List: nessus-plugins-writers
Subject: Re: [Plugins-writers] mssql_blank_password.nasl and
From: Dennis Jackson <Dennis.Jackson () ndirect ! co ! uk>
Date: 2004-02-26 21:46:34
Message-ID: v03110702bc641842cc01 () [192 ! 168 ! 1 ! 33]
At 1:37 +0000 26/2/2004, H D Moore wrote:
> I consider these two separate vulnerabilities. The reason is that blank
> passwords are normally the result of a default configuration or insecure
> application install (many apps bundle a wide-open MSDE service), where a
> common or weak account password is an admin/developer training issue.

I would have thought the vulnerability is the same - an
easily guessable password.
However, the reason for the vulnerability may be the
result of different actions.

Although the name of the script is mssql_brute_force.nasl,
it only checks 11 different combinations of username and
password. It isn't really a brute force attempt at guessing
the password.

> Maybe move the login routines into a mssql_funcs.inc and have each plugin
> include it? Combining them into one plugin would work, provided the
> report differentiates between blank and weak passwords.

mssql_brute_force.nasl already reports the username and
password. The only addition would be an explanation that
a blank password is likely to be the result of a default
install.

> On Wednesday 25 February 2004 18:14, Dennis Jackson wrote:
> > Should the two scripts mssql_blank_password.nasl and
> > mssql_brute_force.nasl be merged into one?
> >
> > The first script simply tests for the combination of
> > username "sa" password "". While the second script tests
> > for eleven different combinations of username and
> > password. It would be trivial to add "sa" / "" into the
> > list in mssql_brute_force.nasl
> >
> > As a further change, some of the description in
> > mssql_blank_password.nasl should be added into the report
> > produced by mssql_brute_force.nasl
> >
> >
> > Dennis.