Re: [nmap-svn] r21714 - nmap/todo
From: "Luis MartinGarcia." <luis.mgarc () gmail com>
Date: Wed, 12 Jan 2011 18:53:27 +0100
On 01/12/2011 07:48 AM, commit-mailer () insecure org wrote:
+o If Nping is compiled w/o SSL support, and the user specifies an
+ encryption key, it should fail and insist they use --no-crypto
+ rather than ignoring the key and omitting crypto. Otherwise the
+ user might think they're getting encryption when they're not. David
+ found this problem in the server, and we also should check how the
+ client behaves.
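Review bot: the closing sentence of the new item ("we also should check how the client behaves") leaves the client's required behaviour unstated, while the opening only says "it should fail" without naming which side. Suggest wording the item so that both the server and the client must exit with an error when a key is given in a build without SSL support and --no-crypto is absent, which gives the item a clear criterion for being closed.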
That makes sense. I can solve this easily but first I want your opinion.

When users specify "--echo-client/server <passphrase>" the passphrase is
a mandatory argument. Users can, however, specify a NULL passphrase running:

    nping --echo-client "" echo.nmap.org

The passphrase being NULL does not mean that crypto is not used; only
that the encryption key is derived from a bunch of zeroes. So you may be
wondering, if passphrases can be NULL why is the parameter mandatory?
Why don't we make it optional and allow users to simply pass
"--echo-client"? Well, the reason why I chose to make it mandatory is
because otherwise, the target host would have to be supplied before the
"--echo-client" flag, which seems a bit counter-intuitive to me. If I
make the argument optional, the argument parser will consider the
"echo.nmap.org" in the following example as the passphrase, not as a
hostname, and will complain about a missing target server.

    nping --echo-client echo.nmap.org

So the thing is that if Nping is compiled without OpenSSL and we make
users pass "--no-crypto", they still need to supply a passphrase, which
is also a bit counter-intuitive.

    nping --echo-client "unused_passphrase" echo.nmap.org --no-crypto

So, what do we do? We could:

1. Make the passphrase an optional parameter and make users supply the
   hostname before "--echo-client" or "--echo-server".
2. Leave it as a mandatory parameter and just warn the user if
   "--no-crypto" was not supplied and there is no OpenSSL.

I'd go for number 2 because passing a passphrase is what users should
normally do, but I'm open to other opinions. What do you think?

Sent through the nmap-dev mailing list
Archived at http://seclists.org/nmap-dev/
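
The following is an added example, not part of the original message and not Nping's code: a small C sketch of the fail-closed behaviour the TODO item asks for, using the mandatory-passphrase syntax described above. All names (`parse_echo_args`, `decide_mode`, `struct echo_opts`) are hypothetical, and OpenSSL availability is passed as a parameter (an assumption) so both build variants can be exercised.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical names throughout; this is not Nping's argument parser. */
enum echo_mode { ECHO_ENCRYPTED, ECHO_PLAINTEXT, ECHO_REFUSE };

struct echo_opts {
    const char *passphrase; /* mandatory argument of --echo-client */
    const char *target;     /* first non-option argument */
    int no_crypto;          /* 1 if --no-crypto was given */
};

/* Parse "--echo-client <passphrase> <target> [--no-crypto]".
 * Returns 0 on success, -1 if the passphrase or the target is missing. */
static int parse_echo_args(int argc, char **argv, struct echo_opts *o)
{
    memset(o, 0, sizeof *o);
    for (int i = 1; i < argc; i++) {
        if (strcmp(argv[i], "--no-crypto") == 0) {
            o->no_crypto = 1;
        } else if (strcmp(argv[i], "--echo-client") == 0) {
            if (i + 1 >= argc) return -1;  /* option needs its argument */
            o->passphrase = argv[++i];     /* "" is accepted: still a key */
        } else if (o->target == NULL) {
            o->target = argv[i];
        }
    }
    return (o->passphrase && o->target) ? 0 : -1;
}

/* Fail closed: a build without OpenSSL never drops crypto silently. */
static enum echo_mode decide_mode(const struct echo_opts *o, int have_openssl)
{
    if (o->no_crypto) return ECHO_PLAINTEXT;  /* explicit opt-out */
    if (!have_openssl) return ECHO_REFUSE;    /* key given, no crypto code */
    return ECHO_ENCRYPTED;
}

int main(void)
{
    /* Constructed command line: empty passphrase, build without OpenSSL. */
    char *argv[] = { "nping", "--echo-client", "", "echo.nmap.org" };
    struct echo_opts o;
    if (parse_echo_args(4, argv, &o) != 0) return 2;
    if (decide_mode(&o, 0) == ECHO_REFUSE)
        fprintf(stderr, "no OpenSSL support: use --no-crypto to run unencrypted\n");
    return 0;
}
```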