Nmap Development mailing list archives

Re: NSEDoc @output for auth-spoof.nse


From: Brandon Enright <bmenrigh () ucsd edu>
Date: Fri, 9 Apr 2010 04:44:40 +0000

I can probably dig up some fake ident spoofs.  I just had one last week.


Brandon


Sent from my phone. If you would like a digital signature of this message let me know and I'll sign it later.

On Apr 9, 2010, at 4:42, David Fifield <david () bamsoftware com> wrote:

On Fri, Apr 09, 2010 at 05:33:18AM +0100, Diman Todorov wrote:
On Thu, Apr 8, 2010 at 8:44 PM, David Fifield <david () bamsoftware com> wrote:
Can you send me an example of the output of the auth-spoof script? (It
used to be called ircZombieTest.) I'm trying to make all the scripts
have a proper @output section in the documentation.

That script is unlikely to produce any output. Somebody has changed it
to use the comm lib which seems to not work as expected ;)

I simulate an identd spoofer like this:

Aristoteles:~ diman$ echo foo | sudo nc -l 113

then I use banner.nse - which is technically a glorified version of
auth-spoof (I used it because unlike auth-spoof it has some debug info
around the comm.get_banner call) and get this error:

NSE: ./scripts/banner.nse failed for 127.0.0.1 on tcp port 113.
Message: No Message.

Probably the nc dies after being connected to the first time (maybe you
did a connect scan?). It works for me with

# ncat -l 113 --sh-exec "echo foo"
$ nmap localhost -p 113 --script=banner,auth-spoof

Starting Nmap 5.30BETA1 ( http://nmap.org ) at 2010-04-08 22:40 MDT
NSE: Script Scanning completed.
Nmap scan report for localhost (127.0.0.1)
Host is up (0.0021s latency).
PORT    STATE SERVICE
113/tcp open  auth
|_banner: foo
|_auth-spoof: Spoofed reply: foo

I just want to know what a typical spoofed reply from an IRC zombie
really looks like. I spent some time today looking, and though I saw
reports that some malware does this, I could not find an example of the
output.

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
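As an added example that is not part of this thread or of Nmap's own scripts: a small Python check that does what auth-spoof does (connect to port 113, send nothing, and report any reply that arrives before an ident query), with a constructed local listener standing in for the ncat command above. The names check_ident_spoof and serve_once are this example's own.

```python
"""Detect an identd (port 113) server that answers before it is asked.

A genuine ident server (RFC 1413) replies only after the client sends a
"<server-port>, <client-port>" query; a spoofer pushes a canned reply as
soon as the connection opens, which is exactly what auth-spoof reports.
"""
import socket
import threading

IDENT_PORT = 113  # real service port; the local demo below uses an ephemeral one


def check_ident_spoof(host, port=IDENT_PORT, timeout=2.0):
    """Return the unsolicited reply text if the server talks first, else None."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        try:
            data = sock.recv(1024)  # nothing has been sent yet
        except socket.timeout:
            return None  # well-behaved: waits for a query
    return data.decode("ascii", "replace").strip() or None


def serve_once(reply):
    """Constructed stand-in for `ncat -l 113 --sh-exec "echo foo"`.

    reply=None simulates a genuine ident server that stays silent until asked.
    Returns the ephemeral port the listener is bound to.
    """
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def handle():
        conn, _ = srv.accept()
        with conn:
            if reply is not None:
                conn.sendall(reply)  # spoofer: reply without a query
            else:
                conn.settimeout(5)
                try:
                    conn.recv(1024)  # wait for a query that never comes
                except socket.timeout:
                    pass
        srv.close()

    threading.Thread(target=handle, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    banner = check_ident_spoof("127.0.0.1", serve_once(b"foo\n"))
    print("Spoofed reply: %s" % banner if banner else "no unsolicited reply")
```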