Home page logo

nmap-dev logo Nmap Development mailing list archives

Re: [nmap-svn] r21714 - nmap/todo
From: Fyodor <fyodor () insecure org>
Date: Thu, 13 Jan 2011 01:10:22 -0800

On Wed, Jan 12, 2011 at 06:53:27PM +0100, Luis MartinGarcia. wrote:

why don't we make it optional and allow users to simply pass
"--echo-client"?  Well, the reason why I chose to make it mandatory is
because otherwise, the target host would have to be supplied before the
"--echo-client" flag, which seems a bit counter-intuitive to me.

I agree, that would be a terrible UI.

So the thing is that if Nping is compiled without OpenSSL 

Remember that this is a rare situation, so we don't need to
over-optimise for it.  The Nmap Windows, Mac, and Linux binaries we
distribute all include SSL, and I imagine that most Linux
distributions include SSL support in their Nmap package as well.  And
users who compile from source will get SSL as long as they have SSL
development libraries installed, unless they specifically request to
omit it.

and we make
users pass "--no-crypto", they still need to supply a passphrase, which
is also a bit counter-intuitive.

nping --echo-client "unused_passphrase" echo.nmap.org --no-crypto

Well, they'd probably just run: nping --echo-client "" --no-crypto echo.nmap.org

Yes, the "" argument is a little annoying, but OK if we document it.

 1. Make the passphrase an optional parameter and make users supply the
hostname before "--echo-client" or "--echo-server".

I agree with you that this is unacceptable.

 2. Leave it as a mandatory parameter and just warn the user if
"--no-crypto" was not supplied and there is no OpenSSL.

Maybe we should give an error and quit rather than just warn.  Users
might not notice the warning (especially if they run the server and/or
client with a script) and could end up way more exposed than they
expect.  If both the client and server have no SSL, the program could
continue working but without the security they expected when they gave
a passphrase.

Also, right now the Nping man page suggests using --no-crypto for
public echo servers.  We might suggest using the empty passphrase ("")
for this instead.  That way the client users don't have to always
remember to pass --no-crypto.  We don't really want to get them in
that habit anyway.

Sent through the nmap-dev mailing list
Archived at http://seclists.org/nmap-dev/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]