Nmap Development mailing list archives
Re: Authentication in SMB/MSRPC
From: Ron <ron () skullsecurity net>
Date: Tue, 07 Oct 2008 05:36:25 -0500
David Fifield wrote:
> On Mon, Oct 06, 2008 at 05:54:35PM -0500, Ron wrote:
>
> Best to play it safe. My impression is that scripts using authentication information should only use information supplied by the user. I think the lockout issue is very important. If we only do what the user has explicitly asked for, there's less chance they will become furious at Nmap when an account gets locked out. If a bruteforce script finds credentials, it shouldn't try to use them, just display them. You can run the script with the new credentials to get more information from the other scripts.

Well, my thought was if you're running it across a significantly sized network with a list of common accounts/passwords, you might want it to use the passwords it finds, especially if the auditor knows that lockouts are disabled. Additionally, the 'administrator' account can rarely be locked out and the 'guest' account rarely has a password set if it's enabled, so they might want to bruteforce just those two.

If the scripts are expanded to the point where they can do deeper vulnerability assessments, being able to use passwords found could be very valuable, especially if you're scanning a couple thousand hosts.

Obviously, it shouldn't be a default thing, but I can see it being handy.

> Also, if you try to have one script get authentication details from another, it gets more complicated because one has to run before the other and you reduce the possible parallelism. Plus there's the "which credentials to use?" problem you mentioned in (b).
>
> David Fifield

Well, with SMB the parallelism is shot anyways, because you can't make more than one SMB connection to a server simultaneously (a fault of the protocol).

But isn't there some mechanism for doing that in Nmap scripts already? Runlevel, I think? Or was that a theoretical thing?

Ron

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org