Nmap Development

Re: OS X 10.6 diagnosis: pcap timeout and bpf device access

Sat, 07 Nov 2009 21:00:04 GMT

Posted by David Fifield on Nov 07

I think it's because the release I made on 10.5 was compiled as a 32-bit
executable, and the default compiler target on 10.6 is 64-bit, but I
haven't tested that yet. We could, of course, build the next release as
32-bit, but that doesn't help the people who build from source unless we
make it automatic in the build system.

For what it's worth, I ran a copy of Nmap that I had built on 10.5 and
still had installed after upgrading to 10.6. It...

Re: OS X 10.6 diagnosis: pcap timeout and bpf device access

Sat, 07 Nov 2009 19:57:34 GMT

Posted by Walt Scrivens on Nov 07

David,
Thanks for sticking with this. You've done an impressive bit of
analysis work. Your explanation is so good that even I begin to
understand what's going wrong, although I suppose the chances of apple
ever doing anything about it are slim to none.

Since the problem doesn't happen in the released version 5, the
problems you've uncovered are specific to 5.05BETA-1. Do we know why
those changes were made, and what the impact of...

Re: Simple script: random (garbage) fuzzer

Sat, 07 Nov 2009 18:06:53 GMT

Posted by Jon Kibler on Nov 07

Fyodor wrote:

Re: Use case for this script?

I have not had a chance to look at this NSE script. However, random garbage
generators are a VERY useful testing tool, especially against embedded systems
(printers, VoIP phones, environmental sensors, etc.) and real-time systems
(SCADA, PLCs, DCS, security, HVAC, etc.). They very rapidly identify brittle IP
stacks and how well systems handle unexpected traffic.

I regularly use custom protocol...

OS X 10.6 diagnosis: pcap timeout and bpf device access

Sat, 07 Nov 2009 18:01:53 GMT

Posted by David Fifield on Nov 07

I have been looking into this problem, and I think I have found the
cause, or rather causes, both of which appear to be Apple bugs. The
first is that setting timeouts for read events doesn't work unless the
timeout is at least 1000 milliseconds. The second is that opening a
/dev/bpf? device in O_WRONLY mode and binding it to an interface causes
all other listeners on the interface to see only outgoing traffic. I
don't know of a nice quick fix for...

exclude targets

Sat, 07 Nov 2009 13:34:52 GMT

Posted by Si Stransky on Nov 07

My salutations to all nmap followers,

I have something going wrong with certain sorts of exclude targets..
see for example

$ nmap -sL -n --exclude 10.0-253.0.1 10.250-255.0.22
..
nmap: TargetGroup.cc:459: int
TargetGroup::get_next_host(sockaddr_storage*, size_t*): Assertion
`ipsleft == 1' failed.
Aborted

$ nmap -sL -n -q --exclude 10.10.250-255.22 10.10.250-255.0-255
..
pine: TargetGroup.cc:459: int...

Re: Simple script: random (garbage) fuzzer

Sat, 07 Nov 2009 12:24:21 GMT

Posted by Ron on Nov 07

Fyodor wrote:

No, I'm doing a class right now and the instructor mentioned it. His
case was primarily finding low-hanging fruit services on certain systems.

It might be need to write fuzzers for specific protocols, too. HTTP
fuzzer, SMB fuzzer, etc etc. That's something I hadn't really thought of
using NSE for before.

Sure, any suggestions on how long it should go for?

Most services do terminate the connection pretty fast when they receive...

Zenmap fails to start.

Sat, 07 Nov 2009 09:33:37 GMT

Posted by AFH Security on Nov 07

Hey guys,

Running Ubuntu 9.10 Karmic Koala, on an amd64 system arch.
When I try to run zenmap (I wanted to see the new filter list button
that was mentioned in the change log) I get the following error.

"[Errno 2] No such file or directory: '/usr/share/zenmap/config'"

I searched my comp, and the zenmap dir is located at
"/usr/local/share/zenmap"
Any idea on what I'm doing wrong?

The steps I took to compile were the...

Support for IPv6 name servers in nmap

Sat, 07 Nov 2009 07:25:30 GMT

Posted by Ankur Nandwani on Nov 06

Hey Guys,

I just wrote a patch for Nmap's parallel DNS resolver which allows it
to make use of IPv6 name servers. David has committed the patch in
r16016. Please test it and let me know if there are any issues.

Thanks
Ankur

Re: Simple script: random (garbage) fuzzer

Sat, 07 Nov 2009 07:16:22 GMT

Posted by Fyodor on Nov 06

Nice. Did they request it on a public forum somewhere that you can
link to? It would be interesting to know more about the use case they
have in mind.

Maybe it should include a stopafter limit by default? That way it
doesn't go forever for people who acidentally specify it (perhaps
among other scripts) without specifying the stopafter arg.

Also, you might want to make this output line more clear:
return false, string.format("Finished...

Re: Ron/fuzz-garbage script

Sat, 07 Nov 2009 03:13:03 GMT

Posted by Ron on Nov 06

Hi mike,

You're right about the chunksize -- the way I designed it, it only sends
in 'chunksize' blocks, so the 'stopafter' value is rounded up (I put
that in the NSEDoc at the top). It's the cleanest way to do it, I think.

Can you link to where you reported that error? I don't remember anything
about it, but it may be from before my time (or in a thread I didn't read)

Thanks!
Ron

mike wrote:

Ron/fuzz-garbage script

Sat, 07 Nov 2009 01:04:01 GMT

Posted by mike on Nov 06

Ron

not sure if this is a windows thing or not. i noticed the output after i tested it and i set the args value for
"stopafter" to just 10 bytes. the output from nmap reports this as "10 bytes sent" howver i noticed that what was sent
to the socket in testing was the 1024 bytes default value. seting the chunksize is apparently the only way i can
control the bytes to be the exact value that nmap reports back as what was...

Re: man page translations

Sat, 07 Nov 2009 00:15:43 GMT

Posted by Fyodor on Nov 06

I'm all for that!

That concerned me at first because most people will want at most 1 or
2 languages, and we already have 16 with more coming. But the
instructions later in your email may be the best way for such people
to proceed.

I have those directories, but even the largest of them is less than
10% the size of my English man pages.

This sounds like a good way for people who don't want the extra man
pages to deal with it. As you note, it...

Implementation sketch for Ncat caretaker processes

Fri, 06 Nov 2009 22:47:40 GMT

Posted by David Fifield on Nov 06

Look at the netrun function in ncat_posix.c. It forks to create a new
process, then calls netexec. netexec reassigns some file descriptors,
then runs execl to run a new process with the changed descriptors. When
the new process reads and writes stdin and stdout, it is really reading
and writing the socket.

What I was thinking of is that netexec can first create a pair of pipes
(...

Re: nmap XML output - host latency

Fri, 06 Nov 2009 21:02:35 GMT

Posted by David Fifield on Nov 06

We already have an element for latency, but it seems it is not written
for ping scans. "nmap -oX - -F scanme.nmap.org" prints

<times srtt="68616" rttvar="20892" to="152184" />

but "nmap -oX - -sP scanme.nmap.org" doesn't print it. I think this is
just an oversight because there are two separate places where host
output can be written depending on whether anything happens past a ping
scan....

Re: Ron/fuzz-garbage script

Fri, 06 Nov 2009 19:59:38 GMT

Posted by Ron on Nov 06

Hi Mike,

It shouldn't freeze Nmap, but it could be an issue with how the Windows
version of Nmap handles sockets. All it's doing it looping and sending
data. My solution would be to not run Nmap on Windows, but that's just me ;)

As for different chunksizes, the functionality already exists. There are
two script-args, one for the total amount of data to send (default:
unlimited), and one for the size of the chunks (default: 1024).

Ron

mike...