Nmap Development mailing list archives

Re: Always practice safe software: a lesson from UnrealIRCd


From: Ron <ron () skullsecurity net>
Date: Fri, 25 Jun 2010 15:05:21 -0500

On Fri, 25 Jun 2010 10:27:02 -0600 David Fifield
<david () bamsoftware com> wrote:
> On Thu, Jun 24, 2010 at 10:05:04AM -0500, Ron wrote:
> > The attached version of the code, in my testing, had no false
> > positives and no false negatives. The downside is, it's incredibly
> > slow.
> >
> > A mutex + 10 second delay and 20 second timeout had 5 good, 1 false
> > positive. A mutex + 25 second delay + 35 second timeout = perfect, 5
> > out of 5 on my test list with no false positives/negatives. So
> > basically, 25 seconds for every infected host, 35 seconds for every
> > host that times out, and basically no time for hosts that aren't
> > affected either way.
>
> Ron, please commit this as it stands. It is very very slow but it
> seems to be accurate. In my test I got 7 servers correctly detected,
> with 4 false positives, in 4 hours. I will send you the list of hosts
> I found off-list.
>
> The timing data are being corrupted by the time taken for the remote
> server to do reverse DNS and ident lookups. One server I saw has a
> 36-second timeout on ident lookups, which makes it a false positive.
> I'm testing a version that receives all the server's initial banner
> (including host name and ident lookups) before sending the AB command
> and starting the timer. But I think the script is ready to be added to
> revision control now.
>
> David Fifield

All right, it's committed.

Thanks!
-- 
Ron Bowes
http://www.skullsecurity.org
http://www.twitter.com/iagox86
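An added example, not code from this thread or from Nmap, showing the timing fix David describes: start the clock only after the server's pre-registration banner (the host-name and ident notices) has fully arrived, so a slow ident lookup cannot inflate the measured delay into a false positive. The server is a constructed local stand-in with no IRC daemon or backdoor behaviour, the probe is a plain PING, and the banner marker and delays are assumptions of this example.

```python
import socket
import threading
import time

BANNER_END = b"Found your hostname"  # last pre-registration notice the stand-in sends

def fake_irc_server(lookup_delay, reply_delay):
    """Constructed stand-in (not UnrealIRCd, no backdoor logic): stall lookup_delay like a
    slow ident/rDNS lookup before the banner, answer the first client line after reply_delay."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    def serve():
        conn, _ = srv.accept()
        time.sleep(lookup_delay)  # the lookup stall, before any byte is sent
        conn.sendall(b":irc.example NOTICE AUTH :*** Looking up your hostname...\r\n"
                     b":irc.example NOTICE AUTH :*** " + BANNER_END + b"\r\n")
        conn.recv(512)  # wait for the client's probe line
        time.sleep(reply_delay)  # the server's genuine response time
        conn.sendall(b":irc.example PONG irc.example :probe\r\n")
        conn.close()
        srv.close()
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

def recv_until(sock, marker):
    buf = b""
    while marker not in buf:
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("peer closed before %r arrived" % marker)
        buf += chunk
    return buf

def time_probe(port, timeout=5.0):
    """(naive, corrected) seconds for one harmless PING round trip, or (None, None) on
    timeout. naive counts from connect; corrected only from the end of the banner."""
    sock = socket.create_connection(("127.0.0.1", port), timeout=timeout)
    t_connect = time.monotonic()
    try:
        recv_until(sock, BANNER_END)
        t_banner = time.monotonic()
        sock.sendall(b"PING :probe\r\n")
        recv_until(sock, b"PONG")
    except socket.timeout:
        return None, None
    finally:
        sock.close()
    t_reply = time.monotonic()
    return t_reply - t_connect, t_reply - t_banner
```

With a one-second lookup stall and a 0.1-second reply, the naive figure crosses a 0.5-second threshold while the corrected one does not; a server that never finishes its banner within the timeout comes back as (None, None) rather than as a delay.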

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
