Nmap Development mailing list archives

Re: [NSE] Dual-stack (IPv4/6) bug/feature?
From: Daniel Miller <bonsaiviking () gmail com>
Date: Wed, 06 Jun 2012 14:49:49 -0500

I tested this using this tiny test script:

local http = require "http"
local shortport = require "shortport"

portrule = shortport.http

action = function(host, port)
  local uri = "/"
  -- Deliberately passes the hostname string and port number, not the
  -- host/port tables, to reproduce the re-resolution described below.
  local ret = http.get(host.targetname, port.number, uri)
  return ret and ret['status-line']
end

I can confirm that on Linux 3.2.0, Nmap tries to connect via IPv6 for this script when an AAAA record is available, even when an IPv4 scan is requested. However, changing the http.get line to this:

local ret = http.get(host, port, uri)

...fixes the issue. Remains to be seen whether a check could be put in place (guessing in the Nsock bindings) to prevent this issue for other cases.

Dan

On 06/06/2012 02:12 PM, John Bond wrote:
Hi List,

I have noticed an issue with scanning a host that is dual-stacked, as in
it has both an A and an AAAA record associated with the name. The issue
occurs when a port is open on v4 but not v6. When nmap scans the host
www.example.com, by default it will only scan A records (correct me if I'm
wrong). However, when an NSE script using nsock passes the same
hostname, the AAAA record is preferred. If the port is only open on
v4 then the script will fail.

Here is the output from me running one of the Hadoop scripts
against a host which has the setup outlined above (real
addresses/hostnames have been altered): http://pastebin.com/eGPWiapd

I tried to trace this and I'm pretty sure it is in the nsock C code.
Although I have to admit it was a while since I last looked at this,
and when I dug into the C code I got a bit lost. I'm not sure if this
is a bug or, more precisely, where the bug lies. However, I think a good
fix would be to ensure nsock prefers A records unless nmap is run with
the -6 flag.

It is difficult for me to test, as I noticed the issue at work and I
don't have an IPv6 prefix at home. That said, if you want me to send
more information or try and find a simpler script which produces the
same problem, let me know.

john
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/


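As an added example (not from this thread and not one of Nmap's own scripts), here is a small NSE script that applies the pattern Dan describes: pass the host and port tables to the NSE libraries and sockets instead of host.targetname and port.number, so that a dual-stacked name is not resolved again (and possibly to its AAAA record) during an IPv4 scan. The script name, description and output strings are made up; it assumes that http.get(host, port, ...) and socket:connect(host, port) connect to host.ip, the address the port scan actually ran against, which is what the reply above reports.

```lua
-- Added example, not from the nmap-dev thread or the Nmap script collection.
-- Demonstrates connecting to the scanned address (host.ip) rather than
-- re-resolving the hostname given on the command line.
local http = require "http"
local nmap = require "nmap"
local shortport = require "shortport"
local stdnse = require "stdnse"

description = [[
Fetches / over HTTP using the address Nmap scanned, not the target name,
so a dual-stacked (A + AAAA) host is not re-resolved to IPv6 in an IPv4 scan.
]]
categories = {"safe", "discovery"}

portrule = shortport.http

action = function(host, port)
  local out = {}

  -- host.ip is the address the port scan ran against; host.targetname is
  -- the name given on the command line (nil when an address was given).
  -- nmap.address_family() is "inet" for an IPv4 scan and "inet6" for -6.
  out[#out + 1] = ("scanned address: %s (%s)"):format(host.ip, nmap.address_family())
  out[#out + 1] = ("target name:     %s"):format(host.targetname or "(none)")

  -- Pass the host and port tables, not host.targetname / port.number, so the
  -- library connects to host.ip instead of resolving the name a second time.
  local resp = http.get(host, port, "/")
  if not resp or not resp["status-line"] then
    return stdnse.format_output(false, "HTTP request to " .. host.ip .. " failed")
  end
  out[#out + 1] = "HTTP: " .. resp["status-line"]

  -- The same rule applies to raw nsock sockets used by other scripts:
  -- connect(host, port) with the tables uses the scanned address.
  local sock = nmap.new_socket()
  sock:set_timeout(5000)
  local ok, err = sock:connect(host, port)
  if ok then
    sock:close()
    out[#out + 1] = "raw connect to " .. host.ip .. ": ok"
  else
    out[#out + 1] = "raw connect to " .. host.ip .. ": " .. (err or "failed")
  end

  return stdnse.format_output(true, out)
end
```

Run it against a dual-stacked name with a plain IPv4 scan (for example, nmap -p80 --script ./example-scanned-address.nse www.example.com, assuming the file is saved under that name) and the reported scanned address should be the A record, with both the HTTP request and the raw connect going to it; with -6 the same script follows the AAAA record, because host.ip is whatever Nmap scanned.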

