Home page logo
/

nmap-dev logo Nmap Development mailing list archives

Re: Ncat proposal: NCAT_TARGET environment variable
From: Jacek Wielemborek <wielemborekj1 () gmail com>
Date: Mon, 12 Aug 2013 12:50:27 +0200

2013/8/11 David Fifield <david () bamsoftware com>:
On Wed, Aug 07, 2013 at 08:36:06PM +0200, Jacek Wielemborek wrote:
While writing the ws.py demo for d33tah/ncat-env-ncatins branch, I
noticed I could use an environment variable that instead of holding
the IP address of the remote host would hold the hostname from the
command line. That would allow scripts that communicate with HTTP to
form a valid "Host: " header.

What do you think about such an addition? Would anybody else find any
use for it?

My initial reaction to this is to say "no," because what I think what
you are trying to achieve can be better done through a different
abstraction.

I would rather see something like this:
        websocket_abstraction = {
                connect = function(sock, host, port, secure)
                        sock:connect(host, port)
                        ...
                        sock:write("Host: " .. host .. "\r\n")
                end,
                write = function(...)
                        ...
                end,
                ...
        }
That is, a WebSocket (or other application layer) implementation should
not try to "take over the world" of Ncat's execution. Rather, it should
be a layer of Lua code called by existing Ncat C code.

In particular, I think that WebSocket is badly suited for an exec-like
implementation, and that it is a mistake to add features only to try to
coax exec into supporting WebSocket.

David Fifield

I just read your account on Websocket in Ncat on Secwiki, sorry I
didn't do it earlier. You raised some interesting points, I'd love to
discuss them further tomorrow; I have to admit that it somewhat
changes my perspective.

As for this particular issue, even if we skip Websocket as the reason
to introduce this feature, there's a whole family of HTTP scripts (and
perhaps other Internet scripts as well) that could use a clean DNS
name instead of IP. I still believe that NCAT_TARGET would be useful
then.
_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]