Home page logo
/

nmap-dev logo Nmap Development mailing list archives

Re: nmap-dev Digest, Vol 72, Issue 54
From: Kamal Banga <banga.kamal () gmail com>
Date: Wed, 23 Mar 2011 20:30:53 +0530

I am a second year CSE student. I have seen that many-a-times nmap users
have to do intense scans. I know CUDA and a bit about multithreaded
programming. How about developing multithreaded code for nmap. And after all
it will be a brand image for nmap! as now-a-days softwares use it. Like
Matlab is available in both single and multi threaded applications.
Kamal

On Wed, Mar 23, 2011 at 4:52 AM, <nmap-dev-request () insecure org> wrote:

Send nmap-dev mailing list submissions to
       nmap-dev () insecure org

To subscribe or unsubscribe via the World Wide Web, visit
       http://cgi.insecure.org/mailman/listinfo/nmap-dev
or, via email, send a message with subject or body 'help' to
       nmap-dev-request () insecure org

You can reach the person managing the list at
       nmap-dev-owner () insecure org

When replying, please edit your Subject line so it is more specific
than "Re: Contents of nmap-dev digest..."


Today's Topics:

  1. Re: [NSE] Draft - targets-sniffer.nse (Toni Ruottu)
  2. Re: [NSE] Draft - targets-sniffer.nse (Nick Nikolaou)
  3. Re: [NSE] SSL Fingerprint Matching (David Fifield)
  4. Re: [NSE] Draft - targets-sniffer.nse (Patrick Donnelly)
  5. Information about IPv6 project. (Nikhil Jindal)
  6. Retrieving the current time via ICMP type 14 (Chris Datfung)
  7. Re: Retrieving the current time via ICMP type 14 (jaydeep)
  8. Default user agent patch (Hani Benhabiles)


----------------------------------------------------------------------

Message: 1
Date: Tue, 22 Mar 2011 21:17:39 +0200
From: Toni Ruottu <toni.ruottu () iki fi>
Subject: Re: [NSE] Draft - targets-sniffer.nse
To: Nick Nikolaou <nikolasnikolaou1 () gmail com>
Cc: nmap-dev () insecure org
Message-ID:
       <AANLkTinmWRG9wqtoWntVtwajeaxXAVf8sn13o4j040od () mail gmail com>
Content-Type: text/plain; charset=ISO-8859-1

This thing is cool!

It fails unless you are root, for understandable reasons. Do we have
some kind of policy for scripts that require root? I think there
should be a way for scripts to report this to nmap, and nmap should
probably abort the scan if the user is has request root features while
being nonroot. I am not sure, if this is possible at the moment. I am
not sure I understand the big picture.

It would be useful for the final version to take a filter argument
that is used to filter out noise. Maybe we want to scan all service
that one host is accessing, or maybe we want to scan all hosts that
are accessing some service. I think there are some standard languages
for defining such packet filtering. We should probably implement them
in a library rather than each script specifically. What filtering
languages do we want to use? Do we already have support for one of
them?

On Tue, Mar 22, 2011 at 8:44 PM, Nick Nikolaou
<nikolasnikolaou1 () gmail com> wrote:
Hello everyone,

Attached is a draft of a targets-sniffer script. The script sniffs for a
configured amount of a time and adds addresses from packets it sees in
newtargets. (https://secwiki.org/w/Nmap_Script_Ideas#targets-sniffer)

The script still needs work but I was hoping to get some feedback from
the
list.

Example usage:
nmap -sL --script targets-sniffer.nse --script-args=newtargets

This will perform a list scan on the IP addresses it sniffs, ignoring
duplicates and broadcasts. (You can use -d to see the IP addresses as
they
are sniffed)


*Issues that need to be resolved:*

1) The sniffing interface is hard-coded at the moment. Is there a way to
get
the active interface in a prerule script? Alternatively I could change
the
rule to a hostrule. (and maybe a high enough runlevel to ensure the
script
runs first?)

2) The pcap socket doesn't time out. ?The only way I got it to timeout
was
to set the timeout value to <=1s. Even then if it sniffed a packet it
wouldn't timeout. I ended up using a temporary nmap.clock() based
solution
in order to test the script.

3) I'm not really happy with the way the script extracts the IP addresses
from the packets at the moment.

4) Any other issues you find.

Thanks for any feedback.
Nick

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/



------------------------------

Message: 2
Date: Tue, 22 Mar 2011 19:46:05 +0000
From: Nick Nikolaou <nikolasnikolaou1 () gmail com>
Subject: Re: [NSE] Draft - targets-sniffer.nse
To: Toni Ruottu <toni.ruottu () iki fi>
Cc: nmap-dev () insecure org
Message-ID:
       <AANLkTikH_v=9n8_ijiweryUYDNm=yh9VMs4efHp1-X0j () mail gmail com>
Content-Type: text/plain; charset=ISO-8859-1

Thanks for the quick replies guys.

I can't look into the other issues you mention about the script right now,
but
glancing at it I see you aren't using the Packet nselib.  Look at
nselib/packet.lua and the various raw packet scripts (ipidseq, qscan,
path-mtu, firewalk) to see how to use it (the nselib provides more than
what
scripts use right now IIRC).


For this you should use the packet library:
http://nmap.org/nsedoc/lib/packet


Thanks. I did see other scripts using the Packet library but I was having
trouble getting the IP addresses. I guess I have some more reading to do.


We don't have a way for scripts to get the list of interfaces, but
Djalal has a patch to do it: http://seclists.org/nmap-dev/2011/q1/291.
It hasn't been added yet because there isn't a script to use it, but you
can make it a part of your patch if it helps.


 I'll see if/how I could incorporate that, thanks.


 On 22 March 2011 19:17, Toni Ruottu <toni.ruottu () iki fi> wrote:



It fails unless you are root, for understandable reasons.


I forgot to mention that. I'll make sure I add it to the description field.

Nick

On 22 March 2011 19:17, Toni Ruottu <toni.ruottu () iki fi> wrote:

This thing is cool!

It fails unless you are root, for understandable reasons. Do we have
some kind of policy for scripts that require root? I think there
should be a way for scripts to report this to nmap, and nmap should
probably abort the scan if the user is has request root features while
being nonroot. I am not sure, if this is possible at the moment. I am
not sure I understand the big picture.

It would be useful for the final version to take a filter argument
that is used to filter out noise. Maybe we want to scan all service
that one host is accessing, or maybe we want to scan all hosts that
are accessing some service. I think there are some standard languages
for defining such packet filtering. We should probably implement them
in a library rather than each script specifically. What filtering
languages do we want to use? Do we already have support for one of
them?

On Tue, Mar 22, 2011 at 8:44 PM, Nick Nikolaou
<nikolasnikolaou1 () gmail com> wrote:
Hello everyone,

Attached is a draft of a targets-sniffer script. The script sniffs for
a
configured amount of a time and adds addresses from packets it sees in
newtargets. (https://secwiki.org/w/Nmap_Script_Ideas#targets-sniffer)

The script still needs work but I was hoping to get some feedback from
the
list.

Example usage:
nmap -sL --script targets-sniffer.nse --script-args=newtargets

This will perform a list scan on the IP addresses it sniffs, ignoring
duplicates and broadcasts. (You can use -d to see the IP addresses as
they
are sniffed)


*Issues that need to be resolved:*

1) The sniffing interface is hard-coded at the moment. Is there a way
to
get
the active interface in a prerule script? Alternatively I could change
the
rule to a hostrule. (and maybe a high enough runlevel to ensure the
script
runs first?)

2) The pcap socket doesn't time out.  The only way I got it to timeout
was
to set the timeout value to <=1s. Even then if it sniffed a packet it
wouldn't timeout. I ended up using a temporary nmap.clock() based
solution
in order to test the script.

3) I'm not really happy with the way the script extracts the IP
addresses
from the packets at the moment.

4) Any other issues you find.

Thanks for any feedback.
Nick

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/




------------------------------

Message: 3
Date: Tue, 22 Mar 2011 12:47:01 -0700
From: David Fifield <david () bamsoftware com>
Subject: Re: [NSE] SSL Fingerprint Matching
To: Mak Kolybabi <mak () kolybabi com>
Cc: nmap-dev <nmap-dev () insecure org>
Message-ID: <20110322194700.GW27978 () gusto bamsoftware com>
Content-Type: text/plain; charset=us-ascii

On Sun, Mar 20, 2011 at 10:13:40PM -0500, Mak Kolybabi wrote:
On 2011-02-22 13:24, David Fifield wrote:
To save space, how about storing hashes in the database without colons
separating bytes? They can continue to be shown in output.

The script now has a function that adds the colons back in when the file
is read
in.

The output looks like this:

    |_ssl-known-key:
00:28:E7:D4:9C:FA:4A:A5:98:4F:E4:97:EB:73:48:56:07:87:E4:96 is in the
database with reason Little Black Box 0.1.

Please change it to be

    |_ssl-known-key: Found in Little Black Box 0.1 -
http://code.google.com/p/littleblackbox/ (certificate hash:
00:28:E7:D4:9C:FA:4A:A5:98:4F:E4:97:EB:73:48:56:07:87:E4:96)

This will give users a little more context if they don't know what the
script is for.

The script output has been flipped around to match the second format.

Related to that, it would be nice if the description string didn't have
to be
repeated for hashes with the same description. Could the data file be
reworked
into something like this:

[Little Black Box 0.1 - http://code.google.com/p/littleblackbox/]
00:28:E7:D4:9C:FA:4A:A5:98:4F:E4:97:EB:73:48:56:07:87:E4:96
00:3A:E5:45:D6:9C:47:FB:1C:C2:53:59:AA:D7:54:62:D6:D7:89:90
00:3C:F1:AB:48:B4:6C:41:5E:48:15:10:3F:F8:28:AC:7C:60:D5:51

The script has been changed to accept sections in square brackets. Any
fingerprint before the first section is ignored and a warning is printed.

Thanks for finishing this and for writing the script in the first place.
It's always a pleasure to work with your code. I've just committed it.

David Fifield


------------------------------

Message: 4
Date: Tue, 22 Mar 2011 15:53:56 -0400
From: Patrick Donnelly <batrick () batbytes com>
Subject: Re: [NSE] Draft - targets-sniffer.nse
To: Toni Ruottu <toni.ruottu () iki fi>
Cc: Nick Nikolaou <nikolasnikolaou1 () gmail com>, nmap-dev () insecure org
Message-ID:
       <AANLkTik5P4UgM2Z8m5uR5n4fLmcu9pNdcUakNRUcu2ER () mail gmail com>
Content-Type: text/plain; charset=UTF-8

On Tue, Mar 22, 2011 at 3:17 PM, Toni Ruottu <toni.ruottu () iki fi> wrote:
This thing is cool!

It fails unless you are root, for understandable reasons. Do we have
some kind of policy for scripts that require root?

Well, ideally you would just throw an error in the script if you don't
have root, something like:

if not nmap.is_privileged() then error "i require r00t" end

we could even make that an (empty) module to require:

require "root"

I think in the past we decided it was decided that errors thrown this
way can't be used because it ends up aborting the entire scan. In
earlier versions of NSE, this would actually occur in the middle of a
scan which made it *really* annoying. Now we have NSE loaded at Nmap
startup so this isn't quite as big an issue.

I myself would like to see these types of errors ignored by NSE (as
in, "the script isn't broken, but it can't run for X reason").
Currently, as an example, we have these awkward constructions in
mysql-brute.nse:

-- ripped from ssh-hostkey.nse
-- openssl is required for this script
if not pcall(require,"openssl") then
   portrule = function() return false end
   action = function() end
   stdnse.print_debug( 3, "Skipping %s script because OpenSSL is missing.",
       SCRIPT_NAME)
   return;
end

I think it should be possible to modify (hook) require so that these
types of errors remain silent (except with debugging == 3).

I think there
should be a way for scripts to report this to nmap, and nmap should
probably abort the scan if the user is has request root features while
being nonroot. I am not sure, if this is possible at the moment. I am
not sure I understand the big picture.

We could make it so if a user requests a script "by name" that Nmap
aborts the scan when a required feature is missing, e.g. openssl or
r00t. This is similar to how we increase the verbosity when the script
is specified "by name" on the command line.

--
- Patrick Donnelly


------------------------------

Message: 5
Date: Wed, 23 Mar 2011 02:16:23 +0530
From: Nikhil Jindal <dcenikhil () gmail com>
Subject: Information about IPv6 project.
To: nmap-dev () insecure org
Message-ID:
       <AANLkTi=Fp5G7DBaftQTbyq7mbYcpL_MJhbtHZgU5f-4W () mail gmail com>
Content-Type: text/plain; charset=ISO-8859-1

Hi

I am Nikhil Jindal, pursuing B.Tech in Information Technology. I have deep
interest in networking and I want to work for nmap as a GSoc intern. I have
proficiency working with C/C++ and I have worked on network manager of
Linux
kernel. I have also implemented some small projects in networking just out
of interest. I would like to know more about this project "IPv6 Expert".
Please let me know the requirements that I need to have to be capable to
work on this project.

Regards,

Nikhil Jindal


------------------------------

Message: 6
Date: Tue, 22 Mar 2011 23:36:35 +0200
From: Chris Datfung <chris.datfung () gmail com>
Subject: Retrieving the current time via ICMP type 14
To: nmap-dev () insecure org
Message-ID:
       <AANLkTim_jq1DT1_w9cmB-gbrC+m+G2-apAJi0fbqZWzh () mail gmail com>
Content-Type: text/plain; charset=ISO-8859-1

Can nmap display the current time from a remote host that has ICMP
timestamps open? The -PP option does not include this in its open strangely
enough.

Thanks,
Chris


------------------------------

Message: 7
Date: Wed, 23 Mar 2011 04:02:40 +0530
From: jaydeep <jaydeepkhandelwal () gmail com>
Subject: Re: Retrieving the current time via ICMP type 14
To: nmap-dev () insecure org
Message-ID:
       <AANLkTinfK8YvW=kxwJFwR3CvnmfWzzuLePRi+M1Am4qp () mail gmail com>
Content-Type: text/plain; charset=ISO-8859-1

nmap also does not provide victim host name if victim is on linux machine.



On Wed, Mar 23, 2011 at 3:06 AM, Chris Datfung <chris.datfung () gmail com
wrote:

Can nmap display the current time from a remote host that has ICMP
timestamps open? The -PP option does not include this in its open
strangely
enough.

Thanks,
Chris
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/




--
Jaydeep Khandelwal
Btech 3rd year
IIIT Hyderabad


------------------------------

Message: 8
Date: Wed, 23 Mar 2011 00:22:10 +0100
From: Hani Benhabiles <kroosec () gmail com>
Subject: Default user agent patch
To: nmap-dev () insecure org
Message-ID:
       <AANLkTikUaevwRK2SY5P3w=3AmCxspyqEH_Vd2xjsSM1V () mail gmail com>
Content-Type: text/plain; charset="iso-8859-1"

Hi list,

I've noticed that in the http nselib the default user agent is hard coded
as
"Mozilla/5.0 (compatible; Nmap Scripting Engine;
http://nmap.org/book/nse.html)"
this could be easily detected by an IDS/IPS.

I've attached a patch that changes it to the user agent pfa Firefox 3.6 web
browser on a Windows 7 machine.
This would make the http traffic generated look more authentic.

Hani
-------------- next part --------------
A non-text attachment was scrubbed...
Name: http.lua.patch
Type: text/x-diff
Size: 685 bytes
Desc: not available
URL: <
http://cgi.insecure.org/mailman/private/nmap-dev/attachments/20110323/fc1ae7f0/attachment.bin


------------------------------

_______________________________________________
nmap-dev mailing list
nmap-dev () insecure org
http://cgi.insecure.org/mailman/listinfo/nmap-dev


End of nmap-dev Digest, Vol 72, Issue 54
****************************************

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]