Nmap Development mailing list archives
Re: nmap http auth update
From: Vishal Nandwani <vlnandwa () ncsu edu>
Date: Wed, 21 Jan 2009 20:28:39 -0500
David, Thank you for your suggestions to improve the script before it gets included. I apologize for such a late reply, but we are just a group of students who stay busy on a constant basis. We just returned to class from winter break and would like to get things rolling again. In your last reply, you informed me on r10954 from 2008-11-07 as the latest build for nmap. At this point in time, is there anything later we should modify the script or should this be the build we work with? On behalf of my group members, thank you for taking the time to work with us and your guidance in this project. All the best, Vishal On Mon, Dec 8, 2008 at 11:54 AM, David Fifield <david () bamsoftware com>wrote:
On Tue, Dec 02, 2008 at 11:53:53AM -0500, Vishal Nandwani wrote:Attached in this e-mail is an NSE script titled http-dict.nse. Itupdatesthe http auth script to include md5 as well as a larger dictionary. Wehopethe community finds this useful and that the script is considered forcodeintegration into the next version of nmap.Thank you for your contribution. It is most welcome. I tried out your modified script and it worked for me. I'd like to see it included with Nmap. There are a few changes I'd like you to make before it is included. Your updated script is based on a slightly old version of http-auth.nse and it doesn't have some recent improvements from Vlatko Kosturjak. Can you make your changes again based on r10954 from 2008-11-07? Before adding any new user names and passwords to the script, I want to see measurements showing that they occur frequently, or at least documentation as to what devices use each authentication pair. It's easy to add new user names and passwords, but each one incurs a cost in run time and network traffic. Please leave the expanded dictionaries out of your updated submission. Where did the value for cnonce ("f5d6811482d3ab57d18f06dfe240f390") come from? If it's meant to be random then you could use openssl.rand_bytes or openssl.rand_pseudo_bytes. Don't be discouraged. We often ask for changes to patches before they are accepted. Thanks again for your improvements. I look forward to merging the next version of your script. David Fifield
-- Vishal L Nandwani vlnandwa () ncsu edu Senior, NC State University Computer Science _______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://SecLists.Org
Current thread:
- Re: nmap http auth update Vishal Nandwani (Jan 21)
- Re: nmap http auth update David Fifield (Jan 21)