http://seclists.org/nmap-dev/2013/q3/346
For any given fingerprint from http-default-accounts-fingerprints
script http-default-accounts currently tests corresponding default
credentials if at least one of the probe URLs succeeded, namely
returned with status other than 404.
Some web servers, such as Linksys devices, respond with HTTP/401 even
for non-existent URLs. This causes the script to assume that these URLs
do exist and to test the credentials, while ideally they should be
tested only on those servers where they make sense.
The purpose of the attached patches is to reduce unnecessary credential
guessing by implementing a new optional fingerprint element, function
target_check(), which takes some already collected target information,
including a probe URL response, and returns true or false, indicating
whether the credential guessing should be attempted or not.
All of the current fingerprints have been retrofitted with simple
target validations as follows:
* If the fingerprint uses native HTTP authentication, validate that the
target's realm matches the server type.
* If the fingerprint uses form-based authentication, validate that the
probe URL returned with HTTP/200 (as opposed to perhaps HTTP/401).
When testing against the above-mentioned Linksys the difference was
notable: 14 login attempts before the patch versus 1 attempt after the
patch.
This functionality provides opportunity for further improvement by
being able to match page content to differentiate between real HTTP/200
and a custom error page. (As of now the script completely skips targets
that return HTTP/200 for non-existent pages.)
http://seclists.org/nmap-dev/2013/q3/249
- Multi-threaded (thanks to nselib/brute.lua)
- Can automatically reduce number of threads if it senses that the
target supports less than what brute.lua wants to use. Without this
feature the script tends to bail out because brute.lua default of 10
threads is too much for a lot of telnet targets. This saves the user
the trouble of finding out how much the target can take before
launching the script.
- Uses connection pooling for sending multiple login attempts across
the same connection. This significantly improves performance.
- Supports password-only logins.
Other changes:
- Fixed support for Windows telnet service.
Added support for Netgear RM356.
- Improved accuracy of target state detection.
Tested on:
- Cisco IOS
- Linux telnetd
- Windows telnet service
- Digital Sprite 2
- Nortel Contivity
- Netgear RM356
- Hummingbird telnetd
Not all SSH key formats use base64 encoding, for example SSH1 keys looks
different. So we can't blindly base64-encode the raw strings that we
receive. Attempt to return keys in the same format as is used by the
known_hosts file.
Marin Maržić noticed that port.service is set even for unmatched
services. We want this script to run especially for ports 80 and 443.
http://seclists.org/nmap-dev/2012/q4/490
Apparently it only worked before when you were running from an Nmap
source directory, where nselib was in the current directory.
Roy Woods reported the problem.
http://seclists.org/nmap-dev/2013/q3/48
If you ran the (fortunately non-default) http-domino-enum-passwords
script with the (fortunately also non-default)
domino-enum-passwords.idpath parameter against a malicious server,
it could cause an arbitrarily named file to to be written to the
client system. Thanks to Trustwave researcher Piotr Duszynski for
discovering and reporting the problem. We've fixed that script, and
also updated several other scripts to use a new
stdnse.filename_escape function for extra safety. This breaks our
record of never having a vulnerability in the 16 years that Nmap has
existed, but that's still a fairly good run. [David, Fyodor]
This case wasn't properly handled. Simply return nil.
It could also return 127.0.0.1 or 127.0.0.0/8 instead
of early exit though I doubt it makes that much sense
for user.
Removed some non-ANSI-C strftime format strings ("%F") and
locale-dependent formats ("%c") from NSE scripts and libraries.
C99-specified %F was noticed by Alex Weber
(http://seclists.org/nmap-dev/2013/q2/300)
