Nmap Development
mailing list archives
Re: nmap_lua attack scripting beta release
From: kx <kxmail () gmail com>
Date: Mon, 3 Jul 2006 22:40:10 -0400
Windows compatibility issues noted below:
First off, most of this compiles on Windows just fine. In fact, I can
generate liblua.lib with only these four warnings:
loadlib.c(105) : warning C4133: 'function' : incompatible types - from
'char [261]' to 'LPWCH'
loadlib.c(120) : warning C4133: 'function' : incompatible types - from
'char [128]' to 'LPWSTR'
loadlib.c(132) : warning C4133: 'function' : incompatible types - from
'const char *' to 'LPCWSTR'
lua.obj : warning LNK4006: _main already defined in luac.obj; second
definition ignored
liblua/liblua.a(loslib.o): In function `os_tmpname':
loslib.c:(.text+0x35): warning: the use of `tmpnam' is dangerous,
better use `mkstemp'
From the notes in liblua/luaconf.h, maybe we should define
LUA_USE_MKSTEMP and see if we run into problems with systems that
don't support it. Does anyone know if mkstemp is portable enough for
us? Does Windows offer it?
I believe _mktemp_s is available in the CRT:
http://msdn2.microsoft.com/en-us/library/t8ex5e91.aspx
Speaking of compilation, have you tried compiling it on Windows yet?
So here is where the issues come in:
nmap_lua.h includes:
dirent.h
fnmatch.h
which have no native Windows support.
For dirent.h, there are a few Windows ports I believe. Or you could look at
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnucmg/html/UCMGch09.asp
for how Microsoft recommends using native calls like FindFirstFile(),
FindNextFile(), FindClose(), GetCurrentDirectory(), _getcwd()
For fnmatch.h, maybe you could implement it a different way with some
other portable comparison operator?
Also, for the system type includes like:
netdb.h, sys/socket.h, netinet/in.h, arpa/inet.h
You might want to remove those and include nmap.h instead. Fyodor is
much better on the compatibility structure of nmap, so he can tell you
the correct way to do it.
I haven't dug into this any further than that, but I am excited to get
it working on Windows.
HTH,
kx
After compilation, I gave it a try:
./nmap -sC scanme.nmap.org
[...]
PORT STATE SERVICE SCRIPT SCAN
[...]
22/tcp open ssh
| stealth sshd version: SSH-2.0-OpenSSH_4.3
80/tcp open http
| Site title: Authentication required!
In this case, the results could fit on the table line itself, but we
probably don't need to worry about optimizing for that case. The two
advantages I see for using separate lines are that it allows you to
show results from multiple scripts more easily, and helps avoid
running off the edge of the screen (and line wrapping).
But in this case, you don't get the line-wrapping-reduction advantage
because you start the new line in the same late column. I would
suggest removing the "SCRIPT SCAN" column from the table and simply
indenting the script results by a few spaces. For example:
PORT STATE SERVICE
22/tcp open ssh
| Stealth sshd version: SSH-2.0-OpenSSH_4.3
80/tcp open http
| Site title: Authentication required!
The whitespace problem becomes more acute when I next added version detection to the mix:
./nmap -sVC scanme.nmap.org
[...]
22/tcp open ssh OpenSSH 4.3 (protocol 2.0)
| stealth sshd version: SSH-2.0-OpenSSH_4.3
80/tcp open http Apache httpd 2.2.2 ((Fedora))
| Site doesn't have a title.
Note that when I add version detection, the system for some reason
fails to get the site title. This happens every time I try it from
that machine (I am running it from the same machine which hosts
scanme.nmap.org). If I run it against scanme from a machine across
the Internet, it seems to work even with -sVC. If you can't reproduce the
problem, let me know and I can send you some sort of trace (whatever
would be useful).
When I run the command "nmap -sVC -v scanme.nmap.org", Nmap reports
the status of the connect scan, service scan, and rpcgrind scan, but
says not a word about script scan. Similarly, it doesn't seem to have
runtime interaction status support (
http://www.insecure.org/nmap/man/man-runtime-interaction.html ).
Would you add these so we have a better idea what is going on under
the covers? Even '-d' doesn't give me anything extra.
We don't want to go overboard in scrolling the screen with output.
But -v should at least tell us when the scripting engine starts it
scanning and finishes (with some useful stats in the finishing line,
perhaps). -d should give more information, and at higher o.debugging
levels you can give more and more.
For more usage information refer to nmap-4.20ALPHA3-LUA/README_LUA
There does not seem to be any such file in
nmap-4.20ALPHA3-LUA.tar.bz2. Would you send it to the list?
Some demo scripts are provided in nmap-4.20ALPHA3-LUA/nmap_scripts
Looks good. I like the way that showHTMLTitle.lua uses version
detection results (if available) to find web servers to run against. I
tried running a web server on an unusual port, but service detection
found that it was http and showHTMLTitle.lua properly detected this
and found the title. Meanwhile, it didn't waste time running against
non-http services like ssh.
From our AIM discussion, it sounds like you haven't tested UDP or SSL
much/any yet. But I agree that is a good direction to take. UDP is
particularly important.
Keep up the good work. And I hope other people will start reviewing
your releases as well. That will help us develop what the broad
userbase wants, rather than just what you and I think is cool :).
Cheers,
-F
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
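The tmpnam/mkstemp point above is worth spelling out in code. The snippet below is an added example for this thread, not code from Nmap, liblua, kx or Fyodor: it shows the safe pattern that mkstemp gives you (the name is chosen and the file is created in one O_CREAT|O_EXCL open with mode 0600, so a local attacker who pre-creates a predictable name as a symlink makes the call fail instead of being followed), plus a post-open fstat check that the result really is a private regular file. The function names open_secure_tmpfile, tmpfile_is_private and demo_tmpfile, the "nmaplua-XXXXXX" template and the /tmp directory are my own choices. The Windows branch is an assumption built from the CRT's _mktemp_s (linked above) and _sopen_s with _O_CREAT|_O_EXCL; it has not been compiled here.

```c
/* Added example: atomic temp-file creation (mkstemp) versus the
 * tmpnam() name-then-open race. Not part of Nmap or liblua. */
#ifndef _WIN32
#define _POSIX_C_SOURCE 200809L
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>

#ifdef _WIN32
#include <io.h>      /* _mktemp_s, _sopen_s, close, unlink */
#include <share.h>   /* _SH_DENYRW */
#else
#include <unistd.h>  /* close, unlink */
#endif

/* Atomically create and open a fresh temporary file in 'dir'.
 * tmpnam() hands back a predictable name and leaves a window between
 * naming and opening; an attacker who pre-creates that name (e.g. as a
 * symlink) gets the victim to write wherever the link points. mkstemp()
 * instead does the open itself with O_CREAT|O_EXCL and mode 0600, so a
 * pre-existing entry makes the call fail rather than being followed.
 * Returns an open fd (>= 0) and leaves the chosen path in 'path',
 * or -1 with errno set. */
int open_secure_tmpfile(const char *dir, char *path, size_t pathlen)
{
    int n = snprintf(path, pathlen, "%s/nmaplua-XXXXXX", dir);
    if (n < 0 || (size_t)n >= pathlen) {
        errno = ENAMETOOLONG;
        return -1;
    }
#ifdef _WIN32
    /* Assumed, untested Windows branch: _mktemp_s picks the name and
     * _sopen_s with _O_CREAT|_O_EXCL refuses to open an existing file. */
    int fd = -1;
    if (_mktemp_s(path, pathlen) != 0)
        return -1;
    if (_sopen_s(&fd, path, _O_RDWR | _O_CREAT | _O_EXCL | _O_BINARY,
                 _SH_DENYRW, _S_IREAD | _S_IWRITE) != 0)
        return -1;
    return fd;
#else
    return mkstemp(path);   /* replaces the XXXXXX in place */
#endif
}

/* Post-open check on a descriptor from open_secure_tmpfile(): it must be
 * a regular file with a single link and no group/other permission bits.
 * Returns 1 if the file looks private, 0 otherwise. */
int tmpfile_is_private(int fd)
{
#ifdef _WIN32
    return fd >= 0;   /* POSIX mode bits are not meaningful on the Windows CRT */
#else
    struct stat st;
    if (fd < 0 || fstat(fd, &st) != 0)
        return 0;
    if (!S_ISREG(st.st_mode) || st.st_nlink != 1)
        return 0;
    if (st.st_mode & (S_IRWXG | S_IRWXO))
        return 0;
    return 1;
#endif
}

/* Create, verify and remove one temp file in 'dir'.
 * Returns 1 on success, 0 if creation or the privacy check failed. */
int demo_tmpfile(const char *dir)
{
    char path[512];
    int fd = open_secure_tmpfile(dir, path, sizeof path);
    if (fd < 0)
        return 0;
    int ok = tmpfile_is_private(fd);
    close(fd);
    unlink(path);
    return ok;
}

int main(void)
{
    char path[512];
    int fd = open_secure_tmpfile("/tmp", path, sizeof path);
    if (fd < 0) {
        perror("open_secure_tmpfile");
        return 1;
    }
    printf("created %s (private=%d)\n", path, tmpfile_is_private(fd));
    close(fd);
    unlink(path);
    return 0;
}
```

The fstat check is the part a reviewer would want even after switching to mkstemp: it catches a caller that later reopens the file by name, or a platform whose mkstemp does not force 0600, and it is cheap. If LUA_USE_MKSTEMP turns out not to be portable enough, the same shape (build the template, create with an exclusive-create flag, verify the descriptor) is what the Windows branch would have to provide.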