Nmap Development mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Adding new NSE discovered targets to Nmap

From: Patrik Karlsson <patrik () cqure net>
Date: Sun, 15 Aug 2010 22:40:58 +0200

On 13 aug 2010, at 17.40, Daniel Miller wrote:


On 08/12/2010 04:02 PM, Ron wrote:

On Thu, 12 Aug 2010 22:52:38 +0200 Patrik Karlsson<patrik () cqure net>
wrote:
  

About broadcast in NSE, do you need to do something to set
SO_BROADCAST on the socket or is this taken care of?
    

I'm *guessing* that's the issue, and I remember talking about enabling SO_BROADCAST on the list in the past. I don't 
think NSE has the ability to enable SO_BROADCAST, but I could be wrong.

  

//Patrik
    

SO_BROADCAST support was added to nsock, but is off by default. From nsock/include/nsock.h:

  /* Turns on or off broadcast support on new sockets. Default is off
      (0, false) set in nsp_new(). Any non-zero (true) value sets
      SO_BROADCAST on all new sockets (value of optval will be used
  directly
      in the setsockopt() call */
  void nsp_setbroadcast(nsock_pool nsp, int optval);

nsp_new() is called for NSE in nse_nsock.cc in luaopen_nsock(). To enable broadcast, a call to nsp_setbroadcast() 
must be made after that call.


So I looked into this a bit more as I was curios to test some new ideas out. 
I managed to make the setbroadcast call and have my NSE code send broadcasts out.
However, I ran into some trouble as all UDP sockets are connected to the destination address.

The man page for connect says:
"The parameter socket is a socket. If it is of type SOCK_DGRAM, this call specifies the peer with which the socket
  is to be associated; this address is that to which datagrams are to be sent, and the only address from which data-
  grams are to be received."

As far as I can tell this makes it difficult to receive any response at all to a broadcast request.
I made a quick test re-connecting the socket with the address family AF_UNSPEC immediately after the send was issued.

"Datagram sockets may dissolve the association by connecting to an
 invalid address, such as a null address or an address with the address
 family set to AF_UNSPEC (the error EAFNOSUPPORT will be harmlessly
 returned)."

This allowed the socket to receive the response from one of the clients responding to the broadcast request.

This obviously is NOT the solution, so currently I'm guessing the only way to pick up the response is by using pcap?
As I'm on OS X 10.6.4 that unfortunately doesn't work either. 

Am I missing something terribly obvious? If so could someone more familiar with the code please enlighten me?

//Patrik



Dan
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/


--
Patrik Karlsson
http://www.cqure.net
http://www.twitter.com/nevdull77





_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
Previous By Date Next
Previous By Thread Next

Current thread: