
Gave better use of Credentials.new(...) first argument #159

Closed
G10h4ck opened this Issue Jun 13, 2015 · 3 comments

G10h4ck commented Jun 13, 2015

In the NSE creds library the first argument of Credentials.new(...) is at the moment a string used mostly for debugging purposes, and it is called scriptname; this way it is not very useful, while with little or no change it could be used as a name for the credential storage, making it easier for different scripts sharing the same credentials/protocols to coordinate.
At the moment, if from a script or a library you need to access credentials generated by other scripts, like a *-brute script, you have to pass creds.ALL_DATA as the first argument and iterate over the whole storage, then you have to discern which is the credential you need among all the credentials that share host and port with the one you are interested in; this may result in a complicated problem.

To understand the situation better, let's imagine the user runs something like
nmap -p 80 --script=joomla-brute --script=wordpress-brute --script=wordpress-escalation --script=joomla-logbang mypoorserver.poo
assuming that joomla-logbang needs credentials bruted by joomla-brute and that wordpress-escalation needs credentials bruted by wordpress-brute.

No problem for *-brute scripts that use SCRIPT_NAME to store the credentials they found, but what will happen to both joomla-logbang and wordpress-escalation?
They will iterate over the whole storage passing creds.ALL_DATA and they will not be able to discern which credentials are for wordpress and which are the joomla ones.

If instead of SCRIPT_NAME we used a service-oriented defined constant like "http.wordpress", "http.joomla" or "snmp.communities", as you can see on this branch
https://gitlab.com/g10h4ck/nmap-gsoc2015/commits/hotfix/122-newstyle
scripts would not suffer and would get the credentials they need in a whim.

G10h4ck commented Jul 9, 2015

I have renamed the branch to hotfix/159 so you can find it at
https://gitlab.com/g10h4ck/nmap-gsoc2015/commits/hotfix/159

The direction makes sense to me but in large enterprise environments it is not uncommon to see multiple instances of the same server app running on different ports on the same server. This means that the point Gio is raising still does not completely go away with the proposed change of tagging just by application.

That said, my personal approach to the more offensive NSE scripts (such as brute-forcing credentials) is that I almost exclusively target only one application instance at a time anyway, so I do not have much of a problem with how things work right now.

G10h4ck commented Aug 17, 2015

After a discussion with dmiller I have done some experiments using that argument as a table, so a credential can have multiple "tags":

https://gitlab.com/g10h4ck/nmap-gsoc2015/commit/aabde3cfc5a6a532aa59b476b3f4814fac510c5b

It is already functional but not so optimized; to improve performance a bytag index is created, but at the moment it is not really used when retrieving credentials.
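To make the design discussed in this thread concrete, here is an added example (not code from nmap's creds.lua or from the linked branch) that models a tag-indexed credential store in Python: each credential carries a set of tags such as "http.wordpress" and the name of the script that found it, a bytag index is consulted on lookup, and host/port filters cover the case raised above of the same application on several ports. Names (CredentialStore, Credential, build_sample_store) and the sample hosts and passwords are constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Credential:
    host: str
    port: int
    user: str
    password: str
    state: str = "VALID"   # mirrors the idea of a credential state, value is illustrative

class CredentialStore:
    """Hypothetical model of a creds storage keyed by multiple tags per entry."""
    def __init__(self):
        self._entries = []   # list of (frozenset(tags), Credential)
        self._bytag = {}     # tag -> set of entry indices: the "bytag" index

    def add(self, tags, cred):
        tags = frozenset(tags)
        idx = len(self._entries)
        self._entries.append((tags, cred))
        for t in tags:
            self._bytag.setdefault(t, set()).add(idx)
        return idx

    def get(self, tags=None, host=None, port=None):
        """Return credentials carrying ALL requested tags, narrowed by host/port.
        With no tags this behaves like iterating the whole storage (ALL_DATA)."""
        if tags:
            candidates = None
            for t in tags:
                hits = self._bytag.get(t, set())
                candidates = hits if candidates is None else candidates & hits
        else:
            candidates = set(range(len(self._entries)))
        out = []
        for i in sorted(candidates):   # deterministic order for callers and tests
            _, c = self._entries[i]
            if host is not None and c.host != host:
                continue
            if port is not None and c.port != port:
                continue
            out.append(c)
        return out

def build_sample_store():
    """Constructed data for the scenario in the issue: two apps on one host,
    plus a second wordpress instance on another port (the enterprise caveat)."""
    store = CredentialStore()
    h = "mypoorserver.poo"
    store.add({"http.joomla", "joomla-brute"}, Credential(h, 80, "jadmin", "j00mla"))
    store.add({"http.wordpress", "wordpress-brute"}, Credential(h, 80, "wpadmin", "w0rdpress"))
    store.add({"http.wordpress", "wordpress-brute"}, Credential(h, 8080, "wpadmin2", "s3cond"))
    return store
```

A consumer script such as wordpress-escalation would call get(tags={"http.wordpress"}, host=..., port=...) and receive only the matching entries instead of sifting through everything on that host and port.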

@nmap-bot nmap-bot closed this in 569e954 Aug 20, 2015

qha added a commit to qha/nmap that referenced this issue Dec 16, 2015
