Nmap Development mailing list archives
Re: NMAP NSE script for iSCSI enumeration
From: Fyodor <fyodor () insecure org>
Date: Sat, 10 Oct 2009 16:48:25 -0700
On Sat, Oct 10, 2009 at 01:54:10PM -0400, Michel Chamberland wrote:
> I wrote an nmap nse script to enumerate iSCSI targets. I would be interested to get feedback on it.
> The script can be found here: http://blog.securitywire.com/2009/10/10/nmap-nse-script-to-enumerate-iscsi-targets/
> I have very limited access to iSCSI targets so I'd be really interested to hear how it works out across a variety of targets.
Thanks Michael! I hope people try it out and send feedback, as this sounds like a useful script for integration into Nmap. Please send us (nmap-dev) another mail when you feel it is ready for that. Unfortunately I don't have any iSCSI devices to test, and I only have time for a quick glance at the script right now.

One thing that stands out is that most of the lines in the script are of this form:

    table.insert(t1, string.char(0x6c, 0x6d, 0x00, 0x53, 0x65, 0x73, 0x73, 0x69));
    table.insert(t1, string.char(0x6f, 0x6e, 0x54, 0x79, 0x70, 0x65, 0x3d, 0x44));
    table.insert(t1, string.char(0x69, 0x73, 0x63, 0x6f, 0x76, 0x65, 0x72, 0x79));
    table.insert(t1, string.char(0x00, 0x48, 0x65, 0x61, 0x64, 0x65, 0x72, 0x44));
    table.insert(t1, string.char(0x69, 0x67, 0x65, 0x73, 0x74, 0x3d, 0x4e, 0x6f));
    table.insert(t1, string.char(0x6e, 0x65, 0x00, 0x44, 0x61, 0x74, 0x61, 0x44));
    table.insert(t1, string.char(0x69, 0x67, 0x65, 0x73, 0x74, 0x3d, 0x4e, 0x6f));

That raises two issues:

1) It would be great to comment these hex dumps to explain more about what they are doing. It is a lot harder to maintain/improve/understand scripts when we don't understand what the requests are doing. Also, how did you generate them? If you aren't so familiar with the protocol yourself, one thing which can help is running Wireshark while you make the requests. That often explains the various fields and types which can then be added as comments to the script.

2) I'm not sure that this approach of table.insert followed by a .concat into a string is an efficient or desirable way to fill out the request payload. You might have gotten this approach from sslv2.nse, but that is an ancient script and I'm not sure that it serves as a good example in this respect.

Perhaps the approach shown in this dns-random-srcport.nse snippet is better:

    local query = string.char(0xbe, 0xef, -- TXID
      0x01, 0x00, -- Flags
      0x00, 0x01, -- Questions
      0x00, 0x00, -- Answer RRs
      0x00, 0x00, -- Authority RRs
      0x00, 0x00, -- Additional RRs
      0x08) .. "porttest" .. string.char(0x08) .. "dns-oarc" .. string.char(0x03) .. "net" .. string.char(0x00, -- Name terminator
      0x00, 0x10, -- Type (TXT)
      0x00, 0x01) -- Class (IN)

Another option is bin.pack (http://nmap.org/nsedoc/lib/bin.html).
> I have about 2 hours of experience with lua too so I'm sure it shows :)
It looks like a good first script to me!

Cheers,
Fyodor

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
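The hex dump Fyodor quotes decodes to the tail of an iSCSI login text segment: the bytes spell out "...lm", "SessionType=Discovery", "HeaderDigest=None" and "DataDigest=No..." with NUL separators, which is the RFC 3720 key=value text format. The following is an added example, written for this archive page and not taken from Michel's script or from Nmap; it shows the readable alternative Fyodor is asking for: build the data segment from named keys, pad it to the 4-byte boundary the protocol requires, and turn any captured segment back into annotated string.char lines so the hex is self-documenting. It is plain Lua 5.1-compatible code with no NSE dependencies, so it runs outside Nmap; the InitiatorName value is a constructed placeholder.

```lua
-- Added example (not from the thread's script): iSCSI text-key helpers in plain Lua.
-- Key names follow RFC 3720; the IQN below is a constructed placeholder.

-- Encode an ordered list of {key, value} pairs as iSCSI login/text data:
-- each "key=value" is NUL-terminated and the whole segment is padded with
-- NULs to a 4-byte boundary. Returns the padded segment and the unpadded
-- length (the value that belongs in the header's DataSegmentLength field).
local function iscsi_text_encode(pairs_list)
  local parts = {}
  for _, kv in ipairs(pairs_list) do
    parts[#parts + 1] = kv[1] .. "=" .. kv[2] .. "\0"
  end
  local data = table.concat(parts)
  local pad = (4 - #data % 4) % 4
  return data .. string.rep("\0", pad), #data
end

-- Decode a text data segment back into an ordered list of {key, value}.
-- Uses plain (non-pattern) find so embedded NUL bytes work on Lua 5.1 too;
-- trailing padding NULs produce empty entries, which are skipped.
local function iscsi_text_decode(data)
  local out, pos = {}, 1
  while pos <= #data do
    local nul = string.find(data, "\0", pos, true)
    if not nul then break end
    local kv = string.sub(data, pos, nul - 1)
    local eq = string.find(kv, "=", 1, true)
    if eq then
      out[#out + 1] = { string.sub(kv, 1, eq - 1), string.sub(kv, eq + 1) }
    end
    pos = nul + 1
  end
  return out
end

-- Render a byte string as string.char(...) lines of `width` bytes, each with
-- a trailing comment showing the printable content (non-printables as '.'),
-- so a payload embedded in a script explains itself.
local function annotate_hex(data, width)
  width = width or 8
  local lines = {}
  for i = 1, #data, width do
    local chunk = string.sub(data, i, i + width - 1)
    local hex = {}
    for j = 1, #chunk do
      hex[#hex + 1] = string.format("0x%02x", string.byte(chunk, j))
    end
    local printable = string.gsub(chunk, "[^%w%p ]", ".")
    lines[#lines + 1] = string.format("string.char(%s), -- %s",
                                      table.concat(hex, ", "), printable)
  end
  return table.concat(lines, "\n")
end

-- Usage: the discovery-session keys that the thread's hex dump spells out.
local discovery_keys = {
  { "InitiatorName", "iqn.2009-10.example:initiator" }, -- constructed placeholder
  { "SessionType",   "Discovery" },
  { "HeaderDigest",  "None" },
  { "DataDigest",    "None" },
}
local segment, data_len = iscsi_text_encode(discovery_keys)
print("DataSegmentLength = " .. data_len .. ", padded to " .. #segment .. " bytes")
print(annotate_hex(segment))
for _, kv in ipairs(iscsi_text_decode(segment)) do
  print(kv[1] .. " = " .. kv[2])
end
```

In an NSE script the padded segment would be appended to the 48-byte login request header (where bin.pack, mentioned above, is the natural tool for the fixed-width fields), and iscsi_text_decode can be pointed at the target's login or SendTargets response to pull out TargetName and TargetAddress keys instead of matching raw bytes.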