Nmap Development mailing list archives

Re: Valid usernames but no password with Creds library


From: Patrik Karlsson <patrik () cqure net>
Date: Thu, 7 Jul 2011 17:54:35 +0200

Currently, the brute library just stores discovered passwords into the credential database.
Unless a script author explicitly tells the library to iterate over discovered usernames, or specifies a file with them 
using the userdb script argument, it won't.
The brute library supports custom iterators, so adding one that would iterate over discovered accounts should work.

I usually like to run these kinds of exercises in two steps:
1. enumerate users
2. use the users from step 1 together with an assignment-specific dictionary against the service

This gives me (at least a sense of) more control over what's happening.
That said, I'm probably not the best person to suggest what the approach for this would be.
If someone has an idea and wants to dive into the brute and cred library to implement it, feel free.
I'll try to assist in any way I can.

//Patrik


On Jul 7, 2011, at 5:08 PM, Toni Ruottu wrote:

If we know the user names, would it not make sense for brute scripts
to try passwords for those user names rather than generic user names?
Does that currently happen? How should that work?

On Thu, Jul 7, 2011 at 1:47 PM, Patrik Karlsson <patrik () cqure net> wrote:

On Jul 7, 2011, at 9:05 AM, Paulino Calderon wrote:

Hi Patrik,
   I'm updating scripts to use your credentials library and I'm wondering what your thoughts are about adding valid 
usernames even when we don't have a password. Right now, there is not a way to differentiate when a password is 
blank and when we don't have one since both show the string "<empty>". How do you guys think we should address 
this? Or do you think we shouldn't add credentials to the table if we don't have both a username and password?

Ps. I'm ccing this to nmap-dev for future reference.

Cheers.

--
Paulino Calderón Pale
Web: http://calderonpale.com
Twitter: http://www.twitter.com/paulinocaIderon



Hi Paulino,

I'm guessing that these valid usernames come from some of the enumeration scripts?
I see the credential library (database) as two things:
1. storage for discovered credentials, that can be used for consistent output in script results (eg. "Account 
locked" etc.)
2. storage for discovered credentials, that can be queried from other scripts to get known, valid credentials

For case 1, I guess it could make sense to output even discovered user names; in this case we need to find a way to 
distinguish them from discovered credentials.
For me personally, I would probably want them in a separate "section" and not mixed together with discovered 
credentials.

For case 2, I wouldn't want them mixed with the discovered or parameter supplied credentials.
Here, I think it would probably make sense to assign them their own State, maybe KNOWN_USER/VALID_USER or whatever.
In this case, they can be queried by using the state mask in getCredentials if someone wishes to do that.

I'm guessing a valid use case for 2 could be:
sip-enum-users -> store discovered users to creds library (eg. add("1000",nil, creds.State.KNOWN_USER) )
sip-brute -> gets discovered users (eg. getCredentials(creds.State.KNOWN_USER + creds.State.VALID) )

Does that make sense?

//Patrik
--
Patrik Karlsson
http://www.cqure.net
http://www.twitter.com/nevdull77

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/


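The flow proposed in the thread (an enumeration script stores usernames under a dedicated state, a brute script pulls them back through a state mask and feeds only those accounts to its password loop) as an added example. This is not code from the thread or from Nmap's brute/creds libraries: the State values, the KNOWN_USER state itself, the in-memory credential table and the get_credentials/known_users_iterator helpers are assumptions modelled on the proposal so the logic can be run with plain Lua; only the iterator shape (a coroutine.wrap'ed function yielding user, pass pairs and nil, nil once exhausted) follows the convention brute.lua documents for custom iterators.

```lua
-- Added example, not code from the nmap-dev thread or from Nmap's brute/creds
-- libraries. Plain Lua 5.1+ model of a brute-style custom iterator that only
-- tries passwords against accounts an enumeration script already confirmed.

-- Assumed state table. Real creds.State values differ and Nmap has no
-- KNOWN_USER state; it is the state proposed in the thread.
local State = {
  LOCKED     = 1,
  VALID      = 2,
  DISABLED   = 4,
  PARAM      = 16,
  KNOWN_USER = 32,
}

-- Constructed sample of what an enumeration script, a previous brute run and
-- a user-supplied script argument might have left in the credential store.
local cred_db = {
  { user = "1000",  pass = nil,      state = State.KNOWN_USER },
  { user = "1001",  pass = nil,      state = State.KNOWN_USER },
  { user = "1001",  pass = nil,      state = State.KNOWN_USER }, -- duplicate entry
  { user = "1002",  pass = "secret", state = State.VALID },      -- already cracked
  { user = "guest", pass = nil,      state = State.DISABLED },
  { user = "admin", pass = "admin",  state = State.PARAM },      -- from a script arg
}

-- True when the single power-of-two flag is set in state. Arithmetic so it
-- works on Lua 5.1 (no bit operators, no bit32 module).
local function has_state(state, flag)
  return state % (flag * 2) >= flag
end

-- True when state shares at least one bit with mask (mask may combine
-- several states, e.g. State.KNOWN_USER + State.VALID).
local function matches_mask(state, mask)
  local bit = 1
  while bit <= mask do
    if mask % (bit * 2) >= bit and state % (bit * 2) >= bit then
      return true
    end
    bit = bit * 2
  end
  return false
end

-- Model of getCredentials(mask): iterate records whose state matches the mask.
local function get_credentials(db, mask)
  return coroutine.wrap(function()
    for _, c in ipairs(db) do
      if matches_mask(c.state, mask) then coroutine.yield(c) end
    end
  end)
end

-- Custom iterator in the shape brute.lua expects: a coroutine.wrap'ed
-- function yielding user, pass pairs, then nil, nil forever once exhausted.
-- Accounts with a VALID credential are skipped so a known password is not
-- guessed again, and duplicate KNOWN_USER entries are collapsed.
local function known_users_iterator(db, passwords)
  local cracked, candidates = {}, {}
  for c in get_credentials(db, State.KNOWN_USER + State.VALID) do
    if has_state(c.state, State.VALID) then
      cracked[c.user] = true
    else
      candidates[#candidates + 1] = c.user
    end
  end
  local users, seen = {}, {}
  for _, u in ipairs(candidates) do
    if not cracked[u] and not seen[u] then
      seen[u] = true
      users[#users + 1] = u
    end
  end
  return coroutine.wrap(function()
    for _, user in ipairs(users) do
      for _, pass in ipairs(passwords) do
        coroutine.yield(user, pass)
      end
    end
    while true do coroutine.yield(nil, nil) end
  end)
end

-- Drive the iterator the way an engine would, with a constructed dictionary.
local passwords = { "1234", "0000", "password" }
local next_cred = known_users_iterator(cred_db, passwords)
while true do
  local user, pass = next_cred()
  if not user then break end
  print(("try %s:%s"):format(user, pass))
end
```

In a real script the same known_users_iterator would be handed to the engine with setPasswordIterator and the dictionary would come from unpwdb rather than an inline table; the point of the example is the selection logic: only 1000 and 1001 reach the password loop, while the cracked account, the disabled account and the parameter-supplied credential stay out of it, which is also what keeps the run from re-locking accounts that a previous pass already hit.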
