Nmap Development mailing list archives

Uniquely identifying an Nmap install from NSE?


From: Ron <ron () skullsecurity net>
Date: Fri, 07 Aug 2009 16:41:25 -0500

Hi all,

I had a conversation with Ed Skoudis at Defcon, and he had a comment on some of my SMB scripts: one of his primary uses for these scripts is teaching, so he can have up to 40 people using the same scripts against the same target, and that won't work well with psexec-style scripts. Up till now, I've written the scripts from the perspective of how I'd use them: one person at a time. That doesn't work as well in the real world.

The issue is, some scripts (like smb-pwdump.nse) create a service on the remote host. I always use the same name for this service, since that makes it possible to clean up later if something fails. But, this creates a race condition where if two people run the same script, it'll fail for one or both of them.

So, the two obvious choices are:
1. Leave it the way it is, and accept that it's going to have a race condition
2. Randomize the name, making it difficult to clean up

Neither option is really good, so I'm looking at a third option: having some way to uniquely identify an Nmap install so it can use the same random service name every time it runs, without stepping on toes. The first two things that come to mind are a) using the local IP address, and b) using the local MAC address. Neither is a perfect solution, but they're pretty clean options. The biggest downside is, even if I use a hash of the local address, it would be pretty trivial to crack it and determine who created the service, so the attacker loses a big chunk of privacy.

Anybody else have any ideas?

Thanks
--
Ron Bowes
http://www.skullsecurity.org/

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
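Added illustration (not part of the original message, and not code from Nmap or smb-pwdump.nse): the "hash of the local address" scheme Ron describes, plus the brute-force that shows why it leaks the scanner's identity. The local IP, the `nmap-` service-name prefix and the target network range are constructed sample values. The keyed variant at the end is an alternative added here for comparison, not something the post proposes: it keeps the per-install determinism Ron wants while making the name unrecoverable without the install's secret.

```python
import hashlib
import hmac
import ipaddress
import secrets
from typing import Optional

# Constructed sample input: the scanner's local address as an NSE script
# might read it. Not taken from the original post.
LOCAL_IP = "192.168.1.37"
# Assumed service-name prefix for illustration only.
PREFIX = "nmap-"


def service_name_from_ip(ip: str) -> str:
    """Deterministic name from a plain SHA-1 of the local IP (the scheme
    floated in the post): same install gives the same name on every run."""
    digest = hashlib.sha1(ip.encode()).hexdigest()
    return PREFIX + digest[:12]


def recover_ip(name: str, network: str) -> Optional[str]:
    """An admin who finds the service only needs a guess at the scanner's
    network: try every host address and compare. A /24 is 254 hashes, a /16
    about 65k, so an unkeyed hash of an IP protects nothing."""
    for addr in ipaddress.ip_network(network).hosts():
        if service_name_from_ip(str(addr)) == name:
            return str(addr)
    return None


def new_install_key() -> bytes:
    """Random per-install secret, generated once and kept with the install
    (storage location is outside the scope of this example)."""
    return secrets.token_bytes(32)


def service_name_keyed(ip: str, install_key: bytes) -> str:
    """Added alternative: HMAC the address under the install key. Still
    stable for one install, but brute-forcing the address is useless
    without the key, so the name no longer identifies its creator."""
    tag = hmac.new(install_key, ip.encode(), hashlib.sha256).hexdigest()
    return PREFIX + tag[:12]


if __name__ == "__main__":
    name = service_name_from_ip(LOCAL_IP)
    print("unkeyed name:", name)
    print("recovered from /24 guess:", recover_ip(name, "192.168.1.0/24"))
    key = new_install_key()
    print("keyed name:  ", service_name_keyed(LOCAL_IP, key))
    print("keyed lookup:", recover_ip(service_name_keyed(LOCAL_IP, key), "192.168.1.0/24"))
```

A MAC address does not change the picture: the OUI half is public, leaving 2^24 candidates per vendor, which a laptop hashes in seconds. Whatever is hashed, the name only stays private if something the observer cannot enumerate (a secret) goes into it.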
