Home page logo

nmap-dev logo Nmap Development mailing list archives

Re: [NSE] How brute scripts and UN/PW scripts interact with creds
From: Patrik Karlsson <patrik () cqure net>
Date: Thu, 29 Dec 2011 19:41:24 +0100

On Thu, Dec 29, 2011 at 7:12 PM, David Fifield <david () bamsoftware com>wrote:

On Wed, Dec 28, 2011 at 09:38:16PM -0500, Brendan Byrd wrote:
On Wed, Dec 28, 2011 at 11:00 AM, Patrik Karlsson <patrik () cqure net>

Make sure to check out the latest snmp-brute that was committed a few

Looking at it now.  Looks like it's just changes to the community string
reader, so I'm try to get that merged in with my own code.

At first I thought: wouldn't you achieve this by putting these 7-8
community strings in a community dictionary file
and running snmp-brute and whatever other snmp script you would like
from? As all snmp scripts should depend on snmp-brute it should find
proper string and have it for the other scripts running once it

Besides the thing below, there's another problem: snmp-brute, and in
probably most of the brute scripts, don't appear to be "thread safe".
We're talking when NMap executes 128 brute scripts for 128 hosts.  The
sending of packets appear to work just fine.  However, when a
receiver thread tells pcap that it needs to find a specific packet from
host, Pcap will happily discard all of the good responses from every
host until it has found the right packet for the host that this single
thread is worried about.

There's no real way of fixing this via Lua.  The script is just executing
code similar to this:

pcap:pcap_open(host.interface, 104, false, "src host " .. host.ip .. "
udp and port " .. port.number)
-- Yay, mass discards!
local status, plen, l2, l3, _ = pcap:pcap_receive()

Are you sure about this? The pcap bindings have been designed not to
have the problem you describe. I did a test with two scripts that
capture all packets using a filter string of "ip", and both the scripts
see the same packets, even when run at the same time.

I attached the scripts. I ran them like this:
$ sudo ./nmap -e eth0 --script=test-a,test-b -d2

Does the same thing happen when you do 20 simultaneous hosts, rather
than 128? I can more easily imagine that is is caused by a limit on the
number of BPF handles or something like that.

David Fifield

Sent through the nmap-dev mailing list
Archived at http://seclists.org/nmap-dev/

I guess the change I made, adding the source port to the BPF filter doesn't
Anyway, I'm having trouble running your scripts as they instantly crash, it
seems to be a problem in the packet library.
I think I've tracked it down to a SSL session to twitter. Any TCP/IP guru
that would like to debug?

Patrik Karlsson
Sent through the nmap-dev mailing list
Archived at http://seclists.org/nmap-dev/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]