Nmap Development mailing list archives

Re: Password Profiling and Password Mangling Libraries


From: George Chatzisofroniou <sophron () latthi com>
Date: Wed, 5 Jul 2017 11:30:54 +0300

On Mon, Jul 3, 2017 at 10:22 PM, Wong Wai Tuck <wongwaituck () gmail com> wrote:
I wanted to separate the libraries to separate the responsibilities of the
libraries - one took care of loading username/password from files (and
keeping them as two separate tables) and provides the interface for
iterating through them, and the other one (pwdprofile) just solely looks at
storing interesting candidates (regardless of whether they are usernames or
passwords) and keeps its own list. However, I am fine with integrating it
into unpwdb, since unpwdb isn't really that big!

Yes, unpwdb acts as a generic username/password database library, and
methods that include retrieving or inserting credentials (including
the profiling feature) belong there. There is no reason to separate it
into a different library as long as there is only one module taking
advantage of this functionality (unpwdb itself).

I was thinking from the perspective of httpspider, and how it might be
similar to CeWL. Many scripts use httpspider and I felt it didn't make sense
to implement it in httpspider.lua (since logic of password profiling would
then be in httpspider), and rather it would be best implemented in
pwdprofile (and we additionally provide a flag to activate it), and letting
httpspider simply pass the response to pwdprofile for processing.

Profiling is not only about HTTP. The password profiling feature can
work in many different application-layer protocols and it doesn't make
sense to re-write parsers for all these.

It should probably be a separate script's responsibility to collect
special words in HTTP responses and print them back to the user. That
would be useful by itself if a user wants to quickly retrieve unique
words from a website (e.g. the company name). If the user also enables
the password profiling features, these words will be added as username
or password candidates.

George
_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
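The separate word-collecting script George describes above would need a CeWL-style extractor run over each HTTP response body. The following is an added illustration, not code from the thread or from Nmap's NSE libraries; `collect_words` and its minimum-length parameter are hypothetical names, and the sample body is constructed.

```lua
-- Added example: minimal CeWL-style word collector of the kind the proposed
-- script would run over an HTTP response before printing the words back to
-- the user (or, with profiling enabled, handing them to unpwdb as candidates).
local function collect_words(body, min_len)
  min_len = min_len or 4
  -- Drop script/style blocks, then any remaining tags and entities, so that
  -- markup keywords do not become candidates.
  local text = body:gsub("<script.-</script>", " ")
                   :gsub("<style.-</style>", " ")
                   :gsub("<[^>]->", " ")
                   :gsub("&[%w#]+;", " ")
  local seen, counts, words = {}, {}, {}
  for w in text:gmatch("[%a][%w'%-]*") do
    if #w >= min_len then
      local key = w:lower()
      if not seen[key] then
        seen[key] = true
        words[#words + 1] = w
      end
      counts[key] = (counts[key] or 0) + 1
    end
  end
  -- Most frequent first: the company name and product terms the thread
  -- mentions tend to dominate a site's pages. Ties sort alphabetically.
  table.sort(words, function(a, b)
    local ca, cb = counts[a:lower()], counts[b:lower()]
    if ca ~= cb then return ca > cb end
    return a:lower() < b:lower()
  end)
  return words, counts
end

-- Constructed sample response body (not a real site).
local sample = [[
<html><head><title>Acme Widgets - Login</title>
<script>var session = "ignored";</script></head>
<body><h1>Welcome to Acme Widgets</h1>
<p>Acme&nbsp;Widgets builds industrial widgets since 1984.</p></body></html>
]]

local words, counts = collect_words(sample, 4)
for _, w in ipairs(words) do
  print(w, counts[w:lower()])
end
```

With the sample above, "Widgets" (4 occurrences, case-folded) and "Acme" (3) come out first; the script-block text and the numeric token are skipped.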

