Nmap Hackers: additions to nmap

From: ajax <ajax_at_main.mobis.com>
Date: Mon, 28 Dec 1998 12:33:34 -0600 (CST)

Hi,

A friend and I have partially written vulnerability scanning
functionality into nmap, and wanted to know if anyone was interested in
working on this project with me. When it's completed, I'd like to make it
part of nmap. The config file parser is complete, and the main function
is complete. There is a lot of work (mostly socket stuff) that needs to
be done. It uses the standard nmap structs and functions. The code is
located at www.mobis.com/ajax/code/nmap and is called vulnscan.c,
vulnscan.h and nmap.c.diff, which is in unified diff format of the changes
which were made to nmap.c ...

The config file (exploit.dat), represents a configurable database of
what to look for and classify as vulnerable, based on operating system.
This was created so when new exploits are discovered, rather than
manually writing C code for each new exploit, you define an entry in the
config file on what to look for and how to look for it. It uses the
tcp fingerprinting function (-O). The structure of the config file is like
so:

  /* Format of exploit.dat:
   *
   * OSTYPE,PORT,PROT,PROT_FLAGS,SEND_DATA,WAIT_DATA,SEND_DATA,WAIT_DATA,COMMENT
   *
   * Definitions:
   *
   * OSTYPE=LINUX,FREEBSD,AIX,BSDI21,BSDI30,BSDI40,OSF1,HPJETDIRECT,HPUX,IRIX,
   *        NETBSD,NEXT,OPENBSD,SCO,UNIXWARE,SOLARIS24,SOLARIS25,SOLARIS26,
   *        ULTRIX,WIN32,WINNT5,OPENVMS,VMS,UNKNOWN,ALL
   * PORT=[0-65536]
   * PROT=TCP,UDP
   * PROT_FLAGS=U,S,A,P,R,F,1,2
   *        URG,SYN,ACK,PUSH,RST,FIN,UNUSED_FLAG1(0x40),UNUSED_FLAG2(0x80)
   * SEND_DATA=data to send at beginning of connection
   * WAIT_DATA=data to expect to receive to compare if vulnerable
   * SEND_DATA=data to send (if null just use ',')
   * WAIT_DATA=data to expect (if null ',')
   * COMMENTS=comments to log if vulnerable
   */

Regards,

Ajax (ajax_at_mobis.com)
Received on Dec 28 1998
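The exploit.dat record format described in the post, as an added example written for this page; it is not the poster's vulnscan.c code and is not part of nmap. It parses one record into a struct, validates OSTYPE against the list given in the format description, maps the PROT_FLAGS letters onto the standard TCP-header flag bits (the 0x40 and 0x80 values the format calls UNUSED_FLAG1/2), and adds a small applies-to-OS check so a matching engine can skip records that do not fit the fingerprinted host. Design choices that are my assumptions, not the format's: the COMMENT field is taken as everything after the eighth comma (so it may contain commas), lines starting with '#' or blank lines are skipped, the port ceiling is enforced as 65535 rather than the 65536 written in the header, and the struct, function and constant names are mine.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define VS_MAXLEN 256   /* max bytes per field, including NUL (assumed limit) */

/* OSTYPE values from the exploit.dat format description in the post. */
static const char *const vs_ostypes[] = {
    "LINUX", "FREEBSD", "AIX", "BSDI21", "BSDI30", "BSDI40", "OSF1",
    "HPJETDIRECT", "HPUX", "IRIX", "NETBSD", "NEXT", "OPENBSD", "SCO",
    "UNIXWARE", "SOLARIS24", "SOLARIS25", "SOLARIS26", "ULTRIX", "WIN32",
    "WINNT5", "OPENVMS", "VMS", "UNKNOWN", "ALL", NULL
};

struct vuln_entry {              /* one parsed exploit.dat record (names are mine) */
    char ostype[VS_MAXLEN];
    int port;
    int is_udp;                  /* 0 = TCP, 1 = UDP */
    unsigned char flags;         /* PROT_FLAGS as a TCP-header flag bitmask */
    char send1[VS_MAXLEN], wait1[VS_MAXLEN];   /* first send/expect pair */
    char send2[VS_MAXLEN], wait2[VS_MAXLEN];   /* second pair, may be empty */
    char comment[VS_MAXLEN];
};

static int valid_ostype(const char *s) {
    int i;
    for (i = 0; vs_ostypes[i]; i++)
        if (strcmp(s, vs_ostypes[i]) == 0) return 1;
    return 0;
}

/* Translate the flag letters U,S,A,P,R,F,1,2 into TCP header bits. The letter
 * at index i of `codes` maps to bit i, so F=0x01, S=0x02, R=0x04, P=0x08,
 * A=0x10, U=0x20, and 1/2 are the unused 0x40/0x80 bits named in the format. */
static int parse_flags(const char *s, unsigned char *out) {
    static const char codes[] = "FSRPAU12";
    unsigned char f = 0;
    for (; *s; s++) {
        const char *c = strchr(codes, *s);
        if (!c) return -1;                       /* unknown flag letter */
        f |= (unsigned char)(1u << (c - codes));
    }
    *out = f;
    return 0;
}

/* Copy the next comma-terminated field into dst and advance *p past the comma.
 * Empty fields (",,") are allowed; -1 if no comma follows or the field is too long. */
static int next_field(const char **p, char *dst) {
    const char *end = strchr(*p, ',');
    size_t len = end ? (size_t)(end - *p) : 0;
    if (!end || len >= VS_MAXLEN) return -1;
    memcpy(dst, *p, len);
    dst[len] = '\0';
    *p = end + 1;
    return 0;
}

/* Parse one exploit.dat line: 0 = valid record stored in *e, 1 = blank or '#'
 * comment line (skipped), -1 = malformed. COMMENT is everything after the
 * eighth comma, so it may contain commas of its own. */
int parse_vuln_line(const char *line, struct vuln_entry *e) {
    char portbuf[VS_MAXLEN], protbuf[VS_MAXLEN], flagbuf[VS_MAXLEN];
    const char *p = line;
    char *endp; long port; size_t len;

    if (*p == '\0' || *p == '\n' || *p == '#') return 1;
    memset(e, 0, sizeof *e);
    if (next_field(&p, e->ostype) || next_field(&p, portbuf) ||
        next_field(&p, protbuf)   || next_field(&p, flagbuf) ||
        next_field(&p, e->send1)  || next_field(&p, e->wait1) ||
        next_field(&p, e->send2)  || next_field(&p, e->wait2))
        return -1;
    len = strcspn(p, "\r\n");                    /* comment runs to end of line */
    if (len >= VS_MAXLEN) return -1;
    memcpy(e->comment, p, len);
    e->comment[len] = '\0';
    if (!valid_ostype(e->ostype)) return -1;
    port = strtol(portbuf, &endp, 10);           /* header says 0-65536; 65535 is the real ceiling */
    if (*portbuf == '\0' || *endp != '\0' || port < 0 || port > 65535) return -1;
    e->port = (int)port;
    if (strcmp(protbuf, "TCP") == 0) e->is_udp = 0;
    else if (strcmp(protbuf, "UDP") == 0) e->is_udp = 1;
    else return -1;
    return parse_flags(flagbuf, &e->flags);
}

/* Does the entry apply to a host fingerprinted as `os`? ALL matches any OS. */
int entry_applies(const struct vuln_entry *e, const char *os) {
    return strcmp(e->ostype, "ALL") == 0 || strcmp(e->ostype, os) == 0;
}

int main(void) {
    struct vuln_entry e;   /* constructed sample record, not a real signature */
    const char *sample = "LINUX,25,TCP,S,HELO x,250,,,constructed sample entry\n";
    if (parse_vuln_line(sample, &e) != 0) return 1;
    printf("%s port %d %s flags=0x%02x comment=\"%s\"\n", e.ostype, e.port,
           e.is_udp ? "UDP" : "TCP", e.flags, e.comment);
    return 0;
}
```

Rejecting a record on any unknown OSTYPE, protocol or flag letter (rather than silently treating it as a non-match) is deliberate: a scanner that quietly skips a mistyped signature reports "not vulnerable" for a check it never ran, which is the worse failure for a database that is meant to be extended by hand.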