Re: Nping->payload in --tcp-connect mode
From: "Luis MartinGarcia." <luis.mgarc () gmail com>
Date: Tue, 20 Dec 2011 00:02:09 +0100
On 12/19/2011 10:32 PM, Remo the Last wrote:
Hello everyone, this is my first post on this list. My name is Marco (Re | Remo the Last | RemotheLast) and it is a pleasure to be part of it.

So, I post on the list about the specific application Nping.

I often use packet generators for my tests on local devices or, a few times (not very ethical), remote devices just to have true proof of what I am doing. I use scapy (so Python) and I have good experience with net scanners using Perl. I am not the best in either language but I can say my programs are perfectly working.

Nping is a good packet generator but I found it has a limitation on the argument --tcp-connect because it does not allow any payload to be sent. If I use the argument --tcp there is a payload but there is no connection with the server. I understand the reasons for these two arguments: 1) Nping is a prober based on packet crafting, 2) Nping analyses the answers of the remote devices.

Using scapy I have created a piece of software that connects to a remote device (on any TCP port) and floods it using a raw stream. So, I flood the remote port with an unlimited number of packets using a TCP connection. It is more than a simple flooder. Very often I get the remote device down on ports 23 and 53 (other ports are vulnerable but have to be tested). Using this program I found that many Cisco devices are very vulnerable to my attack, and other brands are vulnerable to this attack even on the secure connections they try to provide. This program is made using scapy, and inside of it I create a crafted payload that I can use for specific injections. And it works.

So, the question is: "Is it possible to create a function for Nping that permits sending any specific payload using the --tcp-connect argument?"

I can say it would reduce (at most) my program because Nping, with this argument I am suggesting, will do it all!
I have implemented that functionality on an experimental branch of Nping (revisions r27556, r27557 and r27558). The branch is called nping-bugfixes and is in /nmap-exp/luis/nping-bugfixes in Nmap's SVN repo. You can give it a try if you want, but the code is still buggy and there is a lot of functionality that has not been implemented yet. However, note that future versions of Nping will implement payloads for --tcp-connect mode, so you can always wait until the experimental branch gets merged into trunk.
Sent through the nmap-dev mailing list
Archived at http://seclists.org/nmap-dev/