Nmap Development mailing list archives

Re: Raw IP NSE Functionality (Was Re: [NSE] Raw ethernet frame questions ...)


From: kx <kxmail () gmail com>
Date: Wed, 17 Feb 2010 21:37:21 -0500

About Windows support: Have you (or anyone) tested raw sending to a
non-Target? How are you testing this generally? If you have even just a
short script snippet, that is fine.

I have a script I have been toying with for this, and just tested it.

Windows XP SP3 on a wireless LAN. Sadly only one route right now.

nmap -sS -p 80 --script=junk.nse google.com

For testing, I sent a custom TCP SYN to port 80 on 192.168.1.1

It worked fine, but the only issue is the route/interface to
192.168.1.1 is the same as the route/interface to the target host
(google.com).

As for how I have been testing for packet sending, I am using the same
code as Kris (please ignore my ugly modifications, I haven't
generalized the payload code - thus the A fill right now).

-- NSE libraries used below (old-style global requires): bin for hex packing,
-- packet for the IP/TCP header setters and checksum helpers.
require "bin"
require "packet"

-- I mooched off of Marek's RR script for some of the following functions
-- (I split them into separate functions and redid them a bit).

-- Recompute the TCP checksum (over the pseudo-header + segment) and then the
-- IPv4 header checksum; must be the last step after every field is set.
checksum = function(tcp)
        tcp:tcp_count_checksum(tcp.ip_len)
        tcp:ip_count_checksum()
end

-- Random initial sequence number.
newtcpseq = function(tcp)
        tcp:tcp_set_seq(math.random(1, 0x7fffffff))
end

-- Random ephemeral source port (above 1024).
newtcpsport = function(tcp)
        tcp:tcp_set_sport(math.random(0x401, 0xffff))
end

-- Build an IPv4 + TCP SYN of totlen bytes to host:port. The template below is
-- a 40-byte header pair with every variable field zeroed; the packet setters
-- fill in lengths, addresses, ports, seq and checksums afterwards.
genericpkt = function(host, port, totlen)
        local pkt = bin.pack("H",
                "4500" .. -- IPv4, len 5, dif serv 00
                "0000" .. -- total len
                "abcd" .. -- ip id
                "4000" .. -- DF set
                "8006" .. -- TTL 128, proto TCP
                "0000" .. -- checksum
                "0000 0000" .. -- src ip
                "0000 0000" .. -- dst ip
                "0000" .. -- tcp src port
                "0000" .. -- tcp dst port
                "0000 0000" .. -- seq #
                "0000 0000" .. -- ack #
                "5002" .. -- hdr len 20, SYN
                "0c00" .. -- win size 3072
                "0000" .. -- tcp checksum
                "0000" -- urg pointer
        )
        -- Payload fill (not generalized yet): pad with 'A' up to totlen.
        pkt = pkt .. string.rep("A", (totlen - 40))
        local tcp = packet.Packet:new(pkt, pkt:len())

        tcp:ip_set_len(totlen)
        tcp:ip_set_bin_src(host.bin_ip_src)
        tcp:ip_set_bin_dst(host.bin_ip)
        tcp:tcp_set_dport(port)

        newtcpsport(tcp)
        newtcpseq(tcp)

        checksum(tcp)

        return tcp
end

Then down in the main:

action = function(host)
        math.randomseed( os.time() )
        local sock = nmap.new_dnet()
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
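The snippet above relies on the NSE packet library to fix up the zeroed fields and compute both checksums. The following Python script is an added example, not code from the post or from Nmap: it builds the same 40-byte IPv4+TCP SYN layout from the same hex template, fills in the variable fields, computes the IPv4 header checksum and the TCP pseudo-header checksum the way `ip_count_checksum`/`tcp_count_checksum` do, and then verifies a finished packet the way a capture tool would. Nothing is sent; the addresses and ports are constructed sample values, and `TEMPLATE_HEX` mirrors the post's template with the whitespace removed.

```python
import random
import struct

# Constructed template: the same IPv4 (20 bytes) + TCP (20 bytes) SYN layout
# as the NSE snippet, with every variable field zeroed.
TEMPLATE_HEX = (
    "4500" "0000" "abcd" "4000" "8006" "0000" "00000000" "00000000"  # IPv4
    "0000" "0000" "00000000" "00000000" "5002" "0c00" "0000" "0000"  # TCP
)


def ones_complement_sum(data):
    """16-bit one's-complement sum with end-around carry (odd byte padded)."""
    data = bytes(data)
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def checksum(data):
    """Internet checksum (RFC 1071): complement of the one's-complement sum."""
    return (~ones_complement_sum(data)) & 0xFFFF


def build_syn(src_ip, dst_ip, sport, dport, seq, totlen=40):
    """Return totlen bytes: IPv4 + TCP SYN, payload padded with 'A' as in the post."""
    pkt = bytearray(bytes.fromhex(TEMPLATE_HEX))
    pkt += b"A" * (totlen - 40)
    # IPv4 fields: total length, source, destination
    struct.pack_into("!H", pkt, 2, totlen)
    pkt[12:16] = bytes(int(o) for o in src_ip.split("."))
    pkt[16:20] = bytes(int(o) for o in dst_ip.split("."))
    # TCP fields start at offset 20 (IHL = 5): sport, dport, seq
    struct.pack_into("!HHI", pkt, 20, sport, dport, seq)
    # TCP checksum first (zeroed, then over pseudo-header + segment)
    struct.pack_into("!H", pkt, 36, 0)
    pseudo = bytes(pkt[12:20]) + struct.pack("!BBH", 0, 6, totlen - 20)
    struct.pack_into("!H", pkt, 36, checksum(pseudo + pkt[20:]))
    # IPv4 header checksum last, over the 20-byte header only
    struct.pack_into("!H", pkt, 10, 0)
    struct.pack_into("!H", pkt, 10, checksum(pkt[:20]))
    return bytes(pkt)


def random_syn(src_ip, dst_ip, dport, totlen=40):
    """Same randomisation as newtcpsport/newtcpseq in the NSE snippet."""
    return build_syn(src_ip, dst_ip, random.randint(0x401, 0xFFFF), dport,
                     random.randint(1, 0x7FFFFFFF), totlen)


def verify(pkt):
    """Check a raw IPv4/TCP packet: both checksums valid, plus flags and dport.

    A valid checksum makes the one's-complement sum over the covered bytes
    (checksum field included) come out as 0xFFFF.
    """
    ihl = (pkt[0] & 0x0F) * 4
    ip_ok = ones_complement_sum(pkt[:ihl]) == 0xFFFF
    tcp_len = len(pkt) - ihl
    pseudo = pkt[12:20] + struct.pack("!BBH", 0, pkt[9], tcp_len)
    tcp_ok = ones_complement_sum(pseudo + pkt[ihl:]) == 0xFFFF
    flags = pkt[ihl + 13]
    return {
        "ip_checksum_ok": ip_ok,
        "tcp_checksum_ok": tcp_ok,
        "syn": bool(flags & 0x02),
        "ack": bool(flags & 0x10),
        "dport": struct.unpack("!H", pkt[ihl + 2:ihl + 4])[0],
        "ip_total_len": struct.unpack("!H", pkt[2:4])[0],
    }


if __name__ == "__main__":
    # Constructed sample: the post's test case, a SYN to port 80 on 192.168.1.1
    p = random_syn("192.168.1.2", "192.168.1.1", 80, totlen=60)
    print(p.hex())
    print(verify(p))
```

The order of the two checksum computations matters: the TCP checksum covers the pseudo-header (addresses, protocol, TCP length) but not the IPv4 checksum field, so it can be computed first; the IPv4 checksum must be computed after every header field, including the addresses, is final, which is why the post's `checksum(tcp)` runs last. `verify` is the check worth keeping around: run it on a capture of what actually left the interface and a wrong pseudo-header length or a stale checksum shows up immediately as `tcp_checksum_ok == False`.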