Nmap Development mailing list archives
Re: NSEDoc @output for auth-spoof.nse
From: Brandon Enright <bmenrigh () ucsd edu>
Date: Sat, 10 Apr 2010 02:12:08 +0000
On Fri, 9 Apr 2010 04:44:40 +0000 Brandon Enright <bmenrigh () ucsd edu> wrote:
> I can probably dig up some fake ident spoofs. I just had one last week.
> Brandon
Well, here is the output as the script stands now:

    PORT    STATE SERVICE REASON
    113/tcp open  auth    syn-ack
    |_auth-spoof: Spoofed reply: 0, 0 : USERID : UNIX : OGJdvM
    |_banner: 0, 0 : USERID : UNIX : FWzVK
    |_auth-owners: SbYvw

I have some suggestions for this script though. Before I start bashing Diman's script, IIRC this was the first or second NSE script ever written. It wasn't meant to be a production/release script but just a mock-up example of the types of script that could be written. So here are my suggestions.

First, we should name this script "ident-spoof" rather than "auth-spoof". It is much more commonly referred to as ident now, and "auth-spoof" sounds like we are spoofing some sort of authorization.

Second, there are a heck of a lot of ways ident gets spoofed that are easily detectable that this script misses. This script just checks to see if a banner comes back on port 113 before any data is sent. Here are the common ways I see ident being spoofed:

* An ident response comes unexpectedly (this script doesn't check if the response is ident, it just checks if ANY response came back).
* Often a spoofed ident response comes back after any line sent, not just a valid one. We could send "abc" and see if we get a valid ident response back.
* Often you don't have to ask about a real connection. You can ask something like "123, 456" and get a properly formatted response back.
* Often the ports you request aren't the ports that are in the response.
* Often the response is a random name that changes from request to request (see my scan above).
* Often the ident server rate-limits to about 1 request every minute or so. This usually causes the port to behave as though it was tcpwrapped by the time NSE is run (if -sV was run before NSE). We should check to see if the port acts as though it was tcpwrapped and warn of possible ident-spoofing rate-limiting.

Finally, we should clean up the script output a bit so it doesn't just echo the banner. Maybe something like:

    |_auth-spoof: Immediately got spoofed reply for user: root

Or perhaps:

    |_auth-spoof: Spoofing detected: Unrequested ident reply for user "root"

In terms of useful NSE programming tasks, enhancing auth-spoof is probably one of the easiest. I'm willing to dust off my rusty NSE/Lua skills, but if somebody else wants to try their hand at a bit of NSE this is a great place to start. If somebody does do this, I'll happily write fake ident daemons to implement the above spoofing tricks so they can test their script.

Regards,

Brandon
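The spoofing heuristics listed in the message above, worked through as an added example in Python (this is not the auth-spoof NSE script from the thread and not Nmap project code). It parses RFC 1413 ident replies and scores a recorded client/server exchange: a reply that arrives before anything was sent, a well-formed reply to garbage input, echoed ports that differ from the requested ones, a USERID answer for a connection the caller knows does not exist, and usernames that change between identical requests. The exchanges, port numbers and usernames below are constructed for the example (the spoofed one reuses the random-looking names from the scan output quoted above); the tcpwrapped/rate-limiting check is left out because it depends on live timing rather than on reply contents.

```python
import re

# RFC 1413 reply forms:
#   "<server-port> , <client-port> : USERID : <opsys> : <user-id>"
#   "<server-port> , <client-port> : ERROR : <error-type>"
IDENT_REPLY_RE = re.compile(
    r"^\s*(\d+)\s*,\s*(\d+)\s*:\s*(USERID|ERROR)\s*:\s*(.+?)\s*$"
)
IDENT_REQUEST_RE = re.compile(r"^\s*(\d+)\s*,\s*(\d+)\s*$")


def parse_ident_reply(line):
    """Return a dict for a syntactically valid ident reply, else None."""
    m = IDENT_REPLY_RE.match(line)
    if not m:
        return None
    sport, cport, kind, rest = m.groups()
    reply = {"server_port": int(sport), "client_port": int(cport), "type": kind}
    if kind == "USERID":
        opsys, _, user = rest.partition(":")
        reply["os"] = opsys.strip()
        reply["user"] = user.strip()
    else:
        reply["error"] = rest.strip()
    return reply


def parse_ident_request(line):
    """Return (server_port, client_port) for a well-formed request, else None."""
    m = IDENT_REQUEST_RE.match(line)
    return (int(m.group(1)), int(m.group(2))) if m else None


def spoof_indicators(exchange, known_connections=None):
    """Score a recorded exchange with an ident server.

    exchange: list of (sent, received) pairs in order; sent is None for a
    line the server emitted before the client wrote anything.
    known_connections: optional set of (server_port, client_port) pairs
    the caller knows really exist, enabling the "fake connection" check.
    Returns a list of (code, detail) findings; an empty list means the
    recorded behaviour is consistent with an honest ident daemon.
    """
    findings = []
    users_by_request = {}
    for sent, received in exchange:
        reply = parse_ident_reply(received)
        if reply is None:
            continue  # not an ident reply at all; nothing to judge here
        if sent is None:
            findings.append(("UNSOLICITED", received))
        else:
            req = parse_ident_request(sent)
            if req is None:
                findings.append(("REPLY_TO_GARBAGE", f"{sent!r} -> {received}"))
            else:
                echoed = (reply["server_port"], reply["client_port"])
                if echoed != req:
                    findings.append(
                        ("PORT_MISMATCH", f"asked {req}, reply echoed {echoed}")
                    )
                if (known_connections is not None and req not in known_connections
                        and reply["type"] == "USERID"):
                    findings.append(
                        ("NONEXISTENT_CONNECTION", f"{req} answered with {reply['user']}")
                    )
        if reply["type"] == "USERID":
            users_by_request.setdefault(sent, set()).add(reply["user"])
    # The same request answered with different names is a giveaway.
    for sent, users in users_by_request.items():
        if sent is not None and len(users) > 1:
            findings.append(("VARYING_USER", f"{sent!r} -> {sorted(users)}"))
    return findings


# Constructed exchange modelled on the spoofed scan quoted above: a banner
# before any request, a reply to "abc", and changing names for one request.
SPOOFED_EXCHANGE = [
    (None, "0, 0 : USERID : UNIX : OGJdvM"),
    ("abc", "0, 0 : USERID : UNIX : FWzVK"),
    ("113, 41234", "0, 0 : USERID : UNIX : SbYvw"),
    ("113, 41234", "0, 0 : USERID : UNIX : QeRtz"),
]

# Constructed exchange from an honest daemon: ports echoed back, and a
# request for a connection that does not exist gets an ERROR, not a name.
HONEST_EXCHANGE = [
    ("113, 41234", "113, 41234 : USERID : UNIX : alice"),
    ("123, 456", "123, 456 : ERROR : NO-USER"),
]

if __name__ == "__main__":
    for label, exch in (("spoofed", SPOOFED_EXCHANGE), ("honest", HONEST_EXCHANGE)):
        print(label, spoof_indicators(exch, known_connections={(113, 41234)}))
```

In a real probe the `exchange` list would be filled from the socket in the order shown: read once with a short timeout before sending anything, then send the garbage line, then the two identical real requests.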
Current thread:
- Re: NSEDoc @output for auth-spoof.nse Diman Todorov (Apr 08)
- Re: NSEDoc @output for auth-spoof.nse David Fifield (Apr 08)
- Re: NSEDoc @output for auth-spoof.nse Brandon Enright (Apr 08)
- Re: NSEDoc @output for auth-spoof.nse Brandon Enright (Apr 09)
- Re: NSEDoc @output for auth-spoof.nse Fyodor (Apr 10)
- Re: NSEDoc @output for auth-spoof.nse Brandon Enright (Apr 08)
- Re: NSEDoc @output for auth-spoof.nse Diman Todorov (Apr 08)
- Re: NSEDoc @output for auth-spoof.nse David Fifield (Apr 08)