Nmap Development mailing list archives

Re: Always practice safe software: a lesson from UnrealIRCd


From: Ron <ron () skullsecurity net>
Date: Fri, 2 Jul 2010 11:27:40 -0500

On Wed, 30 Jun 2010 18:36:12 -0600 David Fifield
<david () bamsoftware com> wrote:
I just committed (r18508) the revisions I planned to make to the
script. These greatly improve its speed and slightly increase its
accuracy.

The main obstacle was that most servers run a reverse-DNS lookup and
ident lookup, and don't process any commands until those have timed
out. The timeouts were being included in the total time recorded by
the script, so the times were longer than they should have been. If
the timeouts were long enough, a server would appear to be vulnerable
even if it wasn't.

I got around this by first sending a dummy command (TIME) immediately
upon connection. When we get a response to TIME (":hostname 451 TIME
:You have not registered"), then we start the timer and send the "AB"
sleep command. I reduced the delay to 8 seconds, and here is the
distribution of times I found:

  0 ####################################################################################################################################################################################################################################################################################
  1 ####################################################################################################################################################################################################################################################################################################################################
  2
  3
  4
  5
  6
  7
  8 ####
  9 ##

Each # is two hosts. You can see these timing data are much cleaner
than those at http://seclists.org/nmap-dev/2010/q2/937.

I removed the mutex that allowed only one copy of the script to run
at a time. I think the cause of inaccuracy was timeout corruption, not
parallelism. These are results of different versions.

The original committed script with mutex:
7 correctly detected (missed 4), 4 false positives.
Nmap done: 592 IP addresses (592 hosts up) scanned in 14455.28 seconds

No mutex:
8 correctly detected (missed 3), 2 false positives.
Nmap done: 592 IP addresses (592 hosts up) scanned in 703.65 seconds

r18508:
11 correctly detected, 0 false positives.
Nmap done: 592 IP addresses (592 hosts up) scanned in 650.75 seconds

David Fifield

Excellent! This will make a good model for future scripts that have to deal with time-based results.

-- 
Ron Bowes
http://www.skullsecurity.org
http://www.twitter.com/iagox86
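The measurement problem David describes, as an added illustration that is not the Nmap script or any code from the thread: a constructed in-process stand-in for an IRC server stalls before answering anything (standing in for the reverse-DNS and ident lookups), and a timer started at connect attributes that stall to the probe, while a timer started only after the 451 reply to TIME measures just the server's own delay. The probe command SLOWPROBE and all delays are assumptions made up for the example.

```python
import socket
import threading
import time

# Constructed stand-in for an IRC server: it stalls PRE_REG_DELAY seconds
# before processing any command (the rDNS/ident wait from the post), answers
# TIME with 451, and, if configured to, sleeps SLEEP_SECONDS on the probe.
PRE_REG_DELAY = 0.7
SLEEP_SECONDS = 0.8
PROBE = b"SLOWPROBE\r\n"      # hypothetical probe, not any real command

def fake_irc_server(listener, sleeps_on_probe):
    conn, _ = listener.accept()
    with conn:
        conn.recv(1024)                      # TIME arrives during the stall
        time.sleep(PRE_REG_DELAY)
        conn.sendall(b":hostname 451 TIME :You have not registered\r\n")
        data = conn.recv(1024)
        if sleeps_on_probe and data == PROBE:
            time.sleep(SLEEP_SECONDS)
        conn.sendall(b":hostname 451 * :You have not registered\r\n")

def start_server(sleeps_on_probe):
    """Start one fake server on a free loopback port; return the port."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    threading.Thread(target=fake_irc_server, args=(listener, sleeps_on_probe),
                     daemon=True).start()
    return listener.getsockname()[1]

def time_probe(port):
    """Return (naive, corrected) seconds for the probe: naive counts from
    connect, corrected from the 451 reply to TIME, i.e. once the server is
    actually processing commands."""
    with socket.create_connection(("127.0.0.1", port), timeout=5) as s:
        t_connect = time.monotonic()
        s.sendall(b"TIME\r\n")
        buf = b""
        while b"451" not in buf:
            chunk = s.recv(1024)
            if not chunk:
                raise ConnectionError("server closed before answering TIME")
            buf += chunk
        t_ready = time.monotonic()
        s.sendall(PROBE)
        s.recv(1024)
        t_done = time.monotonic()
    return t_done - t_connect, t_done - t_ready

def looks_slow(elapsed, threshold=SLEEP_SECONDS * 0.75):
    """Classify a measured delay against a threshold below the expected sleep."""
    return elapsed >= threshold
```

With the naive timer the non-sleeping server is misclassified (the pre-registration stall alone exceeds the threshold); with the corrected timer only the sleeping server is flagged.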

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
