Home page logo

nmap-dev logo Nmap Development mailing list archives

Re: [NSE] network interfaces
From: Ron <ron () skullsecurity net>
Date: Sun, 27 Feb 2011 19:18:06 -0600

Hash: SHA1


One month late, but I wanted to say - this sounds handy. I've run into the issue of needing info on an interface 
multiple times (though I can't remember where, DHCP was likely involved) and it'd be great to have an easier way to 
handle that! 


On Thu, 27 Jan 2011 20:02:18 +0100 Djalal Harouni <tixxdz () opendz org> wrote:
Hi list,

Trying to close an old thread:

The patch 'nse_get_interface.diff' introduce two new functions.
The first one:
nmap.get_interface() to get the interface that Nmap is using, this can
be the interface that was specified with the '-e' option or the
interface attached to the address specified with the '-S' option.
This function is for the prerule scripts.

The second function:
nmap.get_interface_info() to get the interface information.
After some reflexions, I think that we should return only the
information of the interface specified as an argument, since most
scripts will be interested in one interface, there is no need to
return a list of the available interfaces. Script writers can get the
apropriate interface name from:
* prerule mode: the above mentioned nmap.get_interface()
* hostrule, portrule modes: host.interface of the host table.
This function should replace 'nmap.get_interface_link()', used only by
the sniffer-detect.nse script.

I must also point out that in NSE the host.interface field will be set
only if we are doing a raw scan, which is the default if we have the
apropriate privileges.
(a raw scan is a scan with raw sockets, ethernet or pcap stuff)

Speaking about the 'host.interface' field can some one tell us why it
has the value of the devname instead of devfullname ?

A script 'get_interface.nse' is attached to show how we can use these
new functions.

The final patch is a simple one for libnetutil and Nping, I've found
that some functions assume that the 'devname' and 'devfullname' fields
of the 'interface_info struct' (file: libnetutil/netutil.h line: 224)
are 16 bytes length, and others assume that they are 32 bytes length.
'devname' field in the Target.h file of nmap, line 323 is 32, so this
is a *quick* patch. but perhaps it can break some code in Nping
(function: getinterfaces_inet6_linux() of file: nping/utils_net.cc).

The output of the get_interface.nse test script:
# ./nmap -PN --datadir . --script get_interface.nse -n
scanme.nmap.org -e eth0 -p80

Starting Nmap 5.36TEST4 ( http://nmap.org ) at 2011-01-27 20:15 CET
Pre-scan script results:
| get_interface: 
|   interface: eth0
|   link: ethernet 
|   address:
|   broadcast:
|_  netmask: 24
Nmap scan report for scanme.nmap.org (
Host is up (1.3s latency).
80/tcp open  http
| get_interface: 
|   interface: eth0
|   link: ethernet 
|   address:
|   broadcast:
|_  netmask: 24

Nmap done: 1 IP address (1 host up) scanned in 4.21 seconds

Version: GnuPG v1.4.9 (GNU/Linux)

Sent through the nmap-dev mailing list
Archived at http://seclists.org/nmap-dev/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]