Home page logo
/

nmap-dev logo Nmap Development mailing list archives

Re: [NSE][patch] Add AUTH_UNIX to rpc.lua, let nfs-* run without portmapper
From: Daniel Miller <bonsaiviking () gmail com>
Date: Tue, 19 Jun 2012 12:48:32 -0500

On 06/18/2012 05:06 PM, Daniel Miller wrote:
On 04/20/2012 08:00 AM, Patrik Karlsson wrote:


On Thu, Apr 5, 2012 at 2:31 PM, Daniel Miller <bonsaiviking () gmail com <mailto:bonsaiviking () gmail com>> wrote:

    List,

    I've just finished enhancing the nfs-ls, nfs-statfs, and
    nfs-showmount
    scripts so that they can run based on version detection information,
    for cases where the portmapper is firewalled. For nfs-ls and
    nfs-statfs, this required making a hostrule to check that both a
    mountd service and a nfs service were detected. In the process, I
    ended up adding the AUTH_UNIX flavor to rpc.lua, since the RFC states
    that AUTH_NULL can only be used for the NULL procedure (and my Linux
    nfs-kernel-server was enforcing that).

    Other minor changes:

    * If running privileged, attempt to bind to a reserved port. Many NFS
    servers refuse to talk to source ports >1024, as a "security measure"
    * handle an odd case in nfs-ls where READDIRPLUS does not return file
    attributes. Chose to use all ?'s, but in the future maybe a direct
    GETATTR call?
    * remove reference to nfs.dirlist argument from nfs-ls doc, since
    it is unused

    Hope you like it!

    Dan

    _______________________________________________
    Sent through the nmap-dev mailing list
    http://cgi.insecure.org/mailman/listinfo/nmap-dev
    Archived at http://seclists.org/nmap-dev/


Does anyone have a suitable environment to test Daniels improvements?
I currently don't, but could likely set one up if nobody else has the possibility to test.
It would be great to get these changes committed.

Cheers,
Patrik
--
Patrik Karlsson
http://www.cqure.net
http://twitter.com/nevdull77


I haven't heard anything, positive or negative, regarding testing on this patch, though I got lots of publicity when I requested testers on Twitter. I'm attaching an updated patch that applies to the current SVN versions of these scripts and libraries (Some lua-formatting had changed things around). I'd appreciate a second look, since I haven't run into any issues, and people may be falsely thinking their NFS setup is secure since Nmap can't currently get access.

Dan
I've tested this so far with Linux kernel NFS server and Solaris 10 NFS server, with no issues. Scripts tested were rpcinfo, nfs-showmount, nfs-ls, and nfs-statfs.

Dan
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault