Nmap Development mailing list archives
Re: NSE issue with shortport
From: "Eddie Bell" <ejlbell () gmail com>
Date: Wed, 14 Nov 2007 19:46:14 +0000
Looks like portnumber() doesn't have support for that form of construct if (port.protocol == proto and port.state == state) Which will never be true as port.state is a string and state is a table. I've attached a patch, could you try it out? - eddie On 13/11/2007, Thomas Buchanan <TBuchanan () thecompassgrp net> wrote:
I was doing some testing with 4.23RC1 today, and I noticed an issue with NSE matching rules for a couple of scripts that use the shortport.portnumber library routine for portrule. The rule doesn't seem to match, even if the port is correctly detected as open. For example: I'm scanning a system with SNMP enabled, so I used the SNMPsysdesr.nse script to see what information I could get out of it. # nmap -sU --script=SNMPsysdesr.nse --script-trace -d -p 161 192.168.xxx.yyy Starting Nmap 4.23RC1 ( http://insecure.org ) at 2007-11-13 16:21 CST <snip output> SCRIPT ENGINE: Initiating script scanning. SCRIPT ENGINE: Script scanning . SCRIPT ENGINE: Using /home/tbuchanan/apps/libexec/nmap/nse/?.so;./?.so;/usr/local/lib/lua/5.1 /?.so;/usr/local/lib/lua/5.1/loadall.so to search for C-modules and /home/tbuchanan/apps/share/nmap/nselib/?.lua;./?.lua;/usr/local/share/lu a/5.1/?.lua;/usr/local/share/lua/5.1/?/init.lua;/usr/local/lib/lua/5.1/? .lua;/usr/local/lib/lua/5.1/?/init.lua for Lua-modules SCRIPT ENGINE: Initialized 1 rules SCRIPT ENGINE: Matching rules. SCRIPT ENGINE: Running scripts. SCRIPT ENGINE: Script scanning completed. Host 192.168.xxx.yyy appears to be up ... good. Interesting ports on 192.168.xxx.yyy: PORT STATE SERVICE REASON 161/udp open|filtered snmp no-response Final times for host: srtt: 1739 rttvar: 5000 to: 100000 ... The relevant portrule section from SNMPsysdesr.nse: require "shortport" portrule = shortport.portnumber(161, "udp", {"open", "open|filtered"}) I'm not exactly sure how this shortport rule works, but it looks to me like this should trigger a match on the system I scanned. I looked at the definition of the portnumber function in the shortport.lua file, but nothing obvious jumped out at me. If I go back to a older copy of the script, with the long, explicit definition of the portrule, it works fine: # nmap -sU --script=SNMPv1.nse --script-trace -d -p 161 192.168.xxx.yyy Starting Nmap 4.23RC1 ( http://insecure.org ) at 2007-11-13 16:22 CST <snip> SCRIPT ENGINE: Initiating script scanning. SCRIPT ENGINE: Script scanning . SCRIPT ENGINE: Using /home/tbuchanan/apps/libexec/nmap/nse/?.so;./?.so;/usr/local/lib/lua/5.1 /?.so;/usr/local/lib/lua/5.1/loadall.so to search for C-modules and /home/tbuchanan/apps/share/nmap/nselib/?.lua;./?.lua;/usr/local/share/lu a/5.1/?.lua;/usr/local/share/lua/5.1/?/init.lua;/usr/local/lib/lua/5.1/? .lua;/usr/local/lib/lua/5.1/?/init.lua for Lua-modules SCRIPT ENGINE: Initialized 1 rules SCRIPT ENGINE: Matching rules. SCRIPT ENGINE: Will run /home/tbuchanan/apps/share/nmap/scripts/SNMPv1.nse against 192.168.xxx.yyy:161 SCRIPT ENGINE: Running scripts. SCRIPT ENGINE: Runlevel: 1.000000 Initiating SCRIPT ENGINE at 16:22 <snip debug output> SCRIPT ENGINE: Script scanning completed. Host 192.168.xxx.yyy appears to be up ... good. Interesting ports on 192.168.xxx.yyy: PORT STATE SERVICE REASON 161/udp open snmp no-response | SNMPv1: .Hardware: x86 Family 15 Model 2 Stepping 8 AT/AT COMPATIBLE - Software: Windows NT Version 4.0 (Build Number: 1381 Uniprocessor Free ) | System uptime: 5 days, 20:5:21.24 (50432124 timeticks) | System name: NT4SERVER-SP2 | System location: Test lab |_ System contact: <snip> This same issue also shows up in MSSQLm.nse. Any ideas? I have the full output of the scans if any more information is required. Thanks, Thomas _______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://SecLists.Org
Attachment:
short.patch.gz
Description:
_______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://SecLists.Org
Current thread:
- NSE issue with shortport Thomas Buchanan (Nov 13)
- Re: NSE issue with shortport Eddie Bell (Nov 14)
- RE: NSE issue with shortport Thomas Buchanan (Nov 14)
- Re: NSE issue with shortport Eddie Bell (Nov 14)
- RE: NSE issue with shortport Thomas Buchanan (Nov 14)
- <Possible follow-ups>
- RE: NSE issue with shortport Matthew Boyle (Nov 15)
- Re: NSE issue with shortport Fyodor (Nov 15)
- RE: NSE issue with shortport Thomas Buchanan (Nov 15)
- RE: NSE issue with shortport Thomas Buchanan (Nov 15)
- Re: NSE issue with shortport Fyodor (Nov 15)
- RE: NSE issue with shortport Thomas Buchanan (Nov 15)
- Re: NSE issue with shortport Fyodor (Nov 15)
- Re: NSE issue with shortport Eddie Bell (Nov 14)