Nmap Development mailing list archives

Re: RFC on Ncrack, A new network authentication cracker


From: "DePriest, Jason R." <jrdepriest () gmail com>
Date: Sun, 3 May 2009 22:34:51 -0500

Is the plan to include only online brute forcing or to also allow
offline banging against hashes?

The value of a brute force tool that you may only point at a live
service and hammer away with is dubious.  Services being penetrated
may be configured to properly limit the number of attempts coming from
a specific client.

This would be especially troublesome for trying to audit a live
Windows Active Directory.  That's something that would be a common
target, but would almost definitely lock you out pretty quickly.

If the offline cracking will be a feature, don't forget Rainbow
Tables!  Cain and Abel recently added the ability to use them and it
speeds things up considerably.

I think Ncrack is a wonderful idea.  Nmap is mature and actively
developed and has an awesome scripting engine.  I can't imagine what
it will be used for next.

-Jason

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org

