Nmap Development mailing list archives

great book and small 6to4 conversion NSE script


From: Henrik Lund Kramshøj <hlk () kramse dk>
Date: Mon, 29 Dec 2008 22:59:19 +0100

Hi There
- sent this e-mail to Fyodor, but he suggested mailing the list instead. I almost
feel embarrassed for the silly script, but here goes nothing :-)

Hopefully the attached files make it through the ML software; if not, copies of the three files
are uploaded to: http://kramse.dk/files/tmp/nmap/


I received my Nmap book in hardcopy yesterday and browsed it a bit - NICE layout with a touch
of old-skool nerdish. Love it already :-)

Had a lot of fun playing with Nmap yesterday, trying to make a Lua version of a Perl script that uses Net::DNS. That didn't really work out, but I made this small script for converting a 2002::/16 6to4 address to get the IPv4 gateway address - silly and small, include if you wish :-)

Sample output; you can't really scan this address from outside my net, it was hardcoded as
an alias on one of my boxes:
hlk@bigfoot:dns$ sudo ../nmap-4.76/nmap -6 --script-trace --script ipv6-6to4-address.nse -v -p30-40 2002:d99d:3f71:cf0f::1

Starting Nmap 4.76 ( http://nmap.org ) at 2008-12-29 15:23 CET
Initiating Ping Scan at 15:23
Scanning 2002:d99d:3f71:cf0f::1 [1 port]
Completed Ping Scan at 15:23, 0.00s elapsed (1 total hosts)
Initiating System DNS resolution of 1 host. at 15:23
Completed System DNS resolution of 1 host. at 15:23, 0.00s elapsed
Initiating Connect Scan at 15:23
Scanning 2002:d99d:3f71:cf0f::1 [11 ports]
Discovered open port 37/tcp on 2002:d99d:3f71:cf0f::1
Completed Connect Scan at 15:23, 0.01s elapsed (11 total ports)
SCRIPT ENGINE: Initiating script scanning.
Initiating SCRIPT ENGINE at 15:23
NSOCK (0.0760s) nsock_loop() started (timeout=50ms). 0 events pending
NSOCK (0.0760s) nsock_loop() started (timeout=50ms). 0 events pending
Completed SCRIPT ENGINE at 15:23, 0.00s elapsed
Host 2002:d99d:3f71:cf0f::1 appears to be up ... good.
Interesting ports on 2002:d99d:3f71:cf0f::1:
PORT   STATE  SERVICE
30/tcp closed unknown
31/tcp closed msg-auth
32/tcp closed unknown
33/tcp closed dsp
34/tcp closed unknown
35/tcp closed priv-print
36/tcp closed unknown
37/tcp open   time
38/tcp closed rap
39/tcp closed unknown
40/tcp closed unknown

Host script results:
|  IPv6 6to4 gateway address:
|_  IPv4 receiving gateway: 217.157.63.113

Read data files from: /usr/local/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.08 seconds


The reason for getting this information is that this IPv4 address perhaps doesn't have strict firewall filtering and there are also inherent problems with 6to4 - spoofing of addresses etc. So highlighting this address seems nice.


The real script I wanted to write was another one, a port of a Perl script.

I also attach the annoying Perl script and my first try at converting it - using hardcoded values for the packet. It is a nice way of getting the time from a nameserver, by forcing it to return a signed packet and taking the difference from localtime.

The hardcoded version sends exactly the same hex as the Perl version, compared using Wireshark and output from nmap debug. What is missing is creating the TSIG signatures and parsing the time_signed from the reply - I will put this on my
to-do list and sharpen my skills using more simple Lua programs :-)


Best regards and a happy new year

Henrik



--
Henrik Lund Kramshøj, Follower of the Great Way of Unix
hlk () security6 net, +45 2026 6000 cand.scient CISSP CEH
http://www.security6.net - IPv6, security, networking
http://e-learning.security6.net - free course material

Attachment: ipv6-6to4-address.nse
Attachment: dns-timecheck
Attachment: dns-tsig-timecheck.nse
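The 2002::/16 to IPv4 conversion the script performs, as an added Python example (this is not the ipv6-6to4-address.nse attachment or any Nmap code). The '::' expansion is written by hand, as a library-free NSE script has to do it, and the routability check that flags embedded gateways in private or otherwise non-global ranges is an addition that assumes Python's standard ipaddress module.

```python
"""Decode the IPv4 gateway embedded in a 6to4 (2002::/16) IPv6 address.

Constructed example. Parsing is done on the textual address (including
'::' compression); ipaddress is only used to classify the extracted IPv4.
"""
import ipaddress


def expand_ipv6(addr: str) -> list:
    """Return the eight 16-bit groups of an IPv6 address, expanding '::'."""
    if addr.count("::") > 1:
        raise ValueError("at most one '::' is allowed")
    if "::" in addr:
        head, tail = addr.split("::")
        head_groups = head.split(":") if head else []
        tail_groups = tail.split(":") if tail else []
        missing = 8 - len(head_groups) - len(tail_groups)
        if missing < 1:
            raise ValueError("'::' must stand for at least one zero group")
        groups = head_groups + ["0"] * missing + tail_groups
    else:
        groups = addr.split(":")
    if len(groups) != 8:
        raise ValueError("IPv6 address must have eight groups")
    values = [int(g, 16) for g in groups]  # raises on non-hex text
    if any(v > 0xFFFF for v in values):
        raise ValueError("group exceeds 16 bits")
    return values


def sixtofour_gateway(addr: str):
    """Dotted-quad IPv4 of the 6to4 router, or None outside 2002::/16."""
    g = expand_ipv6(addr)
    if g[0] != 0x2002:
        return None
    # Groups 1 and 2 (bits 16-47) carry the 32-bit IPv4 address.
    return "%d.%d.%d.%d" % (g[1] >> 8, g[1] & 0xFF, g[2] >> 8, g[2] & 0xFF)


def describe_6to4(addr: str) -> dict:
    """Report the embedded gateway and whether it is globally routable.

    A 6to4 address whose embedded IPv4 is private, loopback or otherwise
    non-global can never have a legitimate relay behind it; flagging it is
    the usual sanity check against spoofed 6to4 sources.
    """
    v4 = sixtofour_gateway(addr)
    routable = v4 is not None and ipaddress.IPv4Address(v4).is_global
    return {"ipv6": addr, "ipv4_gateway": v4, "globally_routable": routable}


if __name__ == "__main__":
    # Constructed sample: the address from the scan output above.
    print(describe_6to4("2002:d99d:3f71:cf0f::1"))
```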


_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
