Nmap Development mailing list archives
Re: Password Profiling and Password Mangling Libraries
From: George Chatzisofroniou <sophron () latthi com>
Date: Wed, 5 Jul 2017 11:30:54 +0300
On Mon, Jul 3, 2017 at 10:22 PM, Wong Wai Tuck <wongwaituck () gmail com> wrote:
I wanted to separate the libraries to separate the responsibilities of the libraries - one took care of loading username/password from files (and keeping them as two separate tables) and provides the interface for iterating through them, and the other one (pwdprofile) just solely looks at storing interesting candidates (regardless of whether they are usernames or passwords) and keeps its own list. However, I am fine with integrating it into unpwdb, since unpwdb isn't really that big!
Yes, unpwdb acts a generic username/password database library and methods that include retrieving or inserting credentials (including the profiling feature) belong there. There is no reason to separate it to a different library as long as there is only one module taking advantage of this functionality (unpwdb itself).
I was thinking from the perspective of httpspider, and how it might be similar to CeWL. Many scripts use httpspider and I felt it didn't make sense to implement it in httpspider.lua (since logic of password profiling would then be in httpspider), and rather it would be best implemented in pwdprofile (and we additionally provide a flag to activate it), and letting httpspider simply pass the response to pwdprofile for processing.
Profiling is not only about HTTP. The password profiling feature can work in many different application-layer protocols and it doesn't make sense to re-write parsers for all these. It should probably be a separate script's responsibility to collect special words in HTTP responses and print them back to the user. That would be useful by itself if a user wants to quickly retrieve unique words from a website (e.g. the company name). If the user also enables the password profiling features, these words will be added as username or password candidates. George _______________________________________________ Sent through the dev mailing list https://nmap.org/mailman/listinfo/dev Archived at http://seclists.org/nmap-dev/
Current thread:
- Password Profiling and Password Mangling Libraries Wong Wai Tuck (Jul 01)
- Re: Password Profiling and Password Mangling Libraries George Chatzisofroniou (Jul 03)
- Re: Password Profiling and Password Mangling Libraries Wong Wai Tuck (Jul 03)
- Re: Password Profiling and Password Mangling Libraries George Chatzisofroniou (Jul 05)
- Re: Password Profiling and Password Mangling Libraries Wong Wai Tuck (Jul 03)
- Re: Password Profiling and Password Mangling Libraries George Chatzisofroniou (Jul 03)