Nmap Development mailing list archives
Re: Replacing usernames.lst?
From: Ron <ron () skullsecurity net>
Date: Sat, 6 Mar 2010 13:57:02 -0600
On Sat, 6 Mar 2010 20:44:21 +0100 Patrik Karlsson <patrik () cqure net> wrote:
> There are also protocols and implementations that won't allow you to list all accounts at once but do allow you to determine if an account is valid or not. Some cases even allow you to do this without the "cost" of an invalid login attempt, e.g. Kerberos [1]. Maybe some sort of collector script with a larger usernames.lst could be run against such services?
Hmm, that's a great idea! Right now, I implement that type of thing in smb-brute, since SMB will, in some cases, tell you that you have a bad username. I could see that being an extra step:

1. Discover open ports
2. Probe open ports to get potential usernames, combine it with the default list
3. Pare down the list using services that allow verification <-- New!
4. Bruteforce to get passwords
5. Use those passwords to get deeper information about the system

My smb-* scripts already do a lot of that -- in fact, points 2, 3, and 4 are all done in smb-brute.nse right now. It'd be great to standardize the process and break smb-brute.nse into its pieces, then we can leverage other services to do the same, as you suggested.
>> Once we do, we should look at standardizing where in the registry we store usernames, and ensure that unpwdb uses that location, if it's populated, instead of (or in addition to) the real list. This is one place where Nmap can seriously excel compared to other brute-forcing tools -- not many tools understand protocols enough to go through the whole sequence:
>>
>> 1. Discover open ports
>> 2. Probe open ports to get potential usernames
>> 3. Bruteforce to get passwords
>> 4. Use those passwords to get deeper information about the system
>>
>> But NSE can!
>>
>> --
>> Ron Bowes
>> http://www.skullsecurity.org
>> http://www.twitter.com/iagox86
>>
>> _______________________________________________
>> Sent through the nmap-dev mailing list
>> http://cgi.insecure.org/mailman/listinfo/nmap-dev
>> Archived at http://seclists.org/nmap-dev/
>
> [1] http://www.cqure.net/wp/krbguess/
>
> //Patrik
>
> --
> Patrik Karlsson
> http://www.cqure.net
> http://www.twitter.com/nevdull77
--
Ron Bowes
http://www.skullsecurity.org
http://www.twitter.com/iagox86
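As an added illustration of the registry hand-off Ron describes (not code from Nmap or from either poster), the sketch below has a collector script record usernames it learned from a service, and a consumer merge them ahead of the default list. The registry key nmap.registry.usernames is an assumed name for the standardized location; unpwdb.usernames() is the real NSE iterator over the default username list.

```lua
-- Added illustration, not Nmap's own code. nmap.registry.usernames is a
-- hypothetical shared location (a table keyed by username) standing in for
-- the standardized registry slot proposed in the thread.
local nmap = require "nmap"
local unpwdb = require "unpwdb"

-- Collector side: a probe script that learned a name records it once.
local function add_username(name)
  nmap.registry.usernames = nmap.registry.usernames or {}
  if name and name ~= "" then
    nmap.registry.usernames[name] = true
  end
end

-- Consumer side: yield registry names first (already tied to this host),
-- then the default list, skipping duplicates so no name is tried twice.
local function merged_usernames()
  local seen, list = {}, {}
  for name in pairs(nmap.registry.usernames or {}) do
    seen[name] = true
    list[#list + 1] = name
  end
  local status, default_iter = unpwdb.usernames()
  if status then
    for name in default_iter do
      if not seen[name] then
        seen[name] = true
        list[#list + 1] = name
      end
    end
  end
  local i = 0
  return function()
    i = i + 1
    return list[i]
  end
end

return { add_username = add_username, merged_usernames = merged_usernames }
```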