Nmap Development mailing list archives

Re: [NSE] rpc library; Portmapper program list stored in the nmap registry


From: Patrik Karlsson <patrik () cqure net>
Date: Fri, 30 Apr 2010 12:13:03 +0200

Hi Djalal,

I tested the patch against a Linux server running NFS and it works great.
My virtual OS X server behaves as badly as last time, so I don't think it makes a good reference.
If someone else has the possibility to try this patch out against OS X please let us know.

I'm uncertain about the memory implications of storing the rpcinfo table in the registry.
I guess if you scan a Class B network and identify thousands of hosts running RPC it could become a problem.
Cleaning up manually will probably be a problem as the script does not know if it is the last to use the cached data or not.
So, a weak-keyed table, suggested by Patrick, is probably the best bet.

//Patrik

On 26 apr 2010, at 02.26, Djalal Harouni wrote:


On 2010-04-25 20:54:07 +0200, Patrik Karlsson wrote:
Hi Djalal,

Thanks for the patch, it looked good and I've committed it as r17391.

I would appreciate if someone could try to run the scripts rpcinfo,nfs-* (e.g. --script rpcinfo,nfs-*) against a Mac OS X server.
I've done so against a 10.6.3 OS X server running in VMware Fusion but I'm experiencing some problems.
When the scripts are run in parallel (per default) they almost always return with various errors.
Looking at packet captures reveals that the server detects Incorrect TCP checksums and resets the connection.

I'm not seeing this at all running against my other test platforms (mostly Linux) and I would like to make sure this error is specific to the OS X virtual test environment.

Hi Patrik,

These are simple patches to store the Portmapper program list into the nmap.registry[host.ip]['portmap'] table. With this patch the number of RPC DUMP CALLS will decrease from 40+ packets to only one packet when running the rpcinfo,nfs-* scripts against a single host; this can be useful when trying to hide from an IDS. I will try to see if we can make more optimizations with other procedures.
I have also added:
- "dependencies = {"rpcinfo"}" to all nfs-* scripts
- A simple mutex for the RPC DUMP CALL.

NB: I don't know if it will fix the Mac OS X server problems, thread: http://seclists.org/nmap-dev/2010/q2/279 and http://seclists.org/nmap-dev/2010/q2/256


NSE Question:
- Is there a trick to remove data from the nmap registry when we don't need it anymore, to save memory?
example:
  - we are scanning a big network 

  - we are at host 10.10.1.1:
      - rpcinfo script stores some *data* into the nmap.registry['10.10.1.1'][rpc_data]
      - nfs-* scripts use this *data* which is in the nmap.registry['10.10.1.1'][rpc_data]

  - ...

  - we are at host 10.10.1.88:
      - at this time we don't need 10.10.1.1 *data* which is in the nmap.registry['10.10.1.1'][rpc_data]

      Question: is there a function or a trick to remove this *data* *automatically*, in order to save memory, when we don't need it?

thx for applying my previous patches :)

//Patrik

On 23 apr 2010, at 19.37, Djalal Harouni wrote:

Hi David,

This is another patch to add more RPC error stats/messages and to add more
debug output; it is against Patrik's last patches, r17374.

thx.

On 2010-04-21 19:17:47 -0600, David Fifield wrote:
This is related to your patch, Djalal, but it affects the current code
and your patched code so I'm replying here.

I get errors if I run the nfs and rpc scripts quickly after restarting
nfsd on the remote. This is what I see with the current code if I run
the scan up to about 3 seconds after restarting nfsd.

PORT    STATE SERVICE REASON
111/tcp open  rpcbind syn-ack
| rpcinfo:
|   100000  2            111/tcp  rpcbind
|   100000  2            111/udp  rpcbind
|   100021  0,1,3,4      877/udp  nlockmgr
|   100021  0,1,3,4     1022/tcp  nlockmgr
|   100024  1            905/udp  status
|_  100024  1           1021/tcp  status
| nfs-acls:
|_  Failed to list mount points
| nfs-dirlist:
|_  Failed to list mount points
| nfs-showmount:
|_  Failed to list mount points
| nfs-statfs:
|_  Failed to list mount points

Compare this to the output if I run later:

PORT    STATE SERVICE REASON
111/tcp open  rpcbind syn-ack
| rpcinfo:
|   100000  2            111/tcp  rpcbind
|   100000  2            111/udp  rpcbind
|   100003  2,3         2049/tcp  nfs
|   100003  2,3         2049/udp  nfs
|   100005  1,3          821/udp  mountd
|   100005  1,3         1009/tcp  mountd
|   100011  1,2          658/udp  rquotad
|   100021  0,1,3,4      877/udp  nlockmgr
|   100021  0,1,3,4     1022/tcp  nlockmgr
|   100024  1            905/udp  status
|_  100024  1           1021/tcp  status
| nfs-showmount:
|_  /Users/david 192.168.0.0
| nfs-statfs:
|   /Users/david
|_    ERROR: Mount failed
| nfs-acls:
|   /Users/david
|_    ERROR: Mount failed
| nfs-dirlist:
|   /Users/david
|_    ERROR: Mount failed

The change is even more obvious with the patched library. If I scan
within 3 seconds of restarting nfsd I get lots of errors.

NSE: 'nfs-dirlist' (thread: 0xa00ff70) against 192.168.0.190:111 threw an error!
./nselib/rpc.lua:1280: bad argument #2 to 'format' (string expected, got nil)
stack traceback:
      [C]: in function 'format'
      ./nselib/rpc.lua:1280: in function 'ShowMounts'
      ./scripts/nfs-dirlist.nse:47: in function <./scripts/nfs-dirlist.nse:40>
      (tail call): ?

NSE: 'nfs-statfs' (thread: 0xa018d00) against 192.168.0.190:111 threw an error!
./nselib/rpc.lua:1280: bad argument #2 to 'format' (string expected, got nil)
stack traceback:
      [C]: in function 'format'
      ./nselib/rpc.lua:1280: in function 'ShowMounts'
      ./scripts/nfs-statfs.nse:40: in function <./scripts/nfs-statfs.nse:37>
      (tail call): ?

NSE: 'nfs-showmount' (thread: 0xa0303f8) against 192.168.0.190:111 threw an error!
./nselib/rpc.lua:1280: bad argument #2 to 'format' (string expected, got nil)
stack traceback:
      [C]: in function 'format'
      ./nselib/rpc.lua:1280: in function 'ShowMounts'
      ./scripts/nfs-showmount.nse:39: in function <./scripts/nfs-showmount.nse:34>
      (tail call): ?

NSE: Finished 'rpcinfo' (thread: 0xa01a250) against 192.168.0.190:111.
NSE: 'nfs-acls' (thread: 0xa00e9d8) against 192.168.0.190:111 threw an error!
./nselib/rpc.lua:1280: bad argument #2 to 'format' (string expected, got nil)
stack traceback:
      [C]: in function 'format'
      ./nselib/rpc.lua:1280: in function 'ShowMounts'
      ./scripts/nfs-acls.nse:42: in function <./scripts/nfs-acls.nse:37>
      (tail call): ?

Completed NSE at 19:16, 0.11s elapsed
NSE: Script Scanning completed.
Nmap scan report for 192.168.0.190
Fetchfile found ./nmap-mac-prefixes
MAC prefix 0001C8 is duplicated in ./nmap-mac-prefixes; ignoring duplicates.
MAC prefix 080030 is duplicated in ./nmap-mac-prefixes; ignoring duplicates.
MAC prefix 080030 is duplicated in ./nmap-mac-prefixes; ignoring duplicates.
Host is up, received arp-response (0.00022s latency).
Scanned at 2010-04-21 19:16:52 MDT for 0s
PORT    STATE SERVICE REASON
111/tcp open  rpcbind syn-ack
| rpcinfo:
|   100000  2            111/tcp  rpcbind
|   100000  2            111/udp  rpcbind
|   100021  0,1,3,4      877/udp  nlockmgr
|   100021  0,1,3,4     1022/tcp  nlockmgr
|   100024  1            905/udp  status
|_  100024  1           1021/tcp  status

The expected output is this.

PORT    STATE SERVICE REASON
111/tcp open  rpcbind syn-ack
| rpcinfo:
|   100000  2            111/tcp  rpcbind
|   100000  2            111/udp  rpcbind
|   100003  2,3         2049/tcp  nfs
|   100003  2,3         2049/udp  nfs
|   100005  1,3          915/udp  mountd
|   100005  1,3         1008/tcp  mountd
|   100011  1,2          652/udp  rquotad
|   100021  0,1,3,4      877/udp  nlockmgr
|   100021  0,1,3,4     1022/tcp  nlockmgr
|   100024  1            905/udp  status
|_  100024  1           1021/tcp  status
| nfs-showmount:
|_  /Users/david 192.168.0.0
| nfs-dirlist:
|   /Users/david
|_    ERROR: rpc.Helper.Dir: Mount: Reply state was not Accepted(0) as expected
| nfs-statfs:
|   /Users/david
|_    ERROR: rpc.Helper.ExportStats: Mount: Reply state was not Accepted(0) as expected
| nfs-acls:
|   /Users/david
|_    ERROR: rpc.Helper.GetAttributes: Mount: Reply state was not Accepted(0) as expected

This is with the Mac OS X nfsd.

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/

-- 
tixxdz
<rpc.lua.diff>

--
Patrik Karlsson
http://www.cqure.net
http://www.twitter.com/nevdull77





-- 
tixxdz
<rpc.lua.diff><nfs-scripts.diff>

--
Patrik Karlsson
http://www.cqure.net
http://www.twitter.com/nevdull77






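The registry-growth question Djalal raises, the weak-keyed table Patrik suggests in reply, and the "bad argument #2 to 'format' (string expected, got nil)" crash David sees right after an nfsd restart all come down to the same small piece of per-host state: the cached portmapper program list and how scripts look programs up in it. The following is an added, stand-alone Lua example (NSE's language) and is not Nmap's rpc.lua, not any of the attached patches, and not code from anyone in the thread. It shows a cache keyed weakly on the host object, so an entry is collected when the host is, and a lookup that returns nil plus an error instead of passing a missing port to string.format. The names portmap_cache, rpc_dump, get_programs, find_port, cache_size and scan_hosts are hypothetical; the DUMP reply is constructed to mirror the post-restart rpcinfo output quoted above (nlockmgr and status registered, no mountd or nfs yet).

```lua
-- Added example, not Nmap/NSE code. Plain Lua 5.1 or later: `lua this.lua`.
-- All function and table names are hypothetical; the DUMP reply below is
-- constructed, not captured, and mirrors the rpcinfo output seen when the
-- scan runs within a few seconds of restarting nfsd (no mountd/nfs entries).

-- Weak keys: an entry lives only while the host object is still referenced
-- by something else (in NSE, the engine). Keying on host.ip would not help:
-- strings are never removed from weak tables, only collectable objects are.
local portmap_cache = setmetatable({}, { __mode = "k" })

-- Stand-in for the PMAPPROC_DUMP round trip, the call the cache exists to
-- send once per host rather than once per script. Same fields as rpcinfo
-- prints: program number, versions, protocol, port.
local function rpc_dump(host)
  host.dump_calls = (host.dump_calls or 0) + 1
  return {
    { prog = 100000, versions = { 2 },          proto = "tcp", port = 111  },
    { prog = 100000, versions = { 2 },          proto = "udp", port = 111  },
    { prog = 100021, versions = { 0, 1, 3, 4 }, proto = "udp", port = 877  },
    { prog = 100021, versions = { 0, 1, 3, 4 }, proto = "tcp", port = 1022 },
    { prog = 100024, versions = { 1 },          proto = "udp", port = 905  },
    { prog = 100024, versions = { 1 },          proto = "tcp", port = 1021 },
  }
end

-- Program list for host; DUMP is sent only the first time it is asked for.
local function get_programs(host)
  local progs = portmap_cache[host]
  if not progs then
    progs = rpc_dump(host)
    portmap_cache[host] = progs
  end
  return progs
end

-- Port of prog/proto, or nil plus a message. Returning nil,err here, instead
-- of letting a nil port reach string.format, is what lets a script print
-- "Failed to list mount points" rather than die with a Lua error.
local function find_port(host, prog, proto)
  for _, e in ipairs(get_programs(host)) do
    if e.prog == prog and e.proto == proto then
      return e.port
    end
  end
  return nil, string.format("program %d/%s is not registered with the portmapper", prog, proto)
end

local function cache_size()
  local n = 0
  for _ in pairs(portmap_cache) do n = n + 1 end
  return n
end

-- Four scripts (rpcinfo plus three nfs-*) per host, as in the thread. Done
-- inside a function so the loop's references to each host die with its frame.
local function scan_hosts(hosts)
  for _, host in ipairs(hosts) do
    for _ = 1, 4 do
      local port, err = find_port(host, 100005, "tcp")   -- mountd: absent
      assert(port == nil and err:find("100005/tcp"), err)
      assert(find_port(host, 100024, "tcp") == 1021)     -- status: present
    end
    assert(host.dump_calls == 1, "expected exactly one DUMP per host")
  end
end

local hosts = { { ip = "10.10.1.1" }, { ip = "10.10.1.88" } }
scan_hosts(hosts)
assert(cache_size() == 2)

hosts[1] = nil              -- the engine is finished with 10.10.1.1 ...
collectgarbage("collect")
assert(cache_size() == 1)   -- ... and its cached program list went with it
print("ok: one DUMP per host, missing programs reported not thrown, cache entries left:", cache_size())
```

Two caveats on carrying this into NSE. The weak key only buys anything if the engine hands the same host table to every script that targets that host and drops it once they are done; whether nse_main does that is not stated in the thread and is assumed here, and if each script gets its own copy the cache would be collected per script, losing the one-DUMP-per-host saving. And because string keys are never cleared from weak tables, nmap.registry[host.ip] cannot be made weak just by setting __mode on it; the key has to be the host table or some other collectable object.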
