Introducing the 2011 Nmap/Google Summer of Code Team
From: Fyodor <fyodor () insecure org>
Date: Mon, 25 Apr 2011 15:02:24 -0700

Hello everyone. The Nmap Project received a spectacular bunch of
Summer of Code proposals this year, and I'm happy to report that
Google has agreed to sponsor seven of them to spend this summer
enhancing the Nmap Security Scanner! In previous summers we have
sponsored students to develop related tools such as Ncat, Nping, and
Ncrack, but this year we're focused on Nmap proper. We have three
students working on the Nmap Scripting Engine, two on IPv6, and two
general feature creepers and bug wranglers. I'm delighted to
introduce the 2011 team!

==Nmap Scripting Engine==

The Nmap Scripting Engine, first created with GSoC student Diman
Todorov in 2006, has become one of Nmap's most powerful and popular
features. It allows users to write (and share) simple scripts to
automate a wide variety of networking tasks. We now have almost 200
scripts, all documented at the NSEDoc Reference Portal
(http://nmap.org/nsedoc/). A main focus of previous years has been
improving the NSE engine and infrastructure, but this year we're going
all-out with script creation! We have chosen three SoC students to
assist with the task:

*Djalal Harouni* was a SoC student last year, and we're delighted to
have him back! He previously added important NSE features such as
prerule/postrule support and the target library (which allows newly
discovered hosts to be added by NSE scripts to Nmap's scan queue).
Djalal (AKA tixxdz) also wrote a number of valuable scripts, including
nfs-ls and nfs-statfs. This summer he will be focusing on
vulnerability and exploitation scripts to help administrators discover
weaknesses in their networks before the bad guys do. Djalal is
pursuing a PhD in Computer Science at Mentouri University in
Constantine, Algeria. He will be mentored by Henri Doreau, who has
written many great NSE scripts himself.

*Gorjan Petrovski* will be working on discovery (and miscellaneous)
NSE scripts. He is rather new to Nmap and NSE, but has already done
some great work. In particular, we have already integrated his
backorifice-info script, which provides detailed information about any
discovered instances of the backorifice backdoor. Gorjan is hoping to
graduate this year from Ss. Cyril & Methodius University in Skopje,
Macedonia with a BSc in Computer Systems Engineering and Automation.
He will be mentored by Lua expert Patrick Donnelly, who was himself a
GSoC student in '08 and '09.

*Paulino Calderon* will spend the summer improving Nmap's web scanning
support. Nmap already offers many http/https scripts, but there is
much room for improvement. The web has grown to dominate the
Internet, so it is critical that Nmap help keep people's web sites
secure. Paulino is pursuing a BSc in computer science at Canada's
University of Victoria. He has written open source web scanning
software such as the web discovery tool PHP-spdr, and has also had
code accepted into the Metasploit framework. As a penetration tester,
he has used Nmap extensively. He will be mentored by Fyodor.

All the NSE students will also have the support of NSE script
developer Mak Kolybabi as backup mentor.

The IANA has run out of IPv4 addresses to allocate and the regional
registries are expected to deplete their reserves within months. The
competition for scarce IPv4 addresses is already heating up. Various
hacky techniques (NAT, SSL SNI, name-based hosting, etc.) have been
developed to conserve IPv4 addresses, but IPv6 is the only practical
solution for fundamentally expanding the address space. Nmap was an
early IPv6 adopter, with initial support added in August 2002. But
there is a lot more Nmap could do in this regard, and Google has
sponsored two Summer of Code students to help us get there. Their
primary projects will be researching and implementing OS detection and
advanced host discovery techniques for IPv6. Nmap co-maintainer and
IPv6 expert David Fifield will be mentoring both of them:

*Luis MartinGarcia* did a great job implementing the Nping packet
generation and response analysis tool (http://nmap.org/nping/) as a
SoC student in 2009 and 2010, and we're happy to have him back this
year. He has already been researching IPv6 as a masters/PhD student
at the Polytechnic University of Madrid, and has come up with some
great ideas for host discovery.

*Xu Weilin* is an IPv6 expert in China who helped write an open source
IPv6 NAT project and has already come up with some great IPv6 Nmap OS
detection ideas. He is pursuing a BSc in Computer Science at Beijing
University of Posts and Telecommunications.

==Feature Creepers and Bug Wranglers==

There are many Nmap bugs and desired features which are quite
important but take much less than a whole summer to implement. Some
may only take hours, while others could take weeks or even a
month. The feature creepers and bug wranglers handle many such tasks
during the summer. This lets them explore and contribute to a wide
variety of the Nmap code base rather than spending the whole summer
working on just one subsystem. I'm happy to report that we have two
excellent SoC students (both to be mentored by David Fifield) filling

*Colin Rice* is an Eagle Scout and National Merit Scholar attending
Rensselaer Polytechnic Institute in Troy, New York. He is
particularly proficient in C++ and Python, which is perfect for Nmap
and Zenmap work. His previous work includes a zombie invasion
simulator, so I'm glad we have him on the team just in case.

*Shinnok* is an experienced open source developer whose recent
projects include a Netcat GUI (http://shinnok.com/projects.php). He
has also discovered numerous vulnerabilities and written quite a few
exploits. He is pursuing a BSc in Computer Science at A. I. Cuza
University in Iasi, Romania.

This is the Nmap Project's seventh year participating in the Google
Summer of Code. If you enjoy the Zenmap GUI, Ncat, Ndiff, Nping,
Ncrack, or the Nmap Scripting Engine, you're using features developed
in large part by previous Summer of Code students. Full-time coding
starts May 23, but we have already started project brainstorming and
planning. Some participants may use this community bonding period to
get an early start on coding, while others will focus on testing Nmap
and reading the code and documentation.

Please join us in welcoming this new team of Nmap SoC students! Most
of the development will be done on the nmap-dev list, where everybody
is encouraged to participate in coding, suggesting ideas, testing,
etc. With a team like this, we can't help but expect great things for
the summer of 2011!

I'd also like to offer big thanks to Google for putting another six
million dollars (over all projects) into open source development this
summer! You can read about all the other organizations and their
accepted students from http://bit.ly/gsocall.

Sent through the nmap-dev mailing list
Archived at http://seclists.org/nmap-dev/