Home page logo
/

nmap-dev logo Nmap Development mailing list archives

Re: NSE issue with shortport
From: "Eddie Bell" <ejlbell () gmail com>
Date: Wed, 14 Nov 2007 19:46:14 +0000

Looks like portnumber() doesn't have support for that form of construct

   if (port.protocol == proto and port.state == state)

Which will never be true as port.state is a string and state is a
table. I've attached a patch, could you try it out?

- eddie

On 13/11/2007, Thomas Buchanan <TBuchanan () thecompassgrp net> wrote:
I was doing some testing with 4.23RC1 today, and I noticed an issue with
NSE matching rules for a couple of scripts that use the
shortport.portnumber library routine for portrule.  The rule doesn't
seem to match, even if the port is correctly detected as open.

For example:  I'm scanning a system with SNMP enabled, so I used the
SNMPsysdesr.nse script to see what information I could get out of it.

# nmap -sU --script=SNMPsysdesr.nse --script-trace -d -p 161
192.168.xxx.yyy
Starting Nmap 4.23RC1 ( http://insecure.org ) at 2007-11-13 16:21 CST
<snip output>
SCRIPT ENGINE: Initiating script scanning.
SCRIPT ENGINE: Script scanning .
SCRIPT ENGINE: Using
/home/tbuchanan/apps/libexec/nmap/nse/?.so;./?.so;/usr/local/lib/lua/5.1
/?.so;/usr/local/lib/lua/5.1/loadall.so to search for C-modules and
/home/tbuchanan/apps/share/nmap/nselib/?.lua;./?.lua;/usr/local/share/lu
a/5.1/?.lua;/usr/local/share/lua/5.1/?/init.lua;/usr/local/lib/lua/5.1/?
.lua;/usr/local/lib/lua/5.1/?/init.lua for Lua-modules
SCRIPT ENGINE: Initialized 1 rules
SCRIPT ENGINE: Matching rules.
SCRIPT ENGINE: Running scripts.
SCRIPT ENGINE: Script scanning completed.
Host 192.168.xxx.yyy appears to be up ... good.
Interesting ports on 192.168.xxx.yyy:
PORT    STATE         SERVICE REASON
161/udp open|filtered snmp    no-response
Final times for host: srtt: 1739 rttvar: 5000  to: 100000
...

The relevant portrule section from SNMPsysdesr.nse:

require "shortport"

portrule = shortport.portnumber(161, "udp", {"open", "open|filtered"})


I'm not exactly sure how this shortport rule works, but it looks to me
like this should trigger a match on the system I scanned.  I looked at
the definition of the portnumber function in the shortport.lua file, but
nothing obvious jumped out at me.

If I go back to a older copy of the script, with the long, explicit
definition of the portrule, it works fine:

#  nmap -sU --script=SNMPv1.nse --script-trace -d -p 161 192.168.xxx.yyy
Starting Nmap 4.23RC1 ( http://insecure.org ) at 2007-11-13 16:22 CST
<snip>
SCRIPT ENGINE: Initiating script scanning.
SCRIPT ENGINE: Script scanning .
SCRIPT ENGINE: Using
/home/tbuchanan/apps/libexec/nmap/nse/?.so;./?.so;/usr/local/lib/lua/5.1
/?.so;/usr/local/lib/lua/5.1/loadall.so to search for C-modules and
/home/tbuchanan/apps/share/nmap/nselib/?.lua;./?.lua;/usr/local/share/lu
a/5.1/?.lua;/usr/local/share/lua/5.1/?/init.lua;/usr/local/lib/lua/5.1/?
.lua;/usr/local/lib/lua/5.1/?/init.lua for Lua-modules
SCRIPT ENGINE: Initialized 1 rules
SCRIPT ENGINE: Matching rules.
SCRIPT ENGINE: Will run
/home/tbuchanan/apps/share/nmap/scripts/SNMPv1.nse against
192.168.xxx.yyy:161
SCRIPT ENGINE: Running scripts.
SCRIPT ENGINE: Runlevel: 1.000000
Initiating SCRIPT ENGINE at 16:22
<snip debug output>
SCRIPT ENGINE: Script scanning completed.
Host 192.168.xxx.yyy appears to be up ... good.
Interesting ports on 192.168.xxx.yyy:
PORT    STATE SERVICE REASON
161/udp open  snmp    no-response
|  SNMPv1: .Hardware: x86 Family 15 Model 2 Stepping 8 AT/AT COMPATIBLE
- Software: Windows NT Version 4.0  (Build Number: 1381 Uniprocessor
Free )
|    System uptime: 5 days, 20:5:21.24 (50432124 timeticks)
|    System name: NT4SERVER-SP2
|    System location: Test lab
|_   System contact: <snip>


This same issue also shows up in MSSQLm.nse.  Any ideas?  I have the
full output of the scans if any more information is required.

Thanks,

Thomas

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org

Attachment: short.patch.gz
Description:


_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]