Nmap Development mailing list archives
Request for telnetd heuristics and peculiar services
From: ithilgore <ithilgore.ryu.l () gmail com>
Date: Sun, 14 Jun 2009 03:17:03 +0300
Hello nmap-dev,

I began thinking that the best way to test some aspects of the dynamic timing engine of Ncrack is to use it against many different kinds of services. There are 2 different things I am planning for the moment:

1) Begin writing the telnetd module. As you probably know, telnet doesn't have a standard way of letting you know if your authentication succeeded (if there was a need for one) like ftp does with the special number codes. Since Ncrack will need to be able to understand any exotic routers/switches/printers/devices that have telnetd enabled, it will probably have to know what kind of different replies to expect for each authentication phase. A typical telnetd session goes like this:

    Trying XXX.XXX.XXX.XXX...
    Connected to XXX.XXX.XXX.XXX.
    Escape character is '^]'.

    "Banner goes here"

    User Access Verification

    Username: test
    Password:
    % Authentication failed

    User Access Verification

    Username: ... etc

The main problem is to be able to discern when we succeed and when we failed. Afaik most devices just show up a prompt when you login and that is usually just the symbol '>', although this can possibly change to '#' or something different than that. Based on your experience with the telnetd services, what do you think are the most common prompts and the most common 'failed authentication' messages? We will need to gather all of them eventually, so if you have in mind any exotic device that uses something more peculiar, feel free to inform me.

2) I want to test Ncrack against 'strange' service configurations. One such example is a service that gives you the results with an exponential delay after each authentication attempt. So for the first attempt of a connection the results (whether we succeeded or not) are given e.g. after 1 second, for the second attempt after 5 seconds and for the 3rd attempt after 15 seconds or something similar.

Ncrack's timing engine will have to spot this behaviour and change the number of probes it needs to send in parallel to maximize its performance. In the above case, it would probably open more connections and stop at the first authentication attempt for each connection. So, do you know any such services that have this or similar kind of behaviour by default? Also, I would like to know about services that support the manual configuration of this behaviour through their config files.

Regards,
ithilgore

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
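An added example (my own, not from ithilgore or the Ncrack code base) that models the escalating-delay service described in point 2 and shows why a timing engine would prefer fewer attempts per connection. The delay schedule (1 s, 5 s, 15 s, then tripling), the connect cost and the source-keyed backoff variant are assumptions; the last one shows the kind of rate limit that reconnecting does not reset.

```python
from math import ceil


def attempt_delay(n):
    """Constructed per-connection schedule: seconds before the n-th (1-based)
    result on one connection: 1, 5, 15, 45, ... (post's example, extrapolated)."""
    return 1.0 if n == 1 else 5.0 * 3.0 ** (n - 2)


def time_per_connection(attempts, connect_cost):
    """Wall time one connection spends to get `attempts` results."""
    return connect_cost + sum(attempt_delay(n) for n in range(1, attempts + 1))


def total_time(credentials, attempts_per_conn, parallel, connect_cost=0.5):
    """Time to test `credentials` pairs with `parallel` simultaneous connections,
    each connection making `attempts_per_conn` attempts before it is dropped.
    The delay counter is per connection, so a fresh connection starts at 1 s again."""
    conns_needed = ceil(credentials / attempts_per_conn)
    rounds = ceil(conns_needed / parallel)          # batches of parallel connections
    return rounds * time_per_connection(attempts_per_conn, connect_cost)


def best_attempts_per_connection(credentials, parallel, connect_cost=0.5, max_attempts=5):
    """The decision the timing engine has to make: how many attempts to issue on one
    connection before reconnecting. Cheap reconnects favour 1; costly ones shift it up."""
    return min(range(1, max_attempts + 1),
               key=lambda k: total_time(credentials, k, parallel, connect_cost))


def time_with_source_keyed_backoff(credentials):
    """Defender-side variant (assumption): the delay is keyed on the source address or
    the account, not the TCP connection, so reconnecting does not reset the counter
    and every attempt pays the next delay in the schedule regardless of parallelism."""
    return sum(attempt_delay(n) for n in range(1, credentials + 1))


if __name__ == "__main__":
    for cost in (0.5, 20.0):
        k = best_attempts_per_connection(100, 10, cost)
        print(f"connect cost {cost:>4}s -> best attempts/connection = {k}, "
              f"total {total_time(100, k, 10, cost):.1f}s")
    print(f"5 attempts, per-connection delay, 5 parallel: {total_time(5, 1, 5):.1f}s")
    print(f"5 attempts, source-keyed delay:               {time_with_source_keyed_backoff(5):.1f}s")
```

With a cheap reconnect the model picks one attempt per connection (100 credentials in 15 s over 10 connections), while a 20 s connect cost moves the optimum to two attempts; keying the delay on the source rather than the connection removes the shortcut entirely.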