Nmap Development mailing list archives
Re: general scanning engine - beta release
From: Fyodor <fyodor () insecure org>
Date: Tue, 1 Aug 2006 23:49:24 -0700
On Tue, Jul 25, 2006 at 10:35:18AM +0200, majek04 wrote:
> The same is this time, though I would like to hear your opinion about it :) (And I think you could have fun playing with this patch)
> http://ai.pjwstk.edu.pl/~majek/private/nmap/nmap-4.20A4-gse-beta1.diff
Hi Marek! I will welcome eliminating the current FTP bounce code, which is quite crappy. I'm also looking forward to the new proxy chaining support and the support for so many application protocols.

The patch applied cleanly (to 4.20A4) for me. The bad news is that it didn't compile. The good news is that the fix was trivial. Here are the error messages:

  gse.h:206: error: extra qualification ‘GSEConnection::’ on member ‘chain_built’
  gse.h:207: error: extra qualification ‘GSEConnection::’ on member ‘query_nexthop’
  gse.h:208: error: extra qualification ‘GSEConnection::’ on member ‘jump_nexthop’
  gse.h:211: error: extra qualification ‘GSEConnection::’ on member ‘get_state’
  gse.h:212: error: extra qualification ‘GSEConnection::’ on member ‘querynewport’
  gse.h:213: error: extra qualification ‘GSEConnection::’ on member ‘getportstatus’
  scan_engine.cc:3805: error: extra qualification ‘GSEScanner_Engine::’ on member ‘handle_result’
  scan_engine.cc:3810: error: extra qualification ‘GSEScanner_Engine::’ on member ‘handle_alive’

Removing those redundant qualifiers seemed to solve the problem on my Fedora Core 5 Linux installation.

Speaking of portability, have you tested this on Windows? That needs to be done before it is applied. Also, have you tested w/IPv6?

The IMAP scanning is clever and shows the versatility of the system. But I would lean toward eliminating it for the final version. It sounds like it only works with one IMAP server, if you have proper authentication credentials, and when SSL is used (which the system doesn't support directly). So it may be so obscure that it is virtually never used. In that case, it might fit better as an outside patch for people who need that specific functionality.

Speaking of protocol support, I noticed that SOCKS5 isn't on the list. I'm not arguing that it should be, just wondering why it isn't. I can think of several possible reasons but am not certain of them.
Have you reviewed the changes carefully for security risks, such as buffer overflows, printing unsafe terminal characters, format string bugs, etc.? Nmap has a perfect record of avoiding security bugs, which is a feature I want to keep!

Instead of the -x option, I think we should find an -sL option (where L is a capital letter) like the other scan types. I know bounce scan used -b, but that is only because it predates the -s? standardization. We can't use -sP (Proxy) or -sA (Application proxy) because they are already taken. In fact, the first available letter in PROXY is Y, so -sY is an option. -sC for chaining scan might be good, but Diman is using that for his upcoming script scan. Hm, -sB for "bounce scan" is still available. This scan really does involve bouncing off other application protocols, so I don't think that name has to be limited to FTP. So I think -sB would be my vote, but I'm open to alternatives.

The system could definitely use more documentation. Would you include a patch to the man page for the next version? It should specify the syntax, the different supported protocols and idiosyncrasies of each, interaction with --max-parallelism, etc. Man page patches should always be against the man page XML in docs/nmap-man.xml of the relevant distribution. A more detailed text or html (or DocBook XML) tutorial write-up might be useful as well.

One thing which would be welcome are LUA scripts (using Diman's new system) for finding open http/ftp proxies for usage with the system. I had to write some ugly hack scripts this afternoon for finding ftp bounce proxies, but a LUA script would be much more elegant. Could you work on those (after or before your next patch release)?

My first try using the system was an FTP bounce attack, using the command:

nmap -x ftp://A.B.C.D -p 1-100 -v -oA logs/bounceme1-gse scanme.nmap.org

It gave me a (useful) error message complaining that the format was wrong. Apparently the port number is required.
I think it should have a default for each protocol, like web browsers do. The default for FTP would obviously be 21. Anyway, I then added the port number and away it went:
nmap -x ftp://A.B.C.D:21 -p 1-100 -v -oA logs/bounceme1-gse scanme.nmap.org
You selected chain:ftpbounce://A.B.C.D:21
WARNING: Many people use -P0 w/Proxyscan to prevent pings from their true IP.
WARNING: Resolving hostnames on remote site is not supported by proxyscan. Target hostnames will be resolved LOCALLY. Use '-n' to suppress this warning.
Hint: you can use '--max-parallelism' option to increase proxyscan speed
Starting Nmap 4.20ALPHA4 ( http://www.insecure.org/nmap/ ) at 2006-08-01 23:00 PDT
Initiating Parallel DNS resolution at 23:00
Completed Parallel DNS resolution at 23:00, 0.00s elapsed
Initiating System CNAME DNS resolution at 23:00
Completed System CNAME DNS resolution at 23:00, 0.00s elapsed
DNS resolution of 1 IPs took 0.00s.
WARNING: user/pass not specifid for ftp-bounce, using anonymous:-wwwuser@
Discovered open port 53/tcp on 205.217.153.62
ERROR: #0: (hop ftpbounce://A.B.C.D:21-> target ) is gateway_error:(hop A.B.C.D:21) connection timeouted
QUITTING!

As you can see, it crashed after finding one of the ports (53) open. It gives a timeout error and quits. I'm guessing the timeout was because it was scanning a filtered port on scanme.nmap.org. It should detect this sort of thing and treat it as a filtered port. If you want the FTP server IP to test against, let me know. Though you should probably test against some different servers too.

The messages it prints are mostly good, but I think it could stand to be slightly less verbose (even though I used verbose mode). I would remove the "Resolving hostnames on remote site is not supported", "Hint: you can use '--max-parallelism'", and "WARNING: user/pass not specifid for ftp-bounce, using anonymous:-wwwuser@" lines. Or just make them require (o.verbosity > 1 || o.debugging). This sort of information should be in the man page though.

That's all I have for now. I'm definitely looking forward to the 2nd revision! This will be a lot better than the current -b scan!
Cheers,
-F

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
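The mail asks for browser-style default ports on the -x proxy spec (ftp:// meaning port 21) and for IPv6 testing. The following is an added example, not code from the GSE patch or from Nmap: a hypothetical parser for a single "scheme://host[:port]" hop that fills in the default port per protocol, accepts bracketed IPv6 literals, and rejects malformed input the way the "format was wrong" error does. The ProxyHop struct, kDefaultPorts table and function names are assumptions, and the socks5 entry is included only because the mail asks about it.

```cpp
#include <map>
#include <stdexcept>
#include <string>

// Hypothetical hop record for a GSE-style "-x scheme://host[:port]" argument.
struct ProxyHop {
    std::string scheme, host; int port; bool port_defaulted;  // port_defaulted: filled from kDefaultPorts
};

// Browser-style default port per protocol (constructed table; the page names
// ftp, http and imap, and asks why socks5 is missing from the patch).
static const std::map<std::string, int> kDefaultPorts = {
    {"ftp", 21}, {"http", 80}, {"imap", 143}, {"socks5", 1080}};
// Parse "scheme://host[:port]"; IPv6 literals must be bracketed, e.g. ftp://[2001:db8::1]:21.
// Throws std::invalid_argument on malformed input or an unsupported scheme.
ProxyHop parse_proxy_spec(const std::string& spec) {
    size_t p = spec.find("://");
    if (p == std::string::npos || p == 0) throw std::invalid_argument("missing scheme://");
    ProxyHop hop;
    hop.scheme = spec.substr(0, p);
    auto dflt = kDefaultPorts.find(hop.scheme);
    if (dflt == kDefaultPorts.end()) throw std::invalid_argument("unsupported protocol: " + hop.scheme);
    std::string rest = spec.substr(p + 3), portstr;
    if (!rest.empty() && rest[0] == '[') {                 // bracketed IPv6 literal
        size_t close = rest.find(']');
        if (close == std::string::npos) throw std::invalid_argument("unterminated IPv6 literal");
        hop.host = rest.substr(1, close - 1);
        std::string tail = rest.substr(close + 1);
        if (!tail.empty() && tail[0] != ':') throw std::invalid_argument("junk after IPv6 literal");
        if (!tail.empty()) portstr = tail.substr(1);
    } else {                                               // hostname or IPv4 address
        size_t colon = rest.find(':');
        hop.host = rest.substr(0, colon);
        if (colon != std::string::npos) portstr = rest.substr(colon + 1);
    }
    if (hop.host.empty()) throw std::invalid_argument("missing host");
    hop.port_defaulted = portstr.empty();
    if (hop.port_defaulted) {
        hop.port = dflt->second;                           // e.g. ftp:// -> 21, as a browser would
    } else {
        size_t used = 0;
        int v = std::stoi(portstr, &used);                 // throws on non-numeric input
        if (used != portstr.size() || v < 1 || v > 65535) throw std::invalid_argument("bad port: " + portstr);
        hop.port = v;
    }
    return hop;
}
// Yes/no wrapper for callers that only need to know whether a spec is acceptable.
bool valid_proxy_spec(const std::string& spec) {
    try { parse_proxy_spec(spec); return true; } catch (const std::exception&) { return false; }
}
```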
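One of the review items above is "printing unsafe terminal characters": a proxy scanner echoes text received from remote servers (FTP greetings, error replies), so anything shown to the user should be neutralised first. This is an added example, not Nmap's or the patch's own routine; sanitize_for_terminal is a hypothetical name, and it escapes every byte outside printable ASCII (plus the backslash, so the output is unambiguous) as \xNN.

```cpp
#include <cstdio>
#include <string>

// Added example: make remote-supplied text safe to print on a terminal.
// Printable ASCII passes through; ESC (0x1B), 8-bit C1 controls such as 0x9B
// (CSI), DEL and anything non-ASCII become \xNN. The backslash itself is
// escaped too, so an attacker cannot forge a "\x1B" that reads as harmless.
// TAB/LF/CR are kept only when the caller asks for multi-line output.
std::string sanitize_for_terminal(const std::string& in, bool keep_newlines = false) {
    std::string out;
    out.reserve(in.size());
    for (unsigned char c : in) {
        bool keep = (c >= 0x20 && c < 0x7f && c != '\\');
        if (keep_newlines && (c == '\n' || c == '\r' || c == '\t')) keep = true;
        if (keep) {
            out += static_cast<char>(c);
        } else {
            char buf[5];                                  // "\xNN" + NUL
            std::snprintf(buf, sizeof buf, "\\x%02X", c);
            out += buf;
        }
    }
    return out;
}

// Hypothetical banner as a remote FTP proxy might return it (constructed
// sample): an ANSI colour sequence followed by a C1 CSI byte.
const std::string kSampleBanner = "220 \x1B[31mWelcome\x1B[0m \x9B" "2J\r\n";
```

Applying the function to kSampleBanner yields a single line with every control byte spelled out, which is what the scan output should show rather than the raw bytes.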