Re: Scripting NMAP -> or maybe NSE?"

[Brandon Enright <bmenrigh () ucsd edu>]

On Mon, 26 Feb 2007 17:34:34 -0500
Jess <jess () thecharbneaus com> wrote:

> Hello,
>   Reposting this in the nmap-dev list per suggestion from Fyodor.
>
> I wrote a perl script several years ago that would catalog all of the
> open ports on our network (the network I worked on at the time).  I was
> perusing my code recently, and noticed that I had originally built this
> to run as root. With the newer operating systems, specifically the Linux
> distro's, most are using sudo.  So I was looking through the mailing list
> archives at insecure.org, and noticed that there is now a NSE.
>
> The overall idea of this app is to run daily, and catalog all of the open
> ports, then run the next day and compare the results.  Kind of like a
> AIDE for the network.
>
> So, I guess I have two questions:
>
> 1.> Is sudo safe for this?  I would like to run my scripts (I am
> rewriting now) as monitor, but make a call to nmap to get port
> information for the current host in the scan.  Is sudo a good method?
> Any suggestions around the best way to implement this?  It seems I have
> read articles/man pages saying that sudo is not so good as it "remembers"
> the credentials for a given user. Thoughts?
>
> 2.> NSE.  Is this better/worse for scripting of nmap?   Pros/Cons?
>
> Thanks Everyone!
>
> Jess

I'm assuming if you are trying to do this in a script sudo will be
passwordless.  Give "sudo nmap --interactive" and then "!/bin/bash" a try
and you'll probably decide you don't want to go the sudo way.

One of the more common Unix ways to run a binary securly as root in a
script or for unprivileged users is to make a small (compiled) program that
understands a few preset command line options and is SUID'd to root.

Something like this pseudo C here:

/* Run Nmap securely as root */

#include <stdlib.h>
#include <stdio.h>

int main (...) {

   /* whatever needs to be here */

   if (arg1 == "quick") {
      system("nmap -T5 -v ... -oA default_file <preset ips>");
   }
   else if (arg1 == "everything") {
      system("nmap -sV -O2 -v -p- -T4 ... -oA default_file <preset ips>");
   }
   else if { /* you get the idea */ }

   /* More of whatever needs to be here */

}


Then you would compile your program and do a "chmod +s root_nmap".  If you
wanted root_nmap to be able to actually take IPs rather than have preset
scans you'll need to be EXTRA careful that you don't allow anything other
than IPs.

I bet more than one person on this list has a nice little nmap root wrapper
that understand presets or a very limited set of options and would be
willing to share.

Brandon

-- 
Brandon Enright
Network Security Analyst
UCSD ACS/Network Operations
bmenrigh () ucsd edu


_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org