Nmap Development mailing list archives
Re: NMAP NSE script for iSCSI enumeration
From: Fyodor <fyodor () insecure org>
Date: Sat, 10 Oct 2009 16:48:25 -0700
On Sat, Oct 10, 2009 at 01:54:10PM -0400, Michel Chamberland wrote:
> I wrote a nmap nse script to enumerate iSCSI targets. I would be interested to get feedback on it. The script can be found here: http://blog.securitywire.com/2009/10/10/nmap-nse-script-to-enumerate-iscsi-targets/ I have very limited access to iSCSI targets so I'd be really interested to hear how it works out across a variety of targets.
Thanks Michel! I hope people try it out and send feedback, as this
sounds like a useful script for integration into Nmap. Please send us
(nmap-dev) another mail when you feel it is ready for that.
Unfortunately I don't have any iSCSI devices to test, and I only have
time for a quick glance at the script right now. One thing that
stands out is that most of the lines in the script are of this form:
    -- each string.char() call below spells eight ASCII bytes of the iSCSI
    -- login text keys ("Key=Value" pairs, each terminated by a NUL byte)
    table.insert(t1, string.char(0x6c, 0x6d, 0x00, 0x53, 0x65, 0x73, 0x73, 0x69)); -- "lm\0Sessi"
    table.insert(t1, string.char(0x6f, 0x6e, 0x54, 0x79, 0x70, 0x65, 0x3d, 0x44)); -- "onType=D"
    table.insert(t1, string.char(0x69, 0x73, 0x63, 0x6f, 0x76, 0x65, 0x72, 0x79)); -- "iscovery"
    table.insert(t1, string.char(0x00, 0x48, 0x65, 0x61, 0x64, 0x65, 0x72, 0x44)); -- "\0HeaderD"
    table.insert(t1, string.char(0x69, 0x67, 0x65, 0x73, 0x74, 0x3d, 0x4e, 0x6f)); -- "igest=No"
    table.insert(t1, string.char(0x6e, 0x65, 0x00, 0x44, 0x61, 0x74, 0x61, 0x44)); -- "ne\0DataD"
    table.insert(t1, string.char(0x69, 0x67, 0x65, 0x73, 0x74, 0x3d, 0x4e, 0x6f)); -- "igest=No"
That raises two issues:
1) It would be great to comment these hex dumps to explain more about
what they are doing. It is a lot harder to
maintain/improve/understand scripts when we don't understand what
the requests are doing. Also, how did you generate them? If you
aren't so familiar with the protocol yourself, one thing which can
help is running Wireshark while you make the requests. That often
explains the various fields and types which can then be added as
comments to the script.
2) I'm not sure that this approach of table.insert followed by a
.concat into a string is an efficient or desirable way to fill out
the request payload. You might have gotten this approach from
sslv2.nse, but that is an ancient script and I'm not sure that it
serves as a good example in this respect. Perhaps the approach
shown in this dns-random-srcport.nse snippet is better:
    local query = string.char(0xbe, 0xef,   -- TXID
                              0x01, 0x00,   -- Flags
                              0x00, 0x01,   -- Questions
                              0x00, 0x00,   -- Answer RRs
                              0x00, 0x00,   -- Authority RRs
                              0x00, 0x00,   -- Additional RRs
                              0x08) .. "porttest" ..
                  string.char(0x08) .. "dns-oarc" ..
                  string.char(0x03) .. "net" ..
                  string.char(0x00,         -- Name terminator
                              0x00, 0x10,   -- Type (TXT)
                              0x00, 0x01)   -- Class (IN)
Another option is bin.pack (http://nmap.org/nsedoc/lib/bin.html).
> I have about 2 hours of experience with lua too so I'm sure it shows :)
It looks like a good first script to me!
Cheers,
Fyodor
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
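The following is a worked example added to this archive page; it is not part of Fyodor's mail, nor code from the iSCSI script under review. It shows the readable alternative Fyodor is asking for: the three iSCSI login text keys that the quoted hex dump spells out ("SessionType=Discovery", "HeaderDigest=None", "DataDigest=None") built from key/value pairs instead of raw bytes, plus a small offset/hex/ASCII dump helper of the kind Wireshark shows, so a reviewer can see what an opaque payload contains. The key list is a constructed sample covering only the keys visible in the quoted dump; the code assumes plain Lua 5.1 or later and uses no NSE libraries.

```lua
-- Added example, not from the original mail or the iSCSI script under
-- review. Plain Lua (5.1 or later); no NSE libraries are required.

-- iSCSI login parameters travel as "Key=Value" text pairs, each one
-- terminated by a NUL byte (RFC 3720). The list below is a constructed
-- sample covering only the keys visible in the quoted hex dump.
local login_keys = {
  { "SessionType",  "Discovery" },  -- ask for a discovery session
  { "HeaderDigest", "None" },       -- no CRC32C over the header
  { "DataDigest",   "None" },       -- no CRC32C over the data segment
}

-- Encode {key, value} pairs as "Key=Value\0Key=Value\0...".
local function encode_text_keys(kv_list)
  local parts = {}
  for _, kv in ipairs(kv_list) do
    parts[#parts + 1] = kv[1] .. "=" .. kv[2] .. "\0"
  end
  return table.concat(parts)
end

-- Offset / hex / ASCII dump of a byte string, the same view Wireshark
-- shows, so a reviewer can tell what an opaque payload contains.
local function hexdump(s, width)
  width = width or 8
  local lines = {}
  for offset = 1, #s, width do
    local chunk = s:sub(offset, offset + width - 1)
    local hex = chunk:gsub(".", function(c)
      return string.format("%02x ", c:byte())
    end)
    local ascii = chunk:gsub("[^%w%p ]", ".")  -- NUL and friends become '.'
    lines[#lines + 1] = string.format("%04x  %-" .. (width * 3) .. "s |%s|",
                                      offset - 1, hex, ascii)
  end
  return table.concat(lines, "\n")
end

-- The seven string.char lines quoted in the mail, joined as the script
-- does with table.concat. They begin mid-value ("lm" is the tail of an
-- earlier key) and end mid-value ("DataDigest=No").
local quoted = table.concat({
  string.char(0x6c, 0x6d, 0x00, 0x53, 0x65, 0x73, 0x73, 0x69),
  string.char(0x6f, 0x6e, 0x54, 0x79, 0x70, 0x65, 0x3d, 0x44),
  string.char(0x69, 0x73, 0x63, 0x6f, 0x76, 0x65, 0x72, 0x79),
  string.char(0x00, 0x48, 0x65, 0x61, 0x64, 0x65, 0x72, 0x44),
  string.char(0x69, 0x67, 0x65, 0x73, 0x74, 0x3d, 0x4e, 0x6f),
  string.char(0x6e, 0x65, 0x00, 0x44, 0x61, 0x74, 0x61, 0x44),
  string.char(0x69, 0x67, 0x65, 0x73, 0x74, 0x3d, 0x4e, 0x6f),
})

print("quoted bytes, decoded:")
print(hexdump(quoted))

local readable = encode_text_keys(login_keys)
print("\nsame keys built from readable pairs:")
print(hexdump(readable))

-- Everything after the stray "lm\0" prefix in the quoted dump must be a
-- prefix of the readable encoding, byte for byte.
local tail = quoted:sub(4)
assert(readable:sub(1, #tail) == tail,
       "readable encoding does not match the hex dump")
print("\nOK: readable encoding reproduces the quoted bytes")
```

Run it with any stock Lua interpreter. The hexdump output makes the intent of the seven opaque lines visible at a glance, and the final check confirms that the key/value version produces the identical bytes, so the readable form can replace the dump without changing what goes on the wire. Inside an NSE script the same bytes could equally be produced with bin.pack, as Fyodor mentions; the point here is that the names of the keys, not their hex, should appear in the source.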
