Nmap Development: Re: Scripting NMAP -> or maybe NSE?"

From: Jess <jess_at_thecharbneaus.com>
Date: Thu, 1 Mar 2007 14:15:59 -0500

On Tue, Feb 27, 2007 at 06:15:44AM +0000, Brandon Enright wrote:
> On Mon, 26 Feb 2007 17:34:34 -0500
> Jess <jess_at_thecharbneaus.com> wrote:
>
> > Hello,
> > Reposting this in the nmap-dev list per suggestion from Fyodor.
> >
> > I wrote a perl script several years ago that would catalog all of the
> > open ports on our network (the network I worked on at the time). I was
> > perusing my code recently, and noticed that I had originally built this
> > to run as root. With the newer operating systems, specifically the Linux
> > distros, most are using sudo. So I was looking through the mailing list
> > archives at insecure.org, and noticed that there is now an NSE.
> >
> > The overall idea of this app is to run daily, and catalog all of the open
> > ports, then run the next day and compare the results. Kind of like an
> > AIDE for the network.
> >
> > So, I guess I have two questions:
> >
> > 1.> Is sudo safe for this? I would like to run my scripts (I am
> > rewriting now) as monitor, but make a call to nmap to get port
> > information for the current host in the scan. Is sudo a good method?
> > Any suggestions around the best way to implement this? It seems I have
> > read articles/man pages saying that sudo is not so good as it "remembers"
> > the credentials for a given user. Thoughts?
> >
> > 2.> NSE. Is this better/worse for scripting of nmap? Pros/Cons?
> >
> > Thanks Everyone!
> >
> > Jess
> >
>
> I'm assuming if you are trying to do this in a script sudo will be
> passwordless. Give "sudo nmap --interactive" and then "!/bin/bash" a try
> and you'll probably decide you don't want to go the sudo way.
>
> One of the more common Unix ways to run a binary securely as root in a
> script or for unprivileged users is to make a small (compiled) program that
> understands a few preset command line options and is SUID'd to root.
>
> Something like this pseudo C here:
>
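> /* Run Nmap securely as root */
>
> #include <stdlib.h>
> #include <stdio.h>
> #include <string.h>
>
> int main (int argc, char *argv[]) {
>
>     /* whatever needs to be here */
>
>     if (argc != 2) {
>         fprintf(stderr, "usage: root_nmap quick|everything\n");
>         return 1;
>     }
>
>     /* strings are compared with strcmp(); == would compare pointers */
>     if (strcmp(argv[1], "quick") == 0) {
>         system("nmap -T5 -v ... -oA default_file <preset ips>");
>     }
>     else if (strcmp(argv[1], "everything") == 0) {
>         system("nmap -sV -O2 -v -p- -T4 ... -oA default_file <preset ips>");
>     }
>     else { /* you get the idea */ }
>
>     /* More of whatever needs to be here */
>
>     return 0;
> }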
>
>
> Then you would compile your program and do a "chmod +s root_nmap". If you
> wanted root_nmap to be able to actually take IPs rather than have preset
> scans you'll need to be EXTRA careful that you don't allow anything other
> than IPs.
>
> I bet more than one person on this list has a nice little nmap root wrapper
> that understands presets or a very limited set of options and would be
> willing to share.
>
> Brandon
>
> --
> Brandon Enright
> Network Security Analyst
> UCSD ACS/Network Operations
> bmenrigh_at_ucsd.edu
>
Hi Brandon,
  Thanks for the reply! This sounds like exactly what I had in mind. I am not
an especially strong C programmer, but will whip something up over the next few
days. Should I repost here for some critique or should I shoot it over to one
of the comp.c programming newsgroups?

Thanks again for your suggestions!

Jess

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
Received on Mar 01 2007
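
The preset wrapper suggested in the quoted reply, extended to take a single target address, could look like the following. This is an added example, not code from either poster or from the Nmap project: it replaces system() with execve() so no shell ever parses the arguments, and it accepts a target only if inet_pton() parses it as one IPv4 literal. The nmap path, the cleaned PATH value, the trimmed preset flag lists and the choice of XML output on stdout are assumptions made for illustration.

```c
/* Added example: preset-only Nmap wrapper that never invokes a shell. */
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

#define NMAP_PATH "/usr/bin/nmap" /* assumption: where nmap is installed */
#define MAX_ARGS 12

/* Accept only one dotted-quad IPv4 literal. inet_pton() rejects hostnames,
 * CIDR blocks, ranges, embedded spaces and anything starting with '-'. */
int is_ipv4_literal(const char *s) {
    struct in_addr addr;
    return s != NULL && strlen(s) <= 15 && inet_pton(AF_INET, s, &addr) == 1;
}

/* Build a fixed, NULL-terminated argv for a named preset.
 * Returns the argument count, or -1 for an unknown preset or bad target. */
int build_argv(const char *preset, const char *target, const char *out[MAX_ARGS]) {
    int n = 0;
    if (preset == NULL || !is_ipv4_literal(target)) return -1;
    out[n++] = "nmap";
    if (strcmp(preset, "quick") == 0) {
        out[n++] = "-T5"; out[n++] = "-v";
    } else if (strcmp(preset, "everything") == 0) {
        out[n++] = "-sV"; out[n++] = "-O"; out[n++] = "-v";
        out[n++] = "-p-"; out[n++] = "-T4";
    } else {
        return -1;
    }
    out[n++] = "-oX"; out[n++] = "-"; /* XML to stdout: no root-written files */
    out[n++] = target;
    out[n] = NULL;
    return n;
}

int main(int argc, char *argv[]) {
    const char *args[MAX_ARGS];
    char *clean_env[] = { "PATH=/usr/bin:/bin", NULL };
    if (argc != 3 || build_argv(argv[1], argv[2], args) < 0) {
        fprintf(stderr, "usage: root_nmap quick|everything <IPv4 address>\n");
        return 2;
    }
    /* execve(): absolute path, fixed argv and environment, no shell parsing */
    execve(NMAP_PATH, (char *const *)args, clean_env);
    perror("execve");
    return 1;
}
```

Because the caller can only pick a preset name and one validated address, option strings such as --interactive never reach nmap.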
