Nmap Development mailing list archives

Re: Password profiling in NSE


From: George Chatzisofroniou <sophron () latthi com>
Date: Fri, 20 Jan 2017 15:42:20 +0200

Hi Dan,

On Thu, Jan 12, 2017 at 5:54 AM, Daniel Miller <bonsaiviking () gmail com> wrote:
> 1. I think that the default behavior should be to add the words without
> mangling, since NSE brute-forcing should lean towards intelligence and speed
> as opposed to thoroughness or never-ending streams of candidate passwords.
> Mangling can be an additional option.

If we introduce an additional option for mangling, I believe there
will be more users running nmap with both options (passprofile and
mangling) compared to only passprofile. It is probably worth its time
too, as it greatly increases the chances of a successful attack.

Having said that, maybe an option that turns off mangling makes more
sense. However, I understand your concern that NSE should lean towards
speed, and I'm fine with having mangling as an optional feature.

> 2. Instead of a separate library, the storing and retrieval of these
> password candidates should be done by unpwdb, so that even if a script
> doesn't use brute.lua, it can still take advantage. This fits more with the
> core purpose of unpwdb (wordlists and iterators) vs brute (timing and
> reporting of creds). The mangling could be kept in a separate library,
> perhaps.

You are right. I thought that unpwdb was only being leveraged by
brute.lua, but I guess that's not always the case.

> 3. The use of mangling could explode the size of the dictionary in memory. I
> think it would be better to have an iterative mangling process similar to
> how John the Ripper does it: first try all words as-is, then proceed through
> mangling rules one at a time. This allows more-likely mangles to happen
> first and means less memory is used. With this approach, mangling wouldn't
> be limited to candidates discovered through profiling, but could be applied
> to wordlist candidates as well.

I agree.

> I'd be excited just to see the profiling code added into unpwdb. Mangling
> can be done as a separate effort. That way we get something that works
> up-front, and users can benefit right away.

Will it make things easier if I submit a PR via GitHub that addresses
(1) and (2)?

George
_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
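As an added illustration of the iteration order Dan proposes in item 3 (and of the "mangling off by default" switch from item 1), here is a standalone Lua sketch. It is not code from Nmap, unpwdb, brute.lua or this thread, and the word list, rule names, rule set and the function candidate_iterator are all hypothetical. Rather than building the full cross product of words and rules in memory, it yields every base word first, then walks the rules one at a time across the whole list, so only the base words and the rule currently being applied are held at any moment and the most likely candidates come out first.

```lua
-- Added example, not Nmap/NSE code. Demonstrates a memory-light,
-- rule-at-a-time candidate iterator in the style of John the Ripper:
--   phase 0: every word as-is
--   phase k: rule k applied to every word
-- Only the base list and the current rule are live; nothing is precomputed.

-- Constructed sample input: words a profiler might scrape from a target's
-- site (hypothetical values, not real data).
local profiled_words = { "acme", "Widgets", "london" }

-- Helper: return {c} if rule output c differs from the base word, else {}.
-- This keeps a no-op rule (e.g. lowercasing "acme") from repeating phase 0.
local function if_changed(w, c)
  if c == w then return {} end
  return { c }
end

-- Mangling rules, ordered most-likely first. Each maps a word to a list of
-- candidates. Rule names are hypothetical.
local rules = {
  { name = "lowercase",  fn = function(w) return if_changed(w, w:lower()) end },
  { name = "capitalize", fn = function(w)
      return if_changed(w, w:sub(1, 1):upper() .. w:sub(2):lower())
    end },
  { name = "append-digit", fn = function(w)
      local out = {}
      for d = 0, 9 do out[#out + 1] = w .. d end
      return out
    end },
  { name = "append-year", fn = function(w)
      return { w .. "2016", w .. "2017" }
    end },
  { name = "leet", fn = function(w)
      local l = w:lower():gsub("a", "4"):gsub("e", "3"):gsub("o", "0")
      return if_changed(w, l)
    end },
}

-- candidate_iterator(words, rules, mangle) -> function returning the next
-- candidate string, or nil when exhausted. With mangle=false only phase 0
-- runs, which is the default behaviour item 1 argues for.
local function candidate_iterator(words, rules, mangle)
  return coroutine.wrap(function()
    -- Phase 0: base words, untouched.
    for _, w in ipairs(words) do
      coroutine.yield(w)
    end
    if not mangle then return end
    -- Phases 1..n: one rule at a time over the whole list, so rule k's
    -- output for every word precedes anything from rule k+1.
    for _, rule in ipairs(rules) do
      for _, w in ipairs(words) do
        for _, c in ipairs(rule.fn(w)) do
          coroutine.yield(c)
        end
      end
    end
  end)
end

-- Usage: pull candidates lazily; a brute script would stop on first hit or
-- when its time budget runs out, never having built the whole set.
local budget = 12  -- hypothetical cap to show that early candidates are the cheap, likely ones
local n = 0
for cand in candidate_iterator(profiled_words, rules, true) do
  n = n + 1
  print(n, cand)
  if n >= budget then break end
end

-- Mangling disabled: the iterator stops after the three base words.
local plain = 0
for _ in candidate_iterator(profiled_words, rules, false) do
  plain = plain + 1
end
print("candidates with mangling off:", plain)
```

The generic-for loop stops as soon as the wrapped coroutine returns nil, so a caller that gives up early never pays for the rules it did not reach. Because each rule is applied across the entire list before the next rule starts, ordering the rules by likelihood is what puts the best guesses first; the dedupe here is deliberately minimal (a rule suppresses only its own no-ops) because a global "seen" set would reintroduce the memory growth the approach is meant to avoid.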


Current thread: