Nmap Development mailing list archives
Re: [NSE] password guessers for vulnerability scanners and exploitation frameworks
From: Patrik Karlsson <patrik () cqure net>
Date: Sun, 13 Nov 2011 11:00:29 +0100
On Fri, Nov 11, 2011 at 11:13 PM, Vlatko Kosturjak <kost () linux hr> wrote:
On 11/11/2011 07:27 PM, Patrik Karlsson wrote:Hi Kost, The attached patch contains some cleanup of the nexpose-brute script. Before I commit it though I wanted to get some opinions from the list in regards to account lockout. In general I haven't bothered too much with account lockout before, but Nexpose locks accounts after 4 incorrect attempts per default. In the community edition I have been testing it against, I can't get back in without restarting the as the only account I have gets locked. So, my question is, do we need to address this in some way, limiting the amount of tries to 3 per account and allowing the user to force more attempts through a script argument?Yes, NeXpose is the only one which have account lockout in place. How it is done for other protocols now? Kost
Hi Kost, It's not handled for any other protocols making use of the brute library as far as I know as the library did not support it until now (r27081). They way you could handle it in the past was by just supplying less passwords than the lockout limit in the dictionary. However, I've added a brute option called max_guesses that can be set either by the script or through the brute.guesses argument. When this option is set it will keep track of the amount of guesses performed against an account and stop when it reaches the limit. In the nexpose-brute script I'm setting it to 3 attempts and suggest we commit it that way? The brute library will return an additional line with information in the result to indicate that the guesses were "capped" like this: PORT STATE SERVICE REASON 3780/tcp open unknown syn-ack | nexpose-brute: | Accounts | No valid accounts found | Statistics | Performed 12 guesses in 1 seconds, average tps: 12 | Information |_ Guesses restricted to 3 tries per account to avoid lockout Final times for host: srtt: 1151 rttvar: 3273 to: 100000 I'm attaching the latest version of the script, let me know what you think. Cheers, Patrik -- Patrik Karlsson http://www.cqure.net http://twitter.com/nevdull77
Attachment:
nexpose-brute.nse
Description:
_______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://seclists.org/nmap-dev/
Current thread:
- [NSE] password guessers for vulnerability scanners and exploitation frameworks Vlatko Kosturjak (Nov 09)
- Re: [NSE] password guessers for vulnerability scanners and exploitation frameworks Patrik Karlsson (Nov 09)
- Re: [NSE] password guessers for vulnerability scanners and exploitation frameworks Vlatko Kosturjak (Nov 10)
- Re: [NSE] password guessers for vulnerability scanners and exploitation frameworks Patrik Karlsson (Nov 10)
- Re: [NSE] password guessers for vulnerability scanners and exploitation frameworks Vlatko Kosturjak (Nov 10)
- Re: [NSE] password guessers for vulnerability scanners and exploitation frameworks Patrik Karlsson (Nov 10)
- Re: [NSE] password guessers for vulnerability scanners and exploitation frameworks Patrik Karlsson (Nov 11)
- Re: [NSE] password guessers for vulnerability scanners and exploitation frameworks Vlatko Kosturjak (Nov 11)
- Re: [NSE] password guessers for vulnerability scanners and exploitation frameworks Patrik Karlsson (Nov 13)
- Re: [NSE] password guessers for vulnerability scanners and exploitation frameworks Patrik Karlsson (Nov 17)
- Re: [NSE] password guessers for vulnerability scanners and exploitation frameworks Vlatko Kosturjak (Nov 10)
- Re: [NSE] password guessers for vulnerability scanners and exploitation frameworks Patrik Karlsson (Nov 09)
- Re: [NSE] password guessers for vulnerability scanners and exploitation frameworks Vlatko Kosturjak (Nov 11)
- Re: [NSE] password guessers for vulnerability scanners and exploitation frameworks Henri Doreau (Nov 14)