Nmap Development mailing list archives
Re: [NSE] nfs-ls script feedbacks, was: [nmap-svn] r17816 - nmap-exp/djalal/scripts
From: Richard Miles <richard.k.miles () googlemail com>
Date: Thu, 10 Jun 2010 14:23:54 -0500
Hello,

Very interesting, this plugin. Is it part of the safe plugin? I mean, if I just call nmap -sC ip, will it be executed?

Talking about NFS, I have had a security doubt for a long time; maybe someone can clarify it for me. On NFS, if there is an exported directory to everyone we can access it, and if there are files of other users we can use this trick to bypass it: http://www.vulnerabilityassessment.co.uk/nfs.htm

But in a few cases, you see a directory exported to everyone and you mount it, but when you try to list it (ls) it says "access denied". Is there something that can be done in these cases to bypass this restriction?

Thanks

On Thu, Jun 10, 2010 at 2:13 PM, Djalal Harouni <tixxdz () gmail com> wrote:
On 2010-06-07 16:18:09 -0700, Fyodor wrote:

On Thu, Jun 03, 2010 at 05:15:56PM -0700, commit-mailer () insecure org wrote:

Author: djalal
Log:
Default action now for nfs-ls script is to list NFS exports with their access controls.

Modified: nmap-exp/djalal/scripts/nfs-ls.nse

Modified: nmap-exp/djalal/scripts/nfs-ls.nse
==============================================================================
--- nmap-exp/djalal/scripts/nfs-ls.nse (original)
+++ nmap-exp/djalal/scripts/nfs-ls.nse Thu Jun 3 17:15:56 2010
@@ -6,25 +6,21 @@
 -- @output
 -- PORT STATE SERVICE
 -- 111/tcp open rpcbind
--- | nfs-ls:
--- | /home/storage/backup (1)
--- | www.cqure.net
--- | /home (5)
--- | admin
--- | lost+found
--- | patrik
--- | storage
--- |_ web
+-- | nfs-ls:
+-- | /tmp
+-- | mode: drwxrwxrwx uid: 0 gid: 0
+-- | /home/storage/backup
+-- |_ mode: drwxr-xr-x uid: 0 gid: 0

Hi,

I've committed some patches to the rpc.lua and nfs-ls code. The current output of the script is:

PORT    STATE SERVICE
111/tcp open  rpcbind
| nfs-ls:
|   Arguments:
|     maxfiles: 10 (file listing output limited), time = atime
|   NFS Export /tmp:
|     drwxrwxrwx uid: 0 gid: 0 4.0K Jun 06 18:20:42 2010 /tmp
|     srwxr-xr-x uid: 0 gid: 0 0.0B Jun 10 10:08:28 2010 wpa_ctrl_22880-1
|   NFS Export /home/storage/backup:
|     drwxr-xr-x uid: 1000 gid: 100 4.0K Jun 10 11:42:41 2010 /home/storage/backup
|     -rw-r--r-- uid: 1000 gid: 1002 0.0B Jun 10 08:34:32 2010 filetest
|     drwx------ uid: 1000 gid: 100 16.0K Feb 05 17:05:34 2010 lost+found
|     drwxrwxr-x uid: 1000 gid: 100 4.0K Mar 27 19:08:40 2010 net_packet
|     -rw-r--r-- uid: 0 gid: 0 5.0B Jun 10 11:32:59 2010 rootfile
|_    lrwxrwxrwx uid: 1000 gid: 1002 8.0B Jun 10 08:34:59 2010 symlink

These lines:

|   Arguments:
|     maxfiles: 10 (file listing output limited), time = atime

are only shown if the verbose mode is used.

This new script uses the ReadDirPlus procedure, so for the moment there is only support for NFSv3. Also, recursion through directories is being implemented.

The attributes shown by this script are the local system file attributes as they are returned by the GETATTR, READDIRPLUS, etc. procedures. These permissions may differ from the NFS permissions which are defined in /etc/exports, so even if you can mount an export as uid 1000 and GETATTR shows that uid 1000 has read/write access, you can't modify the system if it is exported ro (read-only) by NFS exportfs.
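Review bot: the new `@output` sample in the hunk shows `mode: drwxrwxrwx uid: 0 gid: 0` under each export, which are file attributes of the exported directory, while the log message says the default action now lists exports "with their access controls"; the two should be aligned, because export access controls (the client list and ro/rw options, which the removed `www.cqure.net` line was the closest thing to) are not what mode/uid/gid convey. Suggest either rewording the log to "with the attributes of their root directory" or adding a comment line above the sample saying that mode/uid/gid come from GETATTR and are not the exportfs options, so a reader of the script doc does not take `drwxrwxrwx` on `/tmp` to mean the export is writable.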
To determine the current access rights of the user who mounted the remote NFS export point we must use the ACCESS procedure coupled with a bit mask of the permissions to check.

The current script takes two arguments:

nfs-ls.maxfiles: takes a number to limit the amount of file listing.
nfs-ls.mactime: "m" or "a" or "c", one of the mactimes to use in the output.

So any feedback about the output (remove uid or gid), or if you can propose a better output or a better method/trick to perform some of the NFS scans, please speak up. Keep in mind that this script is for discovery; perhaps we'll have another intrusive NFS script to find files by permissions, write issues etc.

thx.

--
tixxdz

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
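Djalal's point in the quoted mail, that the mode/uid/gid a listing shows are local file attributes returned by GETATTR/READDIRPLUS while only the NFSv3 ACCESS procedure with a permission bit mask tells you what the server will actually let the mounting uid do, is easiest to see with the two messages side by side. The following is an added example written for this archive page, not code from nmap, nfs-ls.nse or anyone in the thread: it XDR-encodes an ACCESS3 request, decodes an ACCESS3 reply, and compares what the fattr3 mode bits would imply for the caller with the access mask the server granted. The file handle and the reply bytes are constructed sample data (a root-owned mode 0777 directory on an export the server treats as read-only); the ONC RPC framing around the NFS payload (record mark, rpc_msg header, AUTH_UNIX credentials) is deliberately left out, and `check_export` and the uid/gid values are illustrative names and numbers, not anything from the script.

```python
import struct

# NFSv3 ACCESS request/reply bit mask (RFC 1813, section 3.3.4)
ACCESS3_READ    = 0x0001
ACCESS3_LOOKUP  = 0x0002
ACCESS3_MODIFY  = 0x0004
ACCESS3_EXTEND  = 0x0008
ACCESS3_DELETE  = 0x0010
ACCESS3_EXECUTE = 0x0020
ACCESS3_ALL     = 0x003F
ACCESS3_WRITE   = ACCESS3_MODIFY | ACCESS3_EXTEND | ACCESS3_DELETE

NFS3_OK = 0
NFS3ERR_ACCES = 13
NF3DIR = 2          # ftype3 value for a directory


def xdr_opaque(data: bytes) -> bytes:
    """Variable-length XDR opaque: 4-byte big-endian length, bytes, zero pad to 4."""
    return struct.pack(">I", len(data)) + data + b"\x00" * ((-len(data)) % 4)


def access3_args(fh: bytes, mask: int = ACCESS3_ALL) -> bytes:
    """Encode ACCESS3args: nfs_fh3 object (opaque<64>) followed by uint32 access."""
    if not 0 < len(fh) <= 64:
        raise ValueError("nfs_fh3 must be 1..64 bytes")
    return xdr_opaque(fh) + struct.pack(">I", mask)


def build_fattr3(ftype: int, mode: int, uid: int, gid: int, size: int = 0, fileid: int = 1) -> bytes:
    """Encode an 84-byte fattr3. Used here only to construct the sample reply."""
    return (struct.pack(">5I", ftype, mode, 1, uid, gid)   # type, mode, nlink, uid, gid
            + struct.pack(">2Q", size, size)               # size, used
            + struct.pack(">2I", 0, 0)                     # rdev (specdata3)
            + struct.pack(">2Q", 0x1234, fileid)           # fsid, fileid
            + struct.pack(">6I", 0, 0, 0, 0, 0, 0))        # atime, mtime, ctime (nfstime3)


def build_access3_res(status: int, fattr: bytes = None, granted: int = 0) -> bytes:
    """Encode ACCESS3res: status, post_op_attr, and (on NFS3_OK) the granted mask."""
    out = struct.pack(">I", status)
    if fattr is None:
        out += struct.pack(">I", 0)               # attributes_follow = FALSE
    else:
        out += struct.pack(">I", 1) + fattr       # attributes_follow = TRUE, then fattr3
    if status == NFS3_OK:
        out += struct.pack(">I", granted)         # ACCESS3resok.access
    return out


def parse_fattr3(buf: bytes, off: int):
    """Decode the fields of fattr3 a listing would print; returns (attrs, new offset)."""
    ftype, mode, nlink, uid, gid = struct.unpack_from(">5I", buf, off)
    size, _used = struct.unpack_from(">2Q", buf, off + 20)
    _fsid, fileid = struct.unpack_from(">2Q", buf, off + 44)
    attrs = {"type": ftype, "mode": mode, "nlink": nlink, "uid": uid,
             "gid": gid, "size": size, "fileid": fileid}
    return attrs, off + 84


def parse_access3_res(buf: bytes):
    """Decode ACCESS3res into (status, attrs or None, granted mask or None)."""
    status, follows = struct.unpack_from(">2I", buf, 0)
    off, attrs = 8, None
    if follows:
        attrs, off = parse_fattr3(buf, off)
    if status != NFS3_OK:
        return status, attrs, None                # ACCESS3resfail carries post_op_attr only
    granted, = struct.unpack_from(">I", buf, off)
    return status, attrs, granted


def mode_implies_write(attrs: dict, uid: int, gid: int) -> bool:
    """What the mode/uid/gid shown in a listing would mean for caller uid/gid
    under local file-system semantics (owner bits, then group, then other)."""
    mode = attrs["mode"]
    if attrs["uid"] == uid:
        return bool(mode & 0o200)
    if attrs["gid"] == gid:
        return bool(mode & 0o020)
    return bool(mode & 0o002)


def access_grants_write(granted: int) -> bool:
    """What the server actually allows: any of MODIFY, EXTEND or DELETE granted."""
    return bool(granted & ACCESS3_WRITE)


# Constructed sample data: a world-writable, root-owned directory on an export
# the server has marked read-only, so ACCESS withholds the three write bits.
SAMPLE_FH = bytes(range(32))                      # constructed nfs_fh3, not a real handle
SAMPLE_REPLY = build_access3_res(
    NFS3_OK,
    build_fattr3(NF3DIR, 0o40777, uid=0, gid=0, size=4096, fileid=2),
    granted=ACCESS3_READ | ACCESS3_LOOKUP | ACCESS3_EXECUTE,
)


def check_export(reply: bytes, uid: int = 1000, gid: int = 100):
    """Return (mode_says_writable, server_grants_write) for the caller, or None on error."""
    status, attrs, granted = parse_access3_res(reply)
    if status != NFS3_OK or attrs is None:
        return None
    return mode_implies_write(attrs, uid, gid), access_grants_write(granted)


if __name__ == "__main__":
    print("ACCESS3args:", access3_args(SAMPLE_FH).hex())
    print("mode says writable, server grants write:", check_export(SAMPLE_REPLY))
```

The request is what a scanner would send after MOUNT returned the root file handle of an export; in the constructed reply the fattr3 says `drwxrwxrwx`, exactly what the listing above prints for `/tmp`, yet the granted mask comes back as READ|LOOKUP|EXECUTE, so the mode bits say "writable" and the server says "no", which is the ro-export case described in the mail.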
Current thread:
- Re: [nmap-svn] r17816 - nmap-exp/djalal/scripts Fyodor (Jun 07)
- Re: [NSE] nfs-ls script feedbacks, was: [nmap-svn] r17816 - nmap-exp/djalal/scripts Djalal Harouni (Jun 10)
- Re: [NSE] nfs-ls script feedbacks, was: [nmap-svn] r17816 - nmap-exp/djalal/scripts Richard Miles (Jun 10)
- Re: [NSE] nfs-ls script feedbacks, was: [nmap-svn] r17816 - nmap-exp/djalal/scripts Djalal Harouni (Jun 12)
- Re: [NSE] nfs-ls script feedbacks, was: [nmap-svn] r17816 - nmap-exp/djalal/scripts Patrik Karlsson (Jun 12)
- Re: [NSE] nfs-ls script feedbacks Djalal Harouni (Jun 13)
- Re: [NSE] nfs-ls script new version Djalal Harouni (Jun 29)
- Re: [NSE] nfs-ls script feedbacks, was: [nmap-svn] r17816 - nmap-exp/djalal/scripts Richard Miles (Jun 10)
- Re: [NSE] nfs-ls script feedbacks, was: [nmap-svn] r17816 - nmap-exp/djalal/scripts Djalal Harouni (Jun 10)