Home page logo
/

nmap-dev logo Nmap Development mailing list archives

Re: IPMI scripts (ipmi-version.nse and ipmi-cipher-zero.nse)
From: Daniel Miller <bonsaiviking () gmail com>
Date: Fri, 18 Jul 2014 20:05:03 -0500

Claudiu,

Thanks for tackling this! I'm looking forward to trying the scripts out.
For now, here are some lua-isms that could help your code:

1. You're missing 'local string = require "string"' on all files, and the
same for "math" in ipmi.lua.

2. Instead of wrapping string.char for the c() function in ipmi.lua, you
can just assign: local c = string.char

3. Most of the use of the c() function can be replaced by literal strings.
For instance: table.concat({ c(0x13), c(0x37) }) is the same as "\x13\x37".
You can even reduce it farther (adding a little runtime complexity, though)
by using: bin.pack("H", "1337")

4. In general, bin.pack ought to replace your use of concatenation
(table.concat or the .. operator) in most cases. It can take an arbitrary
number of arguments, and literal strings can be included with the "A"
format specifier.

5. Use the "p", "P", and "a" format specifiers for length-prefixed strings
instead of the # operator and concatenation.

6. For bitwise flag checking, why not do: data["ipmi_compat_20"] =
bit.band(value, 0x10000000) instead of rshifting the value before bit.band
with 1?

7. You should replace stdnse.print_debug with the new stdnse.debug function
that Devin added recently (http://nmap.org/nsedoc/lib/stdnse.html#debug)
which automatically puts the script name into your output.

8. In ipmi-version, you use tables to hold possible multiple values for a
particular key, then join the values with commas when you assign them to
the key. A better way is to just assign the whole table to the key, because
that preserves the separate elements into the XML output. Example:

current XML: <elem key="UserAuth">password, md5, md2</elem>

New code:
local commasep = {__tostring = function(t) return table.concat(t, ", ") end}
setmetatable(UserAuth, commasep)
output["UserAuth"] = UserAuth

new XML: <table key="UserAuth"> <elem>password</elem> <elem>md5</elem>
<elem>md2</elem> </table>

Normal output will be unchanged (btw, your @output section doesn't have the
commas after the spaces)

9. Add an @xmloutput section to the scripts.

10. Does Nmap's service version detection handle this service very well? or
at all? Ideally, we will want a service version match for an existing
probe, but if we need to, we can probably come up with a new probe to
elicit a response. If the service will not give a response to an empty UDP
packet, then we should add something to nmap-payloads, too. Then your
portrule can be upgraded from shortport.portnumber to
shortport.port_or_service (or shortport.version_port_or_service for
ipmi-version, if the version detection probe doesn't get a good enough
response).

I hope this wasn't too overwhelming, but I think these improvements will
help you create better scripts in the future, too. A big part of NSE is
learning the Lua dialect, which includes all the API stuff and libraries
that we have available. In the end, it should save you some work over
trying to force plain Lua to do the job (case in point: bin.pack).

Dan





On Fri, Jul 18, 2014 at 2:50 PM, Claudiu Perta <claudiu.perta () gmail com>
wrote:

Hi devs,

As a follow-up to the last meeting with my mentor, I've been working on
porting some of the IPMI modules[1] from Metasploit to nmap. So far, I
implemented the protocol (ipmi.lua) and two scripts 'ipmi-version.nse', and
'ipmi-cipher-zero.nse': the first one does basic IPMI host information
discovery, while the second identifies the cipher-zero vulnerability in
IPMI 2.0 compatible systems.

I tested both scripts on OpenIPMI simulator (v1.0.13) and they seem to work
fine.

Cheers,
Claudiu

[1]

https://secwiki.org/w/Nmap/Script_Ideas#ipmi-version.2C_ipmi-cipher-zero.2C_ipmi-dump-hashes.2C_ipmi-user-brute_etc
.

_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/

_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault