string data, but you'll also have protocol data, server
processing time, etc. Generally, a service is not going to tolerate 64
million sequential login attempts.

That said, we'd be glad to see a patch that reads from disk instead,
perhaps implemented as an option when the count gets too high.

Dan

On Thu, Dec 3, 2015 at 11:30 AM, . . <seattleitguy () outlook com> wrote:

> I am trying to use the telnet-brute script using crackstation's smaller
> and larger password lists. I keep getting an out of memory error.
>
> I am using Windows 10 with the latest version of Nmap (7.0.0).
>
> Command:
> nmap -p 2601 -d --script +telnet-brute --script-args
> passdb=/pwd/cshuman.txt,brute.retries=2 192.168.0.1
>
> Here is the debug:
>
> Starting Nmap 7.00 ( https://nmap.org ) at 2015-12-03 09:27 Pacific
> Standard Time
>
> Winpcap present, dynamic linked to: WinPcap version 4.1.3 (packet.dll
> version 4.1.0.2980), based on libpcap version 1.0 branch 1_0_rel0b
> (20091008)
>
> --------------- Timing report ---------------
>
>   hostgroups: min 1, max 100000
>
>   rtt-timeouts: init 1000, min 100, max 10000
>
>   max-scan-delay: TCP 1000, UDP 1000, SCTP 1000
>
>   parallelism: min 0, max 0
>
>   max-retries: 10, host-timeout: 0
>
>   min-rate: 0, max-rate: 0
>
> ---------------------------------------------
>
> NSE: Using Lua 5.2.
>
> NSE: Arguments from CLI: passdb=/pwd/cshuman.txt,brute.retries=2
>
> NSE: Arguments parsed: passdb=/pwd/cshuman.txt,brute.retries=2
>
> NSE: Loaded 1 scripts for scanning.
>
> NSE: Script Pre-scanning.
>
> NSE: Starting runlevel 1 (of 1) scan.
>
> Initiating NSE at 09:27
>
> Completed NSE at 09:27, 0.00s elapsed
>
> Initiating ARP Ping Scan at 09:27
>
> Scanning 192.168.0.1 [1 port]
>
> Packet capture filter (device eth0): arp and arp[18:4] = 0xC8600075 and
> arp[22:2] = 0xF715
>
> Completed ARP Ping Scan at 09:27, 0.13s elapsed (1 total hosts)
>
> Overall sending rates: 7.87 packets / s, 330.71 bytes / s.
>
> DNS resolution of 1 IPs took 0.39s. Mode: Async [#: 0, OK: 0, NX: 0, DR:
> 0, SF: 0, TR: 0, CN: 0]
>
> Initiating SYN Stealth Scan at 09:27
>
> Scanning 192.168.0.1 [1 port]
>
> Packet capture filter (device eth0): dst host 192.168.0.21 and (icmp or
> icmp6 or ((tcp or udp or sctp) and (src host 192.168.0.1)))
>
> Discovered open port 2601/tcp on 192.168.0.1
>
> Completed SYN Stealth Scan at 09:27, 0.01s elapsed (1 total ports)
>
> Overall sending rates: 200.00 packets / s, 8800.00 bytes / s.
>
> NSE: Script scanning 192.168.0.1.
>
> NSE: Starting runlevel 1 (of 1) scan.
>
> Initiating NSE at 09:27
>
> NSE: Starting telnet-brute against 192.168.0.1:2601.
>
> NSE: telnet-brute against 192.168.0.1:2601 threw an error!
>
> not enough memory
>
> stack traceback:
>
>     C:\Program Files (x86)\Nmap/nselib/unpwdb.lua:114: in function
> 'filltable'
>
>     C:\Program Files (x86)\Nmap/nselib/unpwdb.lua:206: in function
> 'passwords_raw'
>
>     C:\Program Files (x86)\Nmap/nselib/unpwdb.lua:278: in function
> 'passwords'
>
>     C:\Program Files (x86)\Nmap/nselib/brute.lua:754: in function
> 'passwords_iterator'
>
>     C:\Program Files (x86)\Nmap/nselib/brute.lua:376: in function 'new'
>
>     C:\Program Files (x86)\Nmap/scripts\telnet-brute.nse:683: in function
> <C:\Program Files (x86)\Nmap/scripts\telnet-brute.nse:670>
>
>     (...tail calls...)
>
>
>
> Completed NSE at 09:27, 52.59s elapsed
>
> Nmap scan report for 192.168.0.1
>
> mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is
> disabled. Try using --system-dns or specify valid servers with --dns-servers
>
> Host is up, received arp-response (0.0059s latency).
>
> Scanned at 2015-12-03 09:27:06 Pacific Standard Time for 53s
>
> PORT     STATE SERVICE REASON
>
> 2601/tcp open  zebra   syn-ack ttl 64
>
> Final times for host: srtt: 5875 rttvar: 4750  to: 100000
>
>
>
> NSE: Script Post-scanning.
>
> NSE: Starting runlevel 1 (of 1) scan.
>
> Initiating NSE at 09:28
>
> Completed NSE at 09:28, 0.00s elapsed
>
> Read from C:\Program Files (x86)\Nmap: nmap-mac-prefixes nmap-payloads
> nmap-services.
>
> Nmap done: 1 IP address (1 host up) scanned in 71.62 seconds
>
>            Raw packets sent: 2 (72B) | Rcvd: 2 (72B)
>
>
>
> _______________________________________________
> Sent through the dev mailing list
> https://nmap.org/mailman/listinfo/dev
> Archived at http://seclists.org/nmap-dev/
_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/