Nmap Development
mailing list archives
Re: adding this option?
From: Brandon Enright <bmenrigh () ucsd edu>
Date: Tue, 15 Jan 2008 20:42:32 +0000
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Tue, 15 Jan 2008 20:03:51 +0000
"Eddie Bell" <ejlbell () gmail com> wrote:
Hey guys, would something like this be useful?
bash> cat commands
SSH-1.0-test_2.0
bash> ./nmap -sT -p22 localhost --script=./scripts/payloadInject.nse --script-args port=22,file=./commands
PORT   STATE SERVICE REASON
22/tcp open  ssh     syn-ack
| payload-inject:
| 53 53 48 2d 32 2e 30 2d 4f 70 65 6e 53 53 48 5f  SSH-2.0-OpenSSH_
| 34 2e 36 70 31 20 44 65 62 69 61 6e 2d 35 75 62  4.6p1 Debian-5ub
| 75 6e 74 75 30 2e 31 0a 50 72 6f 74 6f 63 6f 6c  untu0.1.Protocol
| 20 6d 61 6a 6f 72 20 76 65 72 73 69 6f 6e 73 20   major versions
|_64 69 66 66 65 72 2e 0a                          differ..
It reads a file, sends the content to a remote service (user defined
through --script-args) and displays the results in hex and ascii. It's
not ready for production yet but I hope you get the general idea. If
it is something people want I'll finish it off.
cheers
- eddie
Hi Eddie. I like how you've implemented this as an NSE script rather
than mucking with other things. The script _is_ useful but provides
about the same thing that can be accomplished with a custom
service probe and --version-trace.
In order to make this script really worth it, I think it would need to
contain multiple commands like so:
# Send everything between the opening { and closing }
payload[0] {
\x01\x02\x03\x04hello
btw, escape any closing \} with \\.\x00
}
# If some response is received, send next command
payload[1] {
send more crap\n\r\x00
}
Sending multiple payloads might be too much work for a generic NSE
script for only marginal gain. If that is the case, do we need a single
payload-inject which is only marginal gain over netcat/-sV/custom NSE
script/etc?
One script that would be really neat would be a -sV implementing NSE
script. That is, I could give the script a service probe file and it
would send the probes to the ports and run them through PCRE. I really
hate mucking with nmap-service-probes when I'm testing a one-off
probe/match. Arbitrary limitations could be put on the custom probe
file like only one probe and match or one probe, many matches, etc.
This too would be a lot of work though for only marginal gain.
Brandon
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)
iD8DBQFHjRq4qaGPzAsl94IRAkGRAJwMxTDub29whEJfUkCyYGkJ1NzxFQCfc0tU
obam/R5V24IRMmevPz7ysIU=
=GXgL
-----END PGP SIGNATURE-----
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
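The multi-payload file format Brandon sketches above (payload[N] { ... } blocks, \xNN escapes, \} and \\ for literal braces and backslashes, send the next payload only if the previous one drew a reply) and the hex/ASCII output from Eddie's script, as an added stand-alone Python prototype. This is example code written for this page, not an NSE script and not part of Nmap. Its assumptions: the newline after the opening { line and the one before the closing } line are delimiters and are not sent, interior newlines are sent, a line consisting of } alone closes a block, and the recognised escapes are \xNN, \\, \}, \n, \r and \t. The fake_sshd transport is a constructed stand-in that mimics the OpenSSH reply shown in the output above so the script runs offline; tcp_transport does the same over a real socket.

```python
"""Prototype of the proposed payload[N] { ... } format: parse it, send the
payloads in order, stop at the first one that gets no reply, and hexdump
every reply in the 16-byte hex/ASCII layout of payload-inject.
Added example; not NSE and not Nmap's own code."""
import re
import socket
from typing import Callable, Dict, List, Tuple

# Constructed sample in the proposed format (the escapes are assumptions).
SAMPLE_PAYLOAD_FILE = r"""# Send everything between the opening { and closing }
payload[0] {
SSH-1.0-test_2.0\n
}
# If some response is received, send next command
payload[1] {
\x01\x02\x03\x04hello
btw, escape any closing \} with \\.\x00
}
"""

_ESCAPE = re.compile(r'\\(x[0-9a-fA-F]{2}|.)', re.DOTALL)
_SIMPLE = {'\\': b'\\', '}': b'}', 'n': b'\n', 'r': b'\r', 't': b'\t'}
_HEADER = re.compile(r'^payload\[(\d+)\]\s*\{\s*$')


def unescape(text: str) -> bytes:
    """Body text -> raw bytes: \\xNN is one byte, \\\\ and \\} are literals."""
    out = bytearray()
    pos = 0
    for m in _ESCAPE.finditer(text):
        out += text[pos:m.start()].encode('latin-1')
        esc = m.group(1)
        if esc[0] == 'x' and len(esc) == 3:
            out.append(int(esc[1:], 16))
        elif esc in _SIMPLE:
            out += _SIMPLE[esc]
        else:
            raise ValueError(f'unknown escape \\{esc}')
        pos = m.end()
    out += text[pos:].encode('latin-1')
    return bytes(out)


def parse_payload_file(text: str) -> List[bytes]:
    """Return payload bodies ordered by index.  A line that is exactly '}'
    closes the block (assumption); '#' lines outside blocks are comments."""
    payloads: Dict[int, bytes] = {}
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        if not line or line.startswith('#'):
            continue
        m = _HEADER.match(line)
        if not m:
            raise ValueError(f'unexpected line outside a payload block: {line!r}')
        body: List[str] = []
        while i < len(lines) and lines[i].strip() != '}':
            body.append(lines[i])
            i += 1
        if i == len(lines):
            raise ValueError(f'payload[{m.group(1)}] is missing its closing }}')
        i += 1  # consume the '}' line
        idx = int(m.group(1))
        if idx in payloads:
            raise ValueError(f'duplicate payload[{idx}]')
        payloads[idx] = unescape('\n'.join(body))
    return [payloads[k] for k in sorted(payloads)]


def hexdump(data: bytes, width: int = 16) -> List[str]:
    """Hex and ASCII side by side, `width` bytes per row, non-printables as '.'."""
    rows = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = ' '.join(f'{b:02x}' for b in chunk).ljust(width * 3 - 1)
        asc = ''.join(chr(b) if 0x20 <= b < 0x7f else '.' for b in chunk)
        rows.append(f'{hexpart}  {asc}')
    return rows


# A transport sends one payload and returns whatever came back (b'' if nothing).
Transport = Callable[[bytes], bytes]


def run_payloads(payloads: List[bytes], transport: Transport) -> List[Tuple[bytes, bytes]]:
    """Send payloads in order; stop after the first one that draws no reply."""
    exchanges = []
    for p in payloads:
        reply = transport(p)
        exchanges.append((p, reply))
        if not reply:
            break
    return exchanges


def tcp_transport(host: str, port: int, timeout: float = 5.0) -> Transport:
    """One TCP connection for the whole sequence; each send is followed by a
    read that ends on close or timeout, so a silent service yields b''."""
    sock = socket.create_connection((host, port), timeout=timeout)

    def send_and_collect(payload: bytes) -> bytes:
        sock.sendall(payload)
        buf = bytearray()
        sock.settimeout(timeout)
        try:
            while True:
                chunk = sock.recv(4096)
                if not chunk:
                    break
                buf += chunk
                sock.settimeout(0.5)  # data arrived; only linger briefly for more
        except socket.timeout:
            pass
        return bytes(buf)
    return send_and_collect


def fake_sshd() -> Transport:
    """Constructed stand-in for the OpenSSH behaviour in the output above:
    answer the client version string once, then stay silent."""
    state = {'replied': False}

    def transport(payload: bytes) -> bytes:
        if not state['replied'] and payload.startswith(b'SSH-'):
            state['replied'] = True
            return b'SSH-2.0-OpenSSH_4.6p1 Debian-5ubuntu0.1\nProtocol major versions differ.\n'
        return b''
    return transport


if __name__ == '__main__':
    for sent, got in run_payloads(parse_payload_file(SAMPLE_PAYLOAD_FILE), fake_sshd()):
        print(f'sent {len(sent)} bytes, got {len(got)} bytes')
        for row in hexdump(got):
            print('| ' + row)
```

To point it at a live port, swap fake_sshd() for tcp_transport('localhost', 22). The parser closes a block only on a bare } line, so a \} inside a body never terminates it early, and any other escape raises rather than silently sending a backslash.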