Home page logo

nmap-dev logo Nmap Development mailing list archives

Re: [NSE] How brute scripts and UN/PW scripts interact with creds
From: David Fifield <david () bamsoftware com>
Date: Thu, 29 Dec 2011 10:12:25 -0800

On Wed, Dec 28, 2011 at 09:38:16PM -0500, Brendan Byrd wrote:
On Wed, Dec 28, 2011 at 11:00 AM, Patrik Karlsson <patrik () cqure net> wrote:

Make sure to check out the latest snmp-brute that was committed a few days

Looking at it now.  Looks like it's just changes to the community string DB
reader, so I'm try to get that merged in with my own code.

At first I thought: wouldn't you achieve this by putting these 7-8
community strings in a community dictionary file (snmp-brute.communitiesdb)
and running snmp-brute and whatever other snmp script you would like output
from? As all snmp scripts should depend on snmp-brute it should find the
proper string and have it for the other scripts running once it finishes.

Besides the thing below, there's another problem: snmp-brute, and in fact,
probably most of the brute scripts, don't appear to be "thread safe".
We're talking when NMap executes 128 brute scripts for 128 hosts.  The
sending of packets appear to work just fine.  However, when a host-specific
receiver thread tells pcap that it needs to find a specific packet from its
host, Pcap will happily discard all of the good responses from every other
host until it has found the right packet for the host that this single
thread is worried about.

There's no real way of fixing this via Lua.  The script is just executing
code similar to this:

pcap:pcap_open(host.interface, 104, false, "src host " .. host.ip .. " and
udp and port " .. port.number)
-- Yay, mass discards!
local status, plen, l2, l3, _ = pcap:pcap_receive()

Are you sure about this? The pcap bindings have been designed not to
have the problem you describe. I did a test with two scripts that
capture all packets using a filter string of "ip", and both the scripts
see the same packets, even when run at the same time.

I attached the scripts. I ran them like this:
$ sudo ./nmap -e eth0 --script=test-a,test-b -d2

Does the same thing happen when you do 20 simultaneous hosts, rather
than 128? I can more easily imagine that is is caused by a limit on the
number of BPF handles or something like that.

David Fifield

Attachment: test-a.nse

Attachment: test-b.nse

Sent through the nmap-dev mailing list
Archived at http://seclists.org/nmap-dev/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]