Nmap Development mailing list archives
Sergey. [Status report 03/17]
From: Sergey Khegay <g.sergeykhegay () gmail com>
Date: Tue, 17 May 2016 02:06:52 -0400
[Report 03/17]
Hello Nmap Community,
Accomplishments:
- Absolute failure on the first improvement approach. Let me describe.
So far I test my approach on ftp-brute script. I modified the script
according to a new API that I implemented in the brute.lua.
Environment. For testing purposes I use
- Ubuntu virtual machine
- vsftpd - ftp server daemon
- I limited the number of connections from an IP to 5. So you can
have at most 5 parallel connections from a single IP. If you
happen to have more, the ftp server will reply with code 421 "There
are too many connections from your internet address"
- A list of usernames - 2 entries, including valid one
- A list of passswords - 40 entries, including valid one
- So total of 80 pairs of credentials.
Approach:
If the status of some action (connect or login) is false, brute.lua
expects to receive 3 return values: status, response, report (as
opposed to only two in the initial implementation).
New return value, report, if present, contains the last credential
that were attempted to be used but were not. The structure of report:
{
cmd: "decrease", -- The command to the engine, probably
-- useless as we will try to increase
-- after successful attempts.
limit_to: <integer>, -- If the protocol specifies the maximum
-- allowed number of parallel connections
creds: { -- The credentials that we used when the
username: "<username>", -- error occurred
password: "<password>",
},
}
If report is nil, then the engine works as it worked before, otherwise
it adds the credentials in the report to the retry list and lets the
coroutine that got the error die. Thus every error decreases the
number of running coroutines by 1. (I should try to decrease more
aggressively, but I have not come up with a good idea yet.)
If there were no errors between two consecutive runs of the base
thread, then the number of coroutines is increased by 1.
In this draft implementation I assumed that ftp-brute always wants
the brute library to run in the adaptable mode described above. So
for old script the engine should work as it did before. (This can be
done by requiring a specific function implementation in the
bruteforcing script.)
Problems:
- Probably because the server updates the connection statistics less
frequently than connections are being made by the script, the
following situation is possible:
Assume the number of connections is limited to 5. We have 6 running
coroutines. So the first coroutine gets an error message, we let
the connection to be closed and let the coroutine die. Logically,
now the second coroutine should be fine, but it is not, because
probably the server has already sent a response before we closed
the first connection, at that moment there were 6 connections, thus
the second coroutine gets error message and then dies. So all 6
connections die, the script has not iterated through all accounts.
Possible solution is to let only one coroutine die, and restart
others with the same credentials. This will slow down the execution,
but will be more accurate.
- I need to come up with an elegant way to support back-compatibility.
Comparison:
- Ncrack does not find the valid credentials as well. Even though it
tries to reduce the number of connections towards 5, it always stick
to 6 and prematurely closes a lot of probes.
> Ncrack done: 1 service scanned in 12.02 seconds.
> Probes sent: 398 | timed-out: 0 | prematurely-closed: 331
- THC-Hydra stubbornly holds the number of 12 threads and spits
error messages. No positive results as well.
Goals:
o: Develop the ideas described above.
o: Start thinking about ssh-brute.
I would highly appreciate any comments and suggestions.
Best regards,
Sergey.
_______________________________________________ Sent through the dev mailing list https://nmap.org/mailman/listinfo/dev Archived at http://seclists.org/nmap-dev/
Current thread:
- Sergey. [Status report 03/17] Sergey Khegay (May 16)