Nmap Development mailing list archives
Re: [NSE] rpc library; Portmapper program list stored in the nmap registry
From: Patrik Karlsson <patrik () cqure net>
Date: Fri, 30 Apr 2010 12:13:03 +0200
In-Reply-To: <EFA094EA-99F4-4E54-AC30-453D3848BDD0 () cqure net>

Hi Djalal,

I tested the patch against a Linux server running NFS and it works great. My virtual OS X server behaves as badly as last time, so I don't think it makes a good reference. If someone else has the possibility to try this patch out against OS X please let us know.

I'm uncertain about the memory implications of storing the rpcinfo table in the registry. I guess if you scan a Class B-network and identify 1000's of hosts running RPC it could become a problem. Cleaning up manually will probably be a problem as the script does not know if it is the last to use the cached data or not. So, a weak keyed table, suggested by Patrick, is probably the best bet.

//Patrik

On 26 apr 2010, at 02.26, Djalal Harouni wrote:

> On 2010-04-25 20:54:07 +0200, Patrik Karlsson wrote:
>> Hi Djalal,
>>
>> Thanks for the patch, it looked good and I've committed it as r17391.
>> I would appreciate if someone could try to run the scripts rpcinfo,nfs-* (eg. --script rpcinfo,nfs-*) against a Mac OS X server. I've done so against a 10.6.3 OS X server running in VMWare Fusion but I'm experiencing some problems. When the scripts are run in parallel (per default) they almost always return with various errors. Looking at packet captures reveals that the server detects incorrect TCP checksums and resets the connection. I'm not seeing this at all running against my other test platforms (mostly Linux) and I would like to make sure this error is specific to the OS X virtual test environment.
>
> Hi Patrik,
>
> These are simple patches to store the Portmapper program list into the nmap.registry[host.ip]['portmap'] table.
>
> With this patch the number of RPC DUMP CALLS will decrease from +40 packets to only one packet when running rpcinfo,nfs-* scripts against a single host, this can be useful when trying to hide from an IDS. I will try to look if we can make more optimizations with other procedures.
>
> I have also added:
> - "dependencies = {"rpcinfo"}" to all nfs-* scripts
> - A simple mutex for the RPC DUMP CALL.
>
> NB: I don't know if it will fix the Mac OS X server problems, thread:
> http://seclists.org/nmap-dev/2010/q2/279 and http://seclists.org/nmap-dev/2010/q2/256
>
> NSE Question:
> - Is there a trick to remove data from the nmap registry when we don't need it anymore, to save memory?
>
> example:
> - we are scanning a big network
> - we are at host 10.10.1.1:
>   - rpcinfo script stores some *data* into the nmap.registry['10.10.1.1'][rpc_data]
>   - nfs-* scripts use this *data* which is in the nmap.registry['10.10.1.1'][rpc_data]
> - ...
> - we are at host 10.10.1.88:
>   - at this time we don't need 10.10.1.1 *data* which is in the nmap.registry['10.10.1.1'][rpc_data]
>
> Question: is there a function or a trick to remove this *data* *automatically* in order to save memory, when we don't need it?
>
> thx for applying my previous patches :)
>
>> //Patrik
>>
>> On 23 apr 2010, at 19.37, Djalal Harouni wrote:
>>> Hi David,
>>>
>>> This is another patch to add more RPC error stats/messages and to add more debug output, this is against Patrik's last patches r17374.
>>>
>>> thx.
>>>
>>> On 2010-04-21 19:17:47 -0600, David Fifield wrote:
>>>> This is related to your patch, Djalal, but it affects the current code and your patched code so I'm replying here.
>>>>
>>>> I get errors if I run the nfs and rpc scripts quickly after restarting nfsd on the remote. This is what I see with the current code if I run the scan up to about 3 seconds after restarting nfsd.
>>>>
>>>> PORT    STATE SERVICE REASON
>>>> 111/tcp open  rpcbind syn-ack
>>>> | rpcinfo:
>>>> |   100000  2        111/tcp  rpcbind
>>>> |   100000  2        111/udp  rpcbind
>>>> |   100021  0,1,3,4  877/udp  nlockmgr
>>>> |   100021  0,1,3,4  1022/tcp nlockmgr
>>>> |   100024  1        905/udp  status
>>>> |_  100024  1        1021/tcp status
>>>> | nfs-acls:
>>>> |_  Failed to list mount points
>>>> | nfs-dirlist:
>>>> |_  Failed to list mount points
>>>> | nfs-showmount:
>>>> |_  Failed to list mount points
>>>> | nfs-statfs:
>>>> |_  Failed to list mount points
>>>>
>>>> Compare this to the output if I run later:
>>>>
>>>> PORT    STATE SERVICE REASON
>>>> 111/tcp open  rpcbind syn-ack
>>>> | rpcinfo:
>>>> |   100000  2        111/tcp  rpcbind
>>>> |   100000  2        111/udp  rpcbind
>>>> |   100003  2,3      2049/tcp nfs
>>>> |   100003  2,3      2049/udp nfs
>>>> |   100005  1,3      821/udp  mountd
>>>> |   100005  1,3      1009/tcp mountd
>>>> |   100011  1,2      658/udp  rquotad
>>>> |   100021  0,1,3,4  877/udp  nlockmgr
>>>> |   100021  0,1,3,4  1022/tcp nlockmgr
>>>> |   100024  1        905/udp  status
>>>> |_  100024  1        1021/tcp status
>>>> | nfs-showmount:
>>>> |_  /Users/david 192.168.0.0
>>>> | nfs-statfs:
>>>> |   /Users/david
>>>> |_    ERROR: Mount failed
>>>> | nfs-acls:
>>>> |   /Users/david
>>>> |_    ERROR: Mount failed
>>>> | nfs-dirlist:
>>>> |   /Users/david
>>>> |_    ERROR: Mount failed
>>>>
>>>> The change is even more obvious with the patched library. If I scan within 3 seconds of restarting nfsd I get lots of errors.
>>>>
>>>> NSE: 'nfs-dirlist' (thread: 0xa00ff70) against 192.168.0.190:111 threw an error!
>>>> ./nselib/rpc.lua:1280: bad argument #2 to 'format' (string expected, got nil)
>>>> stack traceback:
>>>>         [C]: in function 'format'
>>>>         ./nselib/rpc.lua:1280: in function 'ShowMounts'
>>>>         ./scripts/nfs-dirlist.nse:47: in function <./scripts/nfs-dirlist.nse:40>
>>>>         (tail call): ?
>>>> NSE: 'nfs-statfs' (thread: 0xa018d00) against 192.168.0.190:111 threw an error!
>>>> ./nselib/rpc.lua:1280: bad argument #2 to 'format' (string expected, got nil)
>>>> stack traceback:
>>>>         [C]: in function 'format'
>>>>         ./nselib/rpc.lua:1280: in function 'ShowMounts'
>>>>         ./scripts/nfs-statfs.nse:40: in function <./scripts/nfs-statfs.nse:37>
>>>>         (tail call): ?
>>>> NSE: 'nfs-showmount' (thread: 0xa0303f8) against 192.168.0.190:111 threw an error!
>>>> ./nselib/rpc.lua:1280: bad argument #2 to 'format' (string expected, got nil)
>>>> stack traceback:
>>>>         [C]: in function 'format'
>>>>         ./nselib/rpc.lua:1280: in function 'ShowMounts'
>>>>         ./scripts/nfs-showmount.nse:39: in function <./scripts/nfs-showmount.nse:34>
>>>>         (tail call): ?
>>>> NSE: Finished 'rpcinfo' (thread: 0xa01a250) against 192.168.0.190:111.
>>>> NSE: 'nfs-acls' (thread: 0xa00e9d8) against 192.168.0.190:111 threw an error!
>>>> ./nselib/rpc.lua:1280: bad argument #2 to 'format' (string expected, got nil)
>>>> stack traceback:
>>>>         [C]: in function 'format'
>>>>         ./nselib/rpc.lua:1280: in function 'ShowMounts'
>>>>         ./scripts/nfs-acls.nse:42: in function <./scripts/nfs-acls.nse:37>
>>>>         (tail call): ?
>>>> Completed NSE at 19:16, 0.11s elapsed
>>>> NSE: Script Scanning completed.
>>>> Nmap scan report for 192.168.0.190
>>>> Fetchfile found ./nmap-mac-prefixes
>>>> MAC prefix 0001C8 is duplicated in ./nmap-mac-prefixes; ignoring duplicates.
>>>> MAC prefix 080030 is duplicated in ./nmap-mac-prefixes; ignoring duplicates.
>>>> MAC prefix 080030 is duplicated in ./nmap-mac-prefixes; ignoring duplicates.
>>>> Host is up, received arp-response (0.00022s latency).
>>>> Scanned at 2010-04-21 19:16:52 MDT for 0s
>>>> PORT    STATE SERVICE REASON
>>>> 111/tcp open  rpcbind syn-ack
>>>> | rpcinfo:
>>>> |   100000  2        111/tcp  rpcbind
>>>> |   100000  2        111/udp  rpcbind
>>>> |   100021  0,1,3,4  877/udp  nlockmgr
>>>> |   100021  0,1,3,4  1022/tcp nlockmgr
>>>> |   100024  1        905/udp  status
>>>> |_  100024  1        1021/tcp status
>>>>
>>>> The expected output is this.
>>>>
>>>> PORT    STATE SERVICE REASON
>>>> 111/tcp open  rpcbind syn-ack
>>>> | rpcinfo:
>>>> |   100000  2        111/tcp  rpcbind
>>>> |   100000  2        111/udp  rpcbind
>>>> |   100003  2,3      2049/tcp nfs
>>>> |   100003  2,3      2049/udp nfs
>>>> |   100005  1,3      915/udp  mountd
>>>> |   100005  1,3      1008/tcp mountd
>>>> |   100011  1,2      652/udp  rquotad
>>>> |   100021  0,1,3,4  877/udp  nlockmgr
>>>> |   100021  0,1,3,4  1022/tcp nlockmgr
>>>> |   100024  1        905/udp  status
>>>> |_  100024  1        1021/tcp status
>>>> | nfs-showmount:
>>>> |_  /Users/david 192.168.0.0
>>>> | nfs-dirlist:
>>>> |   /Users/david
>>>> |_    ERROR: rpc.Helper.Dir: Mount: Reply state was not Accepted(0) as expected
>>>> | nfs-statfs:
>>>> |   /Users/david
>>>> |_    ERROR: rpc.Helper.ExportStats: Mount: Reply state was not Accepted(0) as expected
>>>> | nfs-acls:
>>>> |   /Users/david
>>>> |_    ERROR: rpc.Helper.GetAttributes: Mount: Reply state was not Accepted(0) as expected
>>>>
>>>> This is with the Mac OS X nfsd.
>>>>
>>>> David Fifield
>>>
>>> --
>>> tixxdz
>>> <rpc.lua.diff>
>>
>> --
>> Patrik Karlsson
>> http://www.cqure.net
>> http://www.twitter.com/nevdull77
>
> --
> tixxdz
> <rpc.lua.diff> <nfs-scripts.diff>

--
Patrik Karlsson
http://www.cqure.net
http://www.twitter.com/nevdull77

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
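The weak keyed table Patrik proposes instead of manual cleanup can be sketched in plain Lua. The block below is an added example for this archive page; it is not code from the thread, from Nmap's nselib/rpc.lua, or from the patches under discussion. `get_portmap`, `fake_dump`, `cached_hosts` and the hand-built `host` table are stand-ins for the library's RPC DUMP call and for NSE's host object, and it assumes (without verifying) that NSE hands the cooperating scripts the same host table. The point it shows is the one behind Patrik's remark: with the host object as a weak key, the cache entry is dropped by the collector once the host goes away, so no script has to know whether it was the last user. One caveat that matters for the `nmap.registry[host.ip]` layout in Djalal's patch: Lua never removes string keys from weak tables, so the key must be the host object itself, not `host.ip`.

```lua
-- Added example, not from the thread or from Nmap's nselib/rpc.lua.
-- A per-host cache for the Portmapper program list held in a weak-keyed table:
-- the host table (NSE's host object in a real script) is the key, so the entry
-- is released together with the host object and no script cleans up by hand.
-- Strings are never removed from weak tables, so host.ip would not work as key.

local portmap_cache = setmetatable({}, { __mode = "k" })  -- weak keys

-- Return the program list for `host`, calling `dump` only on the first use.
-- In NSE, `dump` would be the RPC DUMP call that rpcinfo and the nfs-* scripts
-- each issue on their own without a shared cache.
local function get_portmap(host, dump)
  local list = portmap_cache[host]
  if list == nil then
    list = dump(host)
    portmap_cache[host] = list
  end
  return list
end

-- Number of hosts currently held in the cache (demonstration only).
local function cached_hosts()
  local n = 0
  for _ in pairs(portmap_cache) do n = n + 1 end
  return n
end

-- Constructed stand-in for the DUMP call: counts invocations and returns a
-- fixed list shaped like the rpcinfo rows quoted in the thread.
local dump_calls = 0
local function fake_dump(host)
  dump_calls = dump_calls + 1
  return {
    { program = 100000, versions = { 2 },    port = 111,  proto = "tcp", name = "rpcbind" },
    { program = 100003, versions = { 2, 3 }, port = 2049, proto = "tcp", name = "nfs" },
  }
end

-- Four scripts ask for the same host's list: one DUMP, one cache entry.
local host = { ip = "10.10.1.1" }  -- stands in for NSE's host table
for _ = 1, 4 do
  get_portmap(host, fake_dump)
end
print(("DUMP calls: %d, cached hosts: %d"):format(dump_calls, cached_hosts()))

-- Once the last strong reference to the host object is gone, a collection
-- drops the weak entry without any script deciding that it was the last user.
host = nil
collectgarbage("collect")
print(("cached hosts after GC: %d"):format(cached_hosts()))
```

Run with a stand-alone `lua` interpreter: the first line reports a single DUMP call and one cached host after four lookups, the second reports zero entries after the collection. The same pattern applies inside NSE only if the host table is shared between the scripts for a given target; if each script received a fresh table, every script would miss the cache and the DUMP would be repeated, which is the behaviour the patch in the thread set out to remove.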
Current thread:
- Re: [NSE] rpc library; Portmapper program list stored in the Djalal Harouni (Apr 25)
- Re: [NSE] rpc library; Portmapper program list stored in the Patrick Donnelly (Apr 25)
- Re: [NSE] rpc library; Portmapper program list stored in the Patrik Karlsson (Apr 30)
- Re: [NSE] rpc library; Portmapper program list stored in the David Fifield (May 04)
- Re: [NSE] rpc library; Portmapper program list stored in the Djalal Harouni (May 04)
- Re: [NSE] rpc library; Portmapper program list stored in the David Fifield (May 04)
- Re: [NSE] rpc library; Portmapper program list stored in the Djalal Harouni (May 04)
- Re: [NSE] rpc library; Portmapper program list stored in the David Fifield (May 04)
- Re: [NSE] rpc.lua Portmapper list cached in the NSE registry Djalal Harouni (May 14)
- Re: [NSE] rpc.lua Portmapper list cached in the NSE registry Patrik Karlsson (May 15)
- Re: [NSE] rpc.lua Portmapper list cached in the NSE registry Patrick Donnelly (May 15)
- Re: [NSE] rpc.lua Portmapper list cached in the NSE registry Djalal Harouni (May 15)
- Re: [NSE] rpc.lua Portmapper list cached in the NSE registry Patrick Donnelly (May 15)
- Re: [NSE] rpc.lua Portmapper list cached in the NSE registry Patrik Karlsson (May 16)