Re: [BUG] Exclusions directive not honored by NSE version detection

[Djalal Harouni <tixxdz () gmail com>]

On 2010-06-17 13:39:17 -0500, Kris Katterjohn wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On Thu, 17 Jun 2010 19:21:50 +0100
> Djalal Harouni <tixxdz () gmail com> wrote:
>
> > On 2010-04-30 17:16:59 -0500, Tom Sellers wrote:
> > > I have recently come across a bug involving port exclusions when
> > > performing version
> > > detection.   I plan to work on finding a fix for the issue this
> > > weekend, but I thought I would go
> > > ahead and send the info to the list now in the event that my work
> > > was delayed or someone
> > > had an idea of exactly where the issue lay.
> > >
> > > Recent scanning shows that the Exclude directive in the
> > > nmap-service-probes file is being
> > > ignored by NSE version detection if more than one port is scanned on
> > > a host.  The nmap
> > > built in version detection skips the port, but NSE runs version
> > > detection scripts against the
> > > port anyway.
> >
> > Hi Tom,
> >
> > Attached is a patch against the latest nmap svn revision.
> >
> > This patch introduce a new function port_is_excluded() in the
> > shortport.lua I've modified all the portrules of version category
> > scripts, so this needs testing before merging the patch.
> >
> > Reasons for modifying portrules:
> > * I didn't want to modify the behaviour of portnumber() and service()
> > functions from the shortport.lua library.
> >
> > * We must be sure that the excludedports list is initialized with the
> > correct data before executing/evaluating the portrule functions.
>
> I have a couple of thoughts after briefly looking at the patch.
>
> In some scripts you add a new shortport require just for the exclusion
> test in the portrule, but since a portrule only covers one port
> couldn't you just as well use the nmap.port_is_excluded?  Admittedly
> this isn't a huge deal since shortport has pretty much always been
> around, but I'm curious if there is some other reason for this (since
> it looks like the shortport one is just a simple wrapper with support
> for multiple ports in a table).  Perhaps I've missed something in my
> brevity?
Yes we could also add the nmap require to the scripts and call the
nmap.port_is_excluded.  I've used this wrapper call in the shortport
library simply to follow the same logic of portnumber() and service()
functions and to offre more control, but you are right the current call
of port_is_excluded() uses only one port, I've no objections to remove it
and I must admit that I've a preference to use the function directly from
the nmap lib, but after some nse meeting discussion the proposed
solution was to use it from shortport library, and I think that we'll
change this.

> And while I agree that modifying the existing shortport functions like
> portnumber() is not the way to go, I think creating a new function or
> option (or whatever) for exclusion support is a good thing if it's not
> really ugly or hacky.  Perhaps you've thought about this and came up
> with no good solution?  I haven't given thought to how to go about it
> yet, but I think having this would be good for version scripts for all
> of the reasons shortport exists already for everything else.
Well, to clarify this was discussed in nse meetings and with Patrick,
perhaps the current solution is not perfect so we'll discuss this again
and any help would be welcome.

Thx for your comments.

> Cheers,
> Kris Katterjohn
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.10 (GNU/Linux)
>
> iQIcBAEBAgAGBQJMGmvVAAoJEEQxgFs5kUfuSd4P/3IzqXV1OGs7oRPpB87hlsY0
> UrkAXa9X5jJWCgF+tjwQ5c2R2cqhGxvwDAVLl4FKzbU4Qseu4KM2VBrz/c66iV0S
> uwzw1QJX4lupmbnaigOnPEvjjxXntI1TbMq1pKLXkTDp9QDBHmONLAEVoyfgfrxy
> C4XwJemv4tH+sp9w+deeXJOdk3uX2jZmThsqF3x/g6wJRGYS6kFjCCgQFI3FBRyw
> l/QN74ON1jwewFmWQw/+Vt0E2MacdfW1eDO7lpc9vC/d1v+zeWyuFAoB7vtsD7xa
> oU+o1GVG+vtU9D+p8Fie+e3csbl6cbJ7wcWRSdvqm8YWzyh2X1JBGj4AG8A36pgJ
> B6X5knDpUSiNDaX/thlQejqZydAqxIlUKGh8JhPAGvl92zw/46sutKhUOX8rv7C9
> 7Kz+42Q8qhpcuNn8BVxdH12EK5lxqe/Ln2DMFdmtJzW9yVLvXnYjGgRYnfWwKyh+
> DQcg7ONxxFomm1WcFZLItosO65tycVlJT4JcKdB63lYjD81uHxHdXJhNaAXWeTsz
> XOrso8f7nTPdV/dcs/+SnJZjsbHLGLAyNJFXhy0c86Gk9SN3csCK4CTffN91bP76
> SNdOwKHHCaseUbJQSlp0o7l39TWVs2TxSgj02Z4Of6IFXFGWXG+F2VdquxcCVgd2
> 9v0DpBsLb8i7vpUJo2p4
> =G7sX
> -----END PGP SIGNATURE-----

-- 
tixxdz
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/