Nmap Development mailing list archives

Status Report #10 of 15


From: ithilgore <ithilgore.ryu.l () gmail com>
Date: Tue, 06 Jul 2010 12:25:35 +0300


Accomplishments:

* Finished the SMB module.
I achieved an incredible rate of ~5000 passwords/sec against a Windows XP
SP 3 box and successfully cracked my test account in almost 3 seconds
trying the whole default.pwd list for one username!
The module will be extended in the near future to support more
authentication mechanisms (the default is now NTLMv1) and NetBIOS, but we
decided with Fyodor that right now there are higher priorities that need to
be addressed.

* Found a large source of usernames to be potentially included in the new
username list that is being compiled. We are talking about 4 million here.

* Started doing research on the new RDP module. Right now, as far as I
know, the only (public) tool close to a real RDP bruteforcer is a patch by
jmk of foofus for the rdesktop application
(http://www.foofus.net/~jmk/rdesktop.html) which was based on patches made
by Nmap contributor/developer Patrik Karlsson
(http://www.cqure.net/wp/rdesktop-patches/). There is also a closed-source,
Windows-only, RDP-only program called tsgrinder.
Microsoft has already opened the specifications of the Remote Desktop
Protocol, and extensive documentation can be found in their MSDN library
(http://msdn.microsoft.com/en-us/library/cc240445%28v=PROT.10%29.aspx).
Although RDP is a fairly complex protocol, the rdesktop source code has
proven really valuable in dissecting it.


Priorities:

* Start compiling username list.
* Continue research on RDP and start coding the module.


Cheers,
ithilgore



-- 
http://sock-raw.org
http://twitter.com/ithilgore
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/