Nmap Development mailing list archives

Request for telnetd heuristics and peculiar services


From: ithilgore <ithilgore.ryu.l () gmail com>
Date: Sun, 14 Jun 2009 03:17:03 +0300

Hello nmap-dev,

I began thinking that the best way to test some aspects of the
dynamic timing engine of Ncrack is to use it against many different
kinds of services.

There are 2 different things I am planning for the moment:

1) Begin writing the telnetd module. As you probably know, telnet
doesn't have a standard way of letting you know if your
authentication succeeded (if there was a need for one) like ftp does
with the special number codes. Since Ncrack will need to be able to
understand any exotic routers/switches/printers/devices that have
telnetd enabled, it will probably have to know what kind of
different replies to expect for each authentication phase. A typical
telnetd session goes like this:


Trying XXX.XXX.XXX.XXX...
Connected to XXX.XXX.XXX.XXX.
Escape character is '^]'.
 "Banner goes here"

User Access Verification

Username: test
Password:

% Authentication failed


User Access Verification

Username:

... etc


The main problem is to be able to discern when we succeed and when
we failed. Afaik most devices just show a prompt when you log in
and that is usually just the symbol '>', although this can possibly
change to '#' or something different than that.

Based on your experience with the telnetd services, what do you
think are the most common prompts and the most common 'failed
authentication' messages? We will need to gather all of them
eventually so if you have in mind any exotic device that uses
something more peculiar, feel free to inform me.


2) I want to test Ncrack against 'strange' service configurations.
One such example is a service that gives you the results with an
exponential delay after each authentication attempt. So for the
first attempt of a connection the results (whether we succeeded or
not) are given e.g. after 1 second, for the second attempt after 5
seconds and for the 3rd attempt after 15 seconds or something
similar. Ncrack's timing engine will have to spot this behaviour and
change the number of probes it needs to send in parallel to maximize
its performance. In the above case, it would probably open more
connections and stop at the first authentication attempt for each
connection.

So, do you know any such services that have this or similar kind of
behaviour by default? Also, I would like to know about services that
support the manual configuration of this behaviour through their
config files.


Regards,
ithilgore
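The first question above is how to tell, from nothing but the text a telnetd sends back, whether a login succeeded or failed. The following is an added example, not part of the mail and not Ncrack's own code: it replays a constructed session shaped like the transcript in the mail and classifies each server reply by the prompt it ends on (Username:, Password:, or a command prompt ending in '>', '#' or '$') and by whether it contains a known failure message. The same classifier is what a honeypot or session-recording proxy needs in order to count failed and successful telnet logins. "% Authentication failed" is taken from the mail; the other failure phrases, the prompt regexes, the hostname "router" and all function names are assumptions.

```python
import re

# Constructed sample session, modelled on the transcript in the mail above.
# Each entry is everything the server sent between two lines typed by the
# client; the client answered "test" / "wrong" / "test" / "right".
SAMPLE_SERVER_REPLIES = [
    '"Banner goes here"\r\n\r\nUser Access Verification\r\n\r\nUsername: ',
    "Password: ",
    "\r\n% Authentication failed\r\n\r\n\r\nUser Access Verification\r\n\r\nUsername: ",
    "Password: ",
    "\r\nrouter>",
]

# "% Authentication failed" is the message from the mail; the other phrases
# are assumptions, added here as examples of wording seen on Unix telnetd
# and embedded devices.
FAILURE_RE = re.compile(
    r"authentication failed|login incorrect|login failed|access denied|bad password",
    re.IGNORECASE,
)
USERNAME_RE = re.compile(r"\b(username|login|user)\s*:\s*$", re.IGNORECASE)
PASSWORD_RE = re.compile(r"password\s*:\s*$", re.IGNORECASE)
# A command prompt: the reply stops (no trailing newline) on '>', '#' or '$'.
SHELL_RE = re.compile(r"[>#$]\s?$")


def _normalize(chunk):
    """Map telnet CRLF (and bare CR) line endings to LF."""
    return chunk.replace("\r\n", "\n").replace("\r", "\n")


def classify_prompt(chunk):
    """Return 'username', 'password', 'shell' or None for the prompt the
    server is waiting at, judged from the last non-empty line it sent."""
    text = _normalize(chunk)
    lines = [line for line in text.split("\n") if line.strip()]
    if not lines:
        return None
    tail = lines[-1]
    if USERNAME_RE.search(tail):
        return "username"
    if PASSWORD_RE.search(tail):
        return "password"
    # A shell prompt has no newline after it: the server is waiting for input.
    # A banner line such as "#####" followed by a newline is not a prompt.
    if SHELL_RE.search(tail) and not text.endswith("\n"):
        return "shell"
    return None


def has_failure_message(chunk):
    """True if the reply contains one of the known failure phrases."""
    return FAILURE_RE.search(chunk) is not None


def walk_session(server_replies):
    """Replay server replies and record the outcome of each password sent.

    The reply that follows a password prompt decides the attempt:
    a known failure message -> 'failed'; a shell prompt with no failure
    message -> 'success'; a silent re-prompt for username/password ->
    'failed' (assumption: some devices re-prompt without any message);
    anything else -> 'unknown'.
    """
    outcomes = []
    awaiting_result = False  # True once the client has answered a password prompt
    for chunk in server_replies:
        prompt = classify_prompt(chunk)
        if awaiting_result:
            if has_failure_message(chunk):
                outcomes.append("failed")
            elif prompt == "shell":
                outcomes.append("success")
            elif prompt in ("username", "password"):
                outcomes.append("failed")
            else:
                outcomes.append("unknown")
            awaiting_result = False
        if prompt == "password":
            awaiting_result = True
    return outcomes


if __name__ == "__main__":
    for chunk in SAMPLE_SERVER_REPLIES:
        print(repr(chunk[-30:]), "->", classify_prompt(chunk), has_failure_message(chunk))
    print(walk_session(SAMPLE_SERVER_REPLIES))
```

The two signals are kept separate on purpose: the failure message can arrive in the same read as the next Username: prompt (as in the transcript), so a classifier that only looks at the final prompt would miss it, and a device that re-prompts silently would look identical to one that never answered.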


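The second question concerns a service that answers each authentication attempt on a connection more slowly than the previous one. The following is an added example, not from the mail and not Ncrack's own code: it models that throttle with the 1 s / 5 s / 15 s schedule quoted in the mail and compares two ways of keying the attempt counter, by connection (which resets whenever the client reconnects, the case the mail describes) and by source address (which does not). The class and function names, the constructed source address 198.51.100.7 and the choice to hold the delay at 15 s after the third attempt are assumptions.

```python
from collections import defaultdict

# Delay schedule quoted in the mail: 1 s, 5 s, 15 s for the first three
# attempts; later attempts keep the last value (assumption).
DELAY_SCHEDULE = (1, 5, 15)


def delay_for(attempt_index):
    """Seconds the service waits before answering attempt number attempt_index (0-based)."""
    return DELAY_SCHEDULE[min(attempt_index, len(DELAY_SCHEDULE) - 1)]


class AuthThrottle:
    """Model of a service that slows down replies to authentication attempts.

    key_by="connection": the attempt counter belongs to the TCP connection,
    so it resets every time the client reconnects.
    key_by="source": the counter belongs to the client address, so
    reconnecting does not reset it.
    """

    def __init__(self, key_by):
        if key_by not in ("connection", "source"):
            raise ValueError("key_by must be 'connection' or 'source'")
        self.key_by = key_by
        self.attempts = defaultdict(int)

    def reply_delay(self, source, conn_id):
        """Record one attempt and return the delay applied to its reply."""
        key = (source, conn_id) if self.key_by == "connection" else source
        delay = delay_for(self.attempts[key])
        self.attempts[key] += 1
        return delay


def simulate_client(throttle, attempts, reconnect_every=None, source="198.51.100.7"):
    """Make `attempts` guesses from one constructed source address, opening a
    fresh connection every `reconnect_every` attempts (None = one connection
    for all of them).  Returns the per-attempt delays and their sum, i.e. the
    time a client sending its guesses back-to-back spends waiting."""
    delays = []
    conn_id = 0
    for i in range(attempts):
        if reconnect_every and i > 0 and i % reconnect_every == 0:
            conn_id += 1
        delays.append(throttle.reply_delay(source, conn_id))
    return delays, sum(delays)


if __name__ == "__main__":
    for key_by in ("connection", "source"):
        for reconnect in (None, 1):
            delays, total = simulate_client(AuthThrottle(key_by), 6, reconnect)
            print(f"key_by={key_by:10s} reconnect_every={reconnect}: {delays} total={total}s")
```

Run stand-alone, the output shows the point the mail makes from the other side: with the counter keyed by connection, a client that reconnects after every attempt never waits more than the first-attempt delay, so the growing delay only protects the service if the counter is kept per source address or per account.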



_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
