Nmap Development mailing list archives
Re: Always practice safe software: a lesson from UnrealIRCd
From: Ron <ron () skullsecurity net>
Date: Fri, 2 Jul 2010 11:27:40 -0500
On Wed, 30 Jun 2010 18:36:12 -0600 David Fifield <david () bamsoftware com> wrote:
I just committed (r18508) the revisions I planned to make to the script. These greatly improve its speed and slightly increase its accuracy. The main obstacle was that most servers run a reverse-DNS lookup and ident lookup, and don't process any commands until those have timed out. The timeouts were being included in the total time recorded by the script, so the times were longer than they should have been. If the timeouts were long enough, a server would appear to be vulnerable even if it wasn't. I got around this by first sending a dummy command (TIME) immediately upon connection. When we get a response to TIME (":hostname 451 TIME :You have not registered"), then we start the timer and send the "AB" sleep command.

I reduced the delay to 8 seconds, and here is the distribution of times I found:

0 ####################################################################################################################################################################################################################################################################################
1 ########################################################################################################################################################################################################################################################################################################################
2
3
4
5
6
7
8 ####
9 ##

Each # is two hosts. You can see these timing data are much cleaner than those at http://seclists.org/nmap-dev/2010/q2/937.

I removed the mutex that allowed only one copy of the script to run at a time. I think the cause of inaccuracy was timeout corruption, not parallelism.

These are results of different versions.

The original committed script with mutex: 7 correctly detected (missed 4), 4 false positives.
Nmap done: 592 IP addresses (592 hosts up) scanned in 14455.28 seconds

No mutex: 8 correctly detected (missed 3), 2 false positives.
Nmap done: 592 IP addresses (592 hosts up) scanned in 703.65 seconds

r18508: 11 correctly detected, 0 false positives.
Nmap done: 592 IP addresses (592 hosts up) scanned in 650.75 seconds

David Fifield
Excellent! This will make a good model for future scripts that have to deal with time-based results. -- Ron Bowes http://www.skullsecurity.org http://www.twitter.com/iagox86
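The timing fix David describes above, as an added Python example that is not part of the Nmap script or the thread: a constructed mock IRC server stalls every command until a simulated rDNS/ident timeout passes, and the client is measured both the naive way (clock running from connect) and the corrected way (clock started on the 451 reply to TIME). PROBE, the host, port and delays are placeholders chosen here, scaled down from the thread's 8 s.

```python
"""Start the timer on the server's first reply, not at connect() (added example).
Constructed mock: the server stalls every command until PREAUTH_DELAY passes,
modelling rDNS/ident timeouts; PROBE stands in for the script's real probe."""
import socket
import threading
import time

PREAUTH_DELAY = 0.5   # simulated rDNS/ident timeout before any command is handled
TRIGGER_DELAY = 0.5   # extra server-side delay a positive result would add
TOLERANCE = 0.2       # how close to the requested delay a reply must land


def serve_once(listener, trigger_delay):
    conn, _ = listener.accept()
    with conn, conn.makefile("rb") as lines:
        time.sleep(PREAUTH_DELAY)          # queued commands wait for the lookups
        for raw in lines:
            cmd = raw.decode().strip()
            if cmd == "TIME":
                conn.sendall(b":host 451 TIME :You have not registered\r\n")
            elif cmd == "PROBE":
                time.sleep(trigger_delay)  # 0 on a server that is not affected
                conn.sendall(b":host 451 PROBE :You have not registered\r\n")
                break


def measure(port, corrected):
    """Return seconds from timer start to the PROBE reply."""
    with socket.create_connection(("127.0.0.1", port)) as c, c.makefile("rb") as f:
        t0 = time.monotonic()              # naive: clock runs from connect()
        c.sendall(b"TIME\r\n")
        f.readline()                       # 451 arrives once the server is ready
        if corrected:
            t0 = time.monotonic()          # fixed: clock starts at the 451 reply
        c.sendall(b"PROBE\r\n")
        f.readline()
        return time.monotonic() - t0


def run_measurement(trigger_delay, corrected):
    listener = socket.create_server(("127.0.0.1", 0))
    t = threading.Thread(target=serve_once, args=(listener, trigger_delay), daemon=True)
    t.start()
    try:
        return measure(listener.getsockname()[1], corrected)
    finally:
        t.join(timeout=5)
        listener.close()


def looks_positive(elapsed, expected=TRIGGER_DELAY):
    """Classify as the script does: did the reply take about the requested delay?"""
    return abs(elapsed - expected) <= TOLERANCE
```

With the naive clock, a clean server's stall alone lands inside the window (a false positive) and an affected server overshoots it (a miss), which is the pattern in the first two result sets; the corrected clock separates the two cases.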
_______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://seclists.org/nmap-dev/