Nmap Development mailing list archives

Re: adding this option?


From: Brandon Enright <bmenrigh () ucsd edu>
Date: Tue, 15 Jan 2008 20:42:32 +0000


On Tue, 15 Jan 2008 20:03:51 +0000
"Eddie Bell" <ejlbell () gmail com> wrote:

Hey guys, would something like this be useful?

bash> cat commands
SSH-1.0-test_2.0

bash> ./nmap -sT -p22 localhost --script=./scripts/payloadInject.nse
--script-args port=22,file=./commands

PORT   STATE SERVICE REASON
22/tcp open  ssh     syn-ack
|  payload-inject:
|  53 53 48 2d 32 2e 30 2d  4f 70 65 6e 53 53 48 5f   SSH-2.0-OpenSSH_
|  34 2e 36 70 31 20 44 65  62 69 61 6e 2d 35 75 62   4.6p1 Debian-5ub
|  75 6e 74 75 30 2e 31 0a  50 72 6f 74 6f 63 6f 6c   untu0.1.Protocol
|  20 6d 61 6a 6f 72 20 76  65 72 73 69 6f 6e 73 20    major versions 
|_ 64 69 66 66 65 72 2e 0a                             differ..

It reads a file, sends the content to a remote service (user defined
through --script-args) and displays the results in hex and ascii. It's
not ready for production yet but I hope you get the general idea. If
it is something people want, I'll finish it off.

cheers
- eddie


Hi Eddie.  I like how you've implemented this as an NSE script rather
than mucking with other things.  The script _is_ useful but provides
about the same thing that can be accomplished with a custom
service probe and --version-trace.

In order to make this script really worth it, I think it would need to
contain multiple commands like so:

# Send everything between the opening { and closing }
payload[0] {
\x01\x02\x03\x04hello
btw, escape closing any closing \} with \\.\x00
}

# If some response is received, send next command
payload[1] {
send more crap\n\r\x00
}

Sending multiple payloads might be too much work for a generic NSE
script for only marginal gain.  If that is the case, do we need a single
payload-inject which is only marginal gain over netcat/-sV/custom NSE
script/etc?

One script that would be really neat would be a -sV implementing NSE
script.  That is, I could give the script a service probe file and it
would send the probes to the ports and run them through PCRE.  I really
hate mucking with nmap-service-probes when I'm testing a one-off
probe/match.  Arbitrary limitations could be put on the custom probe
file like only one probe and match or one probe, many matches, etc.

This too would be a lot of work though for only marginal gain.

Brandon

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
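Brandon's proposed multi-payload file format, worked through as a stand-alone Python reference parser. This is an added example, not code from Eddie's script or the Nmap project; where the proposal leaves the grammar open (comment lines, which escapes exist, whether the newlines next to the braces are sent) the choices below are assumptions and are marked as such.

```python
import re

# Added example: a stand-alone reference parser (not NSE code) for the
# multi-payload file format sketched above.  Assumed grammar, as read here:
# '#' lines outside a block are comments; a block "payload[N] { ... }" ends at
# the first '}' not preceded by a backslash; in a body \xNN is one byte, \} \{
# \\ are literals, \n \r \t as in C; the newline right after '{' and the one
# right before '}' are delimiters, not payload (assumption).
HEADER = re.compile(r'^[ \t]*payload\[(\d+)\][ \t]*\{', re.M)
ESC = re.compile(rb'\\(x[0-9a-fA-F]{2}|.)', re.S)
SIMPLE = {b'}': b'}', b'{': b'{', b'\\': b'\\', b'n': b'\n', b'r': b'\r', b't': b'\t'}

def _decode(m):
    e = m.group(1)
    if e[:1] == b'x':
        return bytes([int(e[1:], 16)])
    if e in SIMPLE:
        return SIMPLE[e]
    raise ValueError('unknown escape %r' % m.group(0))

def unescape(body):
    """Decode one payload body (str) into the raw bytes that would be sent."""
    return ESC.sub(_decode, body.encode('latin-1'))

def parse_payload_file(text):
    """Return the bodies in order; blocks must be payload[0], [1], ... in sequence."""
    found, pos = [], 0
    while (m := HEADER.search(text, pos)):
        idx, i = int(m.group(1)), m.end()
        while i < len(text) and text[i] != '}':
            i += 2 if text[i] == '\\' else 1   # an escaped char never closes
        if i >= len(text):
            raise ValueError('payload[%d]: unterminated block' % idx)
        if idx != len(found):
            raise ValueError('expected payload[%d], got payload[%d]' % (len(found), idx))
        found.append(unescape(re.sub(r'\A\n|\n\Z', '', text[m.end():i])))
        pos = i + 1
    return found

# Constructed sample: the two blocks from the proposal above, verbatim.
SAMPLE = r"""# Send everything between the opening { and closing }
payload[0] {
\x01\x02\x03\x04hello
btw, escape closing any closing \} with \\.\x00
}
# If some response is received, send next command
payload[1] {
send more crap\n\r\x00
}
"""
```

`parse_payload_file(SAMPLE)` yields two byte strings; the script sending them would transmit payload[1] only after a response to payload[0] arrives, as the proposal describes.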

