Home page logo
/

nmap-dev logo Nmap Development mailing list archives

Re: GSoC 2011: NSE Script Development
From: Gorjan Petrovski <mogi57 () gmail com>
Date: Wed, 6 Apr 2011 16:29:29 +0200

Hello,

I have a working backorifice-info script now, but there are a few
details that need to be modified and for that I will need your help.
Please find it in the attachment. Any and all comments and critiques
are welcomed. I could supply a public virtual machine (with a limited
bandwidth) with the service installed if needed.

A quick use command:
nmap -sn -Pn --script ./backorifice-info.nse --script-args
'backorifice-info.port=<port_number>,backorifice-info.password=<password>'
<target>

The sample output is copied directly from console. As you can see the
output is not formatted yet, however I've organized the script so that
adding more commands, and formatting the output should be pretty
simple (adding rows to the "cmds" table and a formatting function).
I'm going to do this right after this mail is sent.

If there is no information about a certain category (ex. no plugins
installed), should the script return no information at all in that
category, or should it return info that there are no plugins
installed?

The BackOrifice service listens on a UDP port and every packet is
encrypted, even if a password is not supplied. The service is easily
configurable to any port and any password, so the only way to reliably
detect it would be to send an encrypted command with the correct
password to the specific port. Currently the script gets the port
number as an explicit argument and it just doesn't feel right. Having
these things in mind, should I tie it to a portrule with the default
port - 31337, as well as a hostrule?  Should I tie it to OS detection?

Which categories should I add it to?

I'll update the Script_Ideas page with the output as soon as I define it.

Cheers,
Gorjan

On Tue, Apr 5, 2011 at 4:04 PM, Gorjan Petrovski <mogi57 () gmail com> wrote:
Thanks. I actually got it working with a small optimization before I
checked my mail. Sorry for the fuss.

On Tue, Apr 5, 2011 at 5:36 AM, David Fifield <david () bamsoftware com> wrote:
On Tue, Apr 05, 2011 at 04:31:20AM +0200, Gorjan Petrovski wrote:
I'm currently implementing the encryption for the backorifice-info
script, and I have a problem with the multiplication of numbers which
are too large for lua. Is there currently a workaround for that kind
of problem in Nmap, like lua-bc
http://penlight.luaforge.net/packages/lbc.html , or should I just hack
around some kind of multiplication function which will do the trick
for me?

There are bignum routines in the openssl library. Unfortunately I don't
see a multiply function, but that's probably because we just haven't
defined a binding to it. So I would say, see if you can add a binding in
nse_openssl.cc (you can probably mostly copy the l_bignum_add function).

David Fifield


Attachment: backorifice-info.nse
Description:

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault