Nmap Development mailing list archives

Re: In nmap is this possible?


From: "ithilgore.ryu.L () gmail com" <ithilgore.ryu.l () gmail com>
Date: Mon, 25 Aug 2008 15:14:04 -0700

mike wrote:
Hello again guys...
Can this be done in nmap---specify EXACT bytes when using the --data-length option, as opposed to it being just random ones? I understand we have scripting ability and service probes, but what about when someone wants to simply muck about with data bytes/strings they think might work on a given service? Does anyone else think we should be able to set --data-length to a variable of what we want for bytes being specified by the user?

Say I wanna just sweep an IP list I have and check for RIP responses and I have no script or service probe available for it, but I can hex out a quick 21 byte request to get the job done. If nmap gave me the ability to set my own bytes (size and data) I then can crudely come up with a quick way of getting what I need by sending the exact data I want. Do we agree this is quite useful here and easy to implement? Again, simply setting the --data-length option to, instead of RANDOM as it is now, ANYTHING THE USER SPECIFIES.

An example would be if you ran nmap in Windows using type (string/file data to inject) then | and the nmap command and its flags. You could basically scan multiple hosts as you are, at the same time, injecting your request out. The only thing needed on your end would be a packet sniffer, since nmap would not have a way to handle the raw data coming back. Again, this idea would be for testing/probing purposes when you have your OWN data you wish to send. Thanks
M|ke

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org

I wrote a patch that does what you want:

It defines a new long option called --payload which takes as an argument the name of the file which contains the data/payload which will be included in each probe. If --payload is not defined and --data-length is, then --data-length does what it used to do before (it adds a random buffer to the end of the packet, for as many bytes as the user defines in the argument). Thus, existing functionality is not broken. If --payload is defined and --data-length is defined too, then Nmap will read from the payload file as many bytes as --data-length argument defines. If --payload is defined and --data-length is *not* defined, then the payload file is read until EOF is returned or until 1024 bytes have been read, whichever comes first.

I don't know if defining a new option this way is the best course of action (since I believe that NSE will probably support more flexible functionality with payloads).
Nevertheless enjoy.

-- ithilgore


*** _nmap.cc    Mon Aug 25 12:42:38 2008
--- nmap.cc     Mon Aug 25 14:34:21 2008
***************
*** 210,215 ****
--- 210,232 ----
    return 1;
  }
  
+ static void read_payload(FILE *payloadfd) {
+    int i = 0, ch;
+ 
+    /* if user has defined --data-length, then we read that much from the file */
+    if (!o.extra_payload_length) {
+     o.extra_payload = (char *) safe_malloc(sizeof(char) * 1024);
+     o.extra_payload_length = 1024;
+    }
+ 
+    while ((ch = fgetc(payloadfd)) != EOF && i < o.extra_payload_length)
+     o.extra_payload[i++] = ch;
+ 
+    o.extra_payload_length = i;
+ 
+    fclose(payloadfd);
+ } 
+ 
  static void printusage(char *name, int rc) {
  
  printf("%s %s ( %s )\n"
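Review bot: the while condition in read_payload() calls fgetc() before testing `i < o.extra_payload_length`, so when the file is longer than the limit one extra byte is read and thrown away; swap the two tests (`i < o.extra_payload_length && (ch = fgetc(payloadfd)) != EOF`) or read with fread() using the cap as the count. The comment above the `if (!o.extra_payload_length)` block also says "if user has defined --data-length", but that branch handles the case where it was *not* defined (the 1024-byte default), so reword it to match.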
***************
*** 504,509 ****
--- 521,527 ----
    long l;
    unsigned int targetno;
    FILE *inputfd = NULL, *excludefd = NULL;
+   FILE *payloadfd = NULL;
    char *host_spec = NULL, *exclude_spec = NULL;
    short randomize=1;
    short quashargv = 0;
***************
*** 619,625 ****
        {"packet-trace", no_argument, 0, 0}, /* Display all packets sent/rcv */
        {"version_trace", no_argument, 0, 0}, /* Display -sV related activity */
        {"version-trace", no_argument, 0, 0}, /* Display -sV related activity */
!       {"data_length", required_argument, 0, 0},
        {"data-length", required_argument, 0, 0},
        {"send_eth", no_argument, 0, 0},
        {"send-eth", no_argument, 0, 0},
--- 637,644 ----
        {"packet-trace", no_argument, 0, 0}, /* Display all packets sent/rcv */
        {"version_trace", no_argument, 0, 0}, /* Display -sV related activity */
        {"version-trace", no_argument, 0, 0}, /* Display -sV related activity */
!       {"payload", required_argument, 0, 0}, /* extra payload */
!       {"data_length", required_argument, 0, 0}, /* length of extra payload */
        {"data-length", required_argument, 0, 0},
        {"send_eth", no_argument, 0, 0},
        {"send-eth", no_argument, 0, 0},
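Review bot: --payload is registered in long_options here but no hunk touches printusage(), so the help text never mentions the new option; add an entry beside the --data-length line describing the file argument, how it interacts with --data-length, and the 1024-byte default cap.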
***************
*** 838,850 ****
        } else if (optcmp(long_options[option_index].name, "version-trace") == 0) {
        o.setVersionTrace(true);
        o.debugging++;
        } else if (optcmp(long_options[option_index].name, "data-length") == 0) {
        o.extra_payload_length = atoi(optarg);
        if (o.extra_payload_length < 0) {
          fatal("data-length must be greater than 0");
        } else if (o.extra_payload_length > 0) {
          o.extra_payload = (char *) safe_malloc(o.extra_payload_length);
!         get_random_bytes(o.extra_payload, o.extra_payload_length);
        }
        } else if (optcmp(long_options[option_index].name, "send-eth") == 0) {
        o.sendpref = PACKET_SEND_ETH_STRONG;
--- 857,875 ----
        } else if (optcmp(long_options[option_index].name, "version-trace") == 0) {
        o.setVersionTrace(true);
        o.debugging++;
+       } else if (optcmp(long_options[option_index].name, "payload") == 0) {
+       o.payload_from_file = true;
+       payloadfd = fopen(optarg, "r");
+       if (!payloadfd) 
+         fatal("Failed to open payload file %s for reading", optarg);
        } else if (optcmp(long_options[option_index].name, "data-length") == 0) {
        o.extra_payload_length = atoi(optarg);
        if (o.extra_payload_length < 0) {
          fatal("data-length must be greater than 0");
        } else if (o.extra_payload_length > 0) {
          o.extra_payload = (char *) safe_malloc(o.extra_payload_length);
!         if (!o.payload_from_file)
!          get_random_bytes(o.extra_payload, o.extra_payload_length);
        }
        } else if (optcmp(long_options[option_index].name, "send-eth") == 0) {
        o.sendpref = PACKET_SEND_ETH_STRONG;
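Review bot: the `if (!o.payload_from_file)` guard only takes effect when --payload precedes --data-length on the command line; in the other order payload_from_file is still false here, the buffer is filled with random bytes and read_payload() overwrites them later, so the result is the same but the guard is misleading and the random fill is wasted. Either drop the guard and let read_payload() be the single place that decides, or defer the random fill until after option parsing. Separately, open the file with "rb" rather than "r": on Windows (the platform the original poster mentions) text mode translates CR LF and treats 0x1A as end-of-file, silently corrupting binary probe data.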
***************
*** 1272,1277 ****
--- 1297,1305 ----
    validate_scan_lists(ports,o);
    o.ValidateOptions();
  
+   if (o.payload_from_file)
+     read_payload(payloadfd);
+ 
    // print ip options
    if((o.debugging || o.packetTrace()) && o.ipoptionslen){
      char buf[256]; // 256 > 5*40
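Review bot: read_payload() runs after o.ValidateOptions(), so the final extra_payload_length is never checked; an empty payload file sets it to 0 and the scan quietly sends probes with no payload. Call fatal() (or at least warn) when read_payload() reads zero bytes, so a typo in the file name's contents does not go unnoticed.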
*** _NmapOps.h  Mon Aug 25 12:57:29 2008
--- NmapOps.h   Mon Aug 25 13:45:14 2008
***************
*** 197,202 ****
--- 197,203 ----
    int min_parallelism; // 0 means it has not been set
    double topportlevel; // -1 means it has not been set
  
+ 
    /* The maximum number of OS detection (gen2) tries we will make
       without any matches before giving up on a host.  We may well give
       up after fewer tries anyway, particularly if the target isn't
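Review bot: this hunk only inserts a blank line into NmapOps.h; drop it from the patch so the diff carries only the functional change.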
***************
*** 246,251 ****
--- 247,254 ----
                         // many IPs to try before stopping. 0 means unlimited.
    int extra_payload_length; /* These two are for --data-length op */
    char *extra_payload;
+   bool payload_from_file; /* if true, payload comes from file, else it's random */
+ 
    unsigned long host_timeout;
    /* Delay between probes, in milliseconds */
    unsigned int scan_delay;
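Review bot: payload_from_file is declared without an initializer and no hunk in this patch sets it to false, so unless it is reset where extra_payload_length gets its default (not shown in the diff) its value is indeterminate; a stray true would make the `if (o.payload_from_file) read_payload(payloadfd)` call run with payloadfd == NULL and crash in fclose(). Initialize it to false in the same place extra_payload_length is zeroed.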

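The --payload/--data-length rules described in the reply, as an added stand-alone C example that is not part of the patch or of Nmap's source: load_payload_stream(), load_payload_file() and demo_bytes_kept() are hypothetical names, the 1024-byte default cap is the one the post states, and the file is opened in binary mode so the bytes reach the probe unchanged on every platform.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PAYLOAD_DEFAULT_MAX 1024  /* cap applied when --data-length is not given */
/* Read a probe payload from an open stream using the rules from the post: with
 * requested_len > 0 (the --data-length value) read at most that many bytes; with 0
 * read until EOF or PAYLOAD_DEFAULT_MAX bytes, whichever comes first. fread() checks
 * the bound before reading, so it never consumes a byte past the cap as a fgetc loop
 * can. Returns the byte count stored in *out (heap buffer, caller frees), -1 on error. */
long load_payload_stream(FILE *fp, size_t requested_len, unsigned char **out)
{
    size_t cap = requested_len ? requested_len : PAYLOAD_DEFAULT_MAX;
    unsigned char *buf = fp ? malloc(cap) : NULL;
    if (!buf) return -1;
    size_t n = fread(buf, 1, cap, fp);
    if (ferror(fp)) { free(buf); return -1; }
    *out = buf;
    return (long)n;
}

/* Open in binary mode ("rb"): in text mode on Windows 0x0D 0x0A is collapsed to 0x0A
 * and a 0x1A byte is treated as end-of-file, silently corrupting the probe bytes. */
long load_payload_file(const char *path, size_t requested_len, unsigned char **out)
{
    FILE *fp = fopen(path, "rb");
    if (!fp) return -1;
    long n = load_payload_stream(fp, requested_len, out);
    fclose(fp);
    return n;
}

/* Demo: write file_len constructed filler bytes (0x41, not protocol data) to a temp
 * stream, load them back for a given --data-length value (0 = not given), return count. */
long demo_bytes_kept(size_t file_len, size_t requested_len)
{
    unsigned char *filler = malloc(file_len + 1), *p = NULL;
    FILE *fp = tmpfile();  /* tmpfile() streams are binary, like "rb" */
    long n = -1;
    if (filler && fp) {
        memset(filler, 0x41, file_len);
        if (fwrite(filler, 1, file_len, fp) == file_len) {
            rewind(fp);
            n = load_payload_stream(fp, requested_len, &p);
        }
    }
    if (fp) fclose(fp);
    free(filler);
    free(p);
    return n;
}
```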
