Nmap Development mailing list archives

Re: Password profiling in NSE


From: Daniel Miller <bonsaiviking () gmail com>
Date: Fri, 20 Jan 2017 09:23:52 -0600

George,

> If we introduce an additional option for mangling, I believe there
> will be more users running nmap with both options (passprofile and
> mangling) compared to only passprofile. It is probably worth its time
> too, as it highly increases the chances of a successful attack.


> Having said that, maybe an option that turns off mangling makes more
> sense. However, I understand your concern that NSE should lean towards
> speed and I'm fine having mangling as an optional feature.


I imagine many will use it, too, but they should be kept separate because
some users may wish to use mangling with a custom wordlist (i.e. not with
password profiling), or with some combination of both (mangling done over
profiled candidates and wordlist words alike).


> Will it make things easier if I submit a PR via GitHub that addresses
> (1) and (2)?


Yes, that would be good. Varunram has already attempted this in #643, which
I have not reviewed because of some unrelated commits, but since this is
your code it would probably be best if you did the pull request yourself.
As I said, I would prefer to see separate pulls for profiling and for
mangling, and I think the profiling is the more exciting feature, but I'll
review anything you put up.

Dan
_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/