Nmap Development mailing list archives

Re: Some scripts for analyzing NetBus
From: David Fifield <david () bamsoftware com>
Date: Tue, 18 Jan 2011 11:01:40 -0800

On Sun, Jan 16, 2011 at 10:11:19AM +0200, Toni Ruottu wrote:
> On Sun, Jan 16, 2011 at 6:56 AM, David Fifield <david () bamsoftware com> wrote:
>> On Sat, Jan 15, 2011 at 05:37:53PM +0200, Toni Ruottu wrote:
>>> To this mail, I have attached a patch that should fix all the netbus
>>> script problems that have been pointed out. I noticed that sometimes
>>> dns-zone-transfer.nse breaks the session. As we know now, NetBus
>>> sessions are very fragile. Running any other scripts that operate on
>>> the same port simultaneously is very likely to break the server. I did
>>> not include a fix for this problem in the patch as I was not sure what
>>> to do. Should we have all scripts that match port 12345 depend on all
>>> netbus scripts? I also did not change any categories, as the question
>>> is still open.
>>>
>>> -portrule = shortport.version_port_or_service (12345, "netbus", {"tcp"})
>>> +portrule = shortport.version_port_or_service ({}, "netbus", {"tcp"})
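Review bot: the empty port table in `+portrule = shortport.version_port_or_service ({}, "netbus", {"tcp"})` reads like a typo rather than a deliberate choice, and nothing in the hunk documents it. A one-line comment above the portrule stating that the script is meant to run only on services that version detection has already classified as netbus, and intentionally not on a bare port 12345, would make the intent clear to the next reader and reviewer.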

>> Is this a typo, Toni?

> It is not a typo. The netbus-version script checks whether or not the
> service responds to a netbus authentication message. Thus if the
> service has already been detected as a netbus service and it does not
> respond to an authentication attempt, we know that it is not the official
> service, and mark it as a Netbuster service. However, we cannot reason
> much about some non-netbus service running on port 12345 that does not
> respond to netbus authentication.
>
> There are other differing characteristics as well, such as the
> connection limit. A regular netbus server can handle more than one
> connection, but Netbuster can only handle one. So trying to send
> commands over multiple connections may be used to detect Netbuster. I
> wrote another version script that does this test, but scanning for the
> connection limit is a bit complex, and I am not sure how reliable it
> is in various cases. At some point it might make sense to write a
> connection limit detection library, and use that to enhance version
> script results. For now I decided to go with the simpler script
> that seems to work correctly.

Okay, I think I understand now. I interpreted that to mean that the
script will run on all ports, regardless of version detection status,
but it actually means that it will run on no ports, except those that
have already been classified as netbus.

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
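The two points discussed in the thread, the empty port list in the portrule and the connection-limit test for telling Netbuster from a real NetBus server, sketched as an NSE version script. This is an added example, not the Nmap project's netbus-version script or Toni's attached patch; the session cap, the assumption that the server sends a banner line on every accepted connection, and the use of a single-session limit as the Netbuster signal are assumptions of this example.

```lua
local nmap = require "nmap"
local shortport = require "shortport"

description = [[
Added example, not the Nmap project's own netbus-version script: counts how
many simultaneous sessions a service already classified as "netbus" accepts.
The thread notes that a genuine NetBus server handles several connections
while Netbuster handles only one, so a limit of one suggests Netbuster.
]]

categories = {"version"}

-- Empty port list: match only on the version-detected service name, never
-- on a bare port 12345 whose service is still unknown (the semantics
-- discussed in the thread).
portrule = shortport.version_port_or_service({}, "netbus", {"tcp"})

-- Assumed for this example: try at most this many parallel sessions.
local MAX_SESSIONS = 3

-- Opens sessions one at a time, keeping each open, and returns how many the
-- server greeted before one failed. Assumes the server sends a banner line
-- on connect and closes (or refuses) a connection once its limit is reached.
local function count_parallel_sessions(host, port)
  local open, accepted = {}, 0
  for _ = 1, MAX_SESSIONS do
    local sock = nmap.new_socket()
    sock:set_timeout(3000)
    if not sock:connect(host, port) then break end
    local status = sock:receive_lines(1)
    if not status then
      sock:close()
      break
    end
    accepted = accepted + 1
    open[#open + 1] = sock
  end
  -- Close every session we held open so the fragile server is left alone.
  for _, s in ipairs(open) do s:close() end
  return accepted
end

action = function(host, port)
  local n = count_parallel_sessions(host, port)
  if n == 1 then
    -- Assumption from the thread: a single-session limit indicates Netbuster.
    port.version.product = "Netbuster"
    nmap.set_port_version(host, port)
  end
  return ("accepted %d parallel session(s)"):format(n)
end
```

Because the thread reports that concurrent scripts on the same port break NetBus sessions, a script like this should not be run alongside other netbus scripts against the same target.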

