Home page logo
/

nmap-dev logo Nmap Development mailing list archives

Re: Regarding VMWare and OpenSSH vulns
From: stripes <stripes () tigerlair com>
Date: Sat, 23 Jun 2012 16:46:16 -0400

Thanks for doing this. Kinda got caught up at work and couldn't attend the last meeting.

[deletia]
I've looked into metasploit's vmware scripts, and only two pre-auth
scripts are vmauth brute, which we already have, and ESX
fingerprinting which I've discussed above.

I must say that I'm somewhat disappointed as I can't say that any of
these vulns would be suitable for NSE scripts.

Maybe the original author of the idea on the ScriptIdeas page has some
further ideas?

That would be me. Unfortunately, no. I thought more of them wuld be remotely exploitable or easier to detect :(

There is really only one problem here. There weren't that many OpenSSH
vulns in the past 10 years.

Only vuln I could find that might be suitable for NSE script and
wasn't more than 10 years old was Tavis Ormandy's CRC DoS vuln from
2006 which would very well be detected by version matching.

Believe me, I am as sad as you are that there are no more OpenSSH vulns...
Again, if the original idea author has some specific ideas, please share.

I guess I'll go back to testing and see what other ideas. If nothing looks like it'll work for SSH or VMware, feel free 
to nix them. Figured it was worth a shot, but thanks for checking.

My thoughts were that even with the older vulns, there are still people running SSH implementations that are version 1, 
but we fingerprint those in Namp already--so there's probably no point to try to check for the CRC-32.

-Anne
--
If you don't know there's a        (\`--/') _ _______ .-r-.  
trampoline in the room, you're      >.~.\ `` ` `,`,`. ,'_'~`.          
not going to dust the ceiling for  (v_," ; `,-\ ; : ; \/,-~) \            
fingerprints. -Law & Order:SVU      `--'_..),-/ ' ' '_.>-' )`.`.__.')   
stripes at tigerlair dot com       ((,((,__..'~~~~~~((,__..'  `-..-'fL    
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]