Nmap Development mailing list archives

Re: [nmap-svn] r21714 - nmap/todo
From: "Luis MartinGarcia." <luis.mgarc () gmail com>
Date: Wed, 12 Jan 2011 18:53:27 +0100


On 01/12/2011 07:48 AM, commit-mailer () insecure org wrote:
+o If Nping is compiled w/o SSL support, and the user specifies an
+  encryption key, it should fail and insist they use --no-crypto
+  rather than ignoring the key and omitting crypto.  Otherwise the
+  user might think they're getting encryption when they're not.  David
+  found this problem in the server, and we also should check how the
+  client behaves.
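
Review bot: The closing sentence of this entry ("we also should check how the client behaves") leaves the client requirement open, while the failure behaviour is spelled out only in general terms at the top. Suggest stating that both the server and the client must fail when a key is given without SSL support, and that the error message should name --no-crypto, so the item can be closed against a concrete check on each side.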

That makes sense. I can solve this easily but first I want your opinion
on something.

When users specify "--echo-client/server <passphrase>" the passphrase is
a mandatory argument. Users can, however, specify a NULL passphrase running:

nping --echo-client "" echo.nmap.org

The passphrase being NULL does not mean that crypto is not used; only
that the encryption key is derived from a bunch of zeroes. So you may be
wondering, if passphrases can be NULL why is the parameter mandatory?
Why don't we make it optional and allow users to simply pass
"--echo-client"?  Well, the reason why I chose to make it mandatory is
because otherwise, the target host would have to be supplied before the
"--echo-client" flag, which seems a bit counter-intuitive to me. If I
make the argument optional, the argument parser will consider the
"echo.nmap.org" in the following example, as the passphrase, not as a
hostname, and will complain about a missing target server.

nping --echo-client echo.nmap.org

So the thing is that if Nping is compiled without OpenSSL and we make
users pass "--no-crypto", they still need to supply a passphrase, which
is also a bit counter-intuitive.

nping --echo-client "unused_passphrase" echo.nmap.org --no-crypto

So, what do we do? We could:

 1. Make the passphrase an optional parameter and make users supply the
hostname before "--echo-client" or "--echo-server".
 2. Leave it as a mandatory parameter and just warn the user if
"--no-crypto" was not supplied and there is no OpenSSL.
 3. ??

I'd go for number 2 because passing a passphrase is what users should
normally do, but I'm open to other opinions. What do you think?


Sent through the nmap-dev mailing list
Archived at http://seclists.org/nmap-dev/
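
The following C sketch is an added example, not code from Nping or from this message. It shows the fail-closed behaviour the TODO entry asks for, combined with the mandatory passphrase argument described above. The enum, struct and function names are hypothetical, and OpenSSL availability is passed in as a parameter instead of being a compile-time setting so that both builds can be exercised.

```c
#include <stdio.h>
#include <string.h>

/* Outcome of the startup check (hypothetical names, not Nping's). */
enum echo_mode { ECHO_ENCRYPTED, ECHO_PLAINTEXT, ECHO_REFUSE, ECHO_USAGE };

struct echo_opts {
    const char *passphrase; /* mandatory argument of --echo-client; may be "" */
    const char *target;     /* first word that is not an option */
    int no_crypto;          /* --no-crypto was given */
};

/* --echo-client always consumes the next word as its passphrase. */
static int parse_args(int argc, char **argv, struct echo_opts *o)
{
    o->passphrase = NULL; o->target = NULL; o->no_crypto = 0;
    for (int i = 1; i < argc; i++) {
        if (strcmp(argv[i], "--echo-client") == 0) {
            if (++i >= argc) return -1;        /* passphrase missing */
            o->passphrase = argv[i];
        } else if (strcmp(argv[i], "--no-crypto") == 0) {
            o->no_crypto = 1;
        } else if (o->target == NULL) {
            o->target = argv[i];
        } else {
            return -1;                         /* unexpected extra word */
        }
    }
    return 0;
}

/* Fail closed: without OpenSSL a passphrase is never silently ignored.
 * An empty passphrase still means "encrypt", so it is refused as well. */
static enum echo_mode decide(const struct echo_opts *o, int have_openssl)
{
    if (o->passphrase == NULL || o->target == NULL) return ECHO_USAGE;
    if (o->no_crypto) return ECHO_PLAINTEXT;   /* explicit opt-out */
    return have_openssl ? ECHO_ENCRYPTED : ECHO_REFUSE;
}

enum echo_mode check_cmdline(int argc, char **argv, int have_openssl)
{
    struct echo_opts o;
    if (parse_args(argc, argv, &o) != 0) return ECHO_USAGE;
    return decide(&o, have_openssl);
}

int main(void)
{
    char *argv[] = { "nping", "--echo-client", "secret", "echo.nmap.org" };
    printf("mode without OpenSSL: %d\n", check_cmdline(4, argv, 0));
    return 0;
}
```

Option 2 from the message would replace `ECHO_REFUSE` with a warning followed by plaintext operation; the sketch implements the stricter variant from the TODO entry.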