Nmap Development mailing list archives
Re: [nmap-svn] r21714 - nmap/todo
From: Fyodor <fyodor () insecure org>
Date: Thu, 13 Jan 2011 01:10:22 -0800
On Wed, Jan 12, 2011 at 06:53:27PM +0100, Luis MartinGarcia. wrote:
why don't we make it optional and allow users to simply pass "--echo-client"? Well, the reason why I chose to make it mandatory is because otherwise, the target host would have to be supplied before the "--echo-client" flag, which seems a bit counter-intuitive to me.
I agree, that would be a terrible UI.
So the thing is that if Nping is compiled without OpenSSL
Remember that this is a rare situation, so we don't need to over-optimise for it. The Nmap Windows, Mac, and Linux binaries we distribute all include SSL, and I imagine that most Linux distributions include SSL support in their Nmap package as well. And users who compile from source will get SSL as long as they have SSL development libraries installed, unless they specifically request to omit it.
and we make users pass "--no-crypto", they still need to supply a passphrase, which is also a bit counter-intuitive. nping --echo-client "unused_passphrase" echo.nmap.org --no-crypto
Well, they'd probably just run: nping --echo-client "" --no-crypto echo.nmap.org Yes, the "" argument is a little annoying, but OK if we document it.
1. Make the passphrase an optional parameter and make users supply the hostname before "--echo-client" or "--echo-server".
I agree with you that this is unacceptable.
2. Leave it as a mandatory parameter and just warn the user if "--no-crypto" was not supplied and there is no OpenSSL.
Maybe we should give an error and quit rather than just warn. Users might not notice the warning (especially if they run the server and/or client with a script) and could end up way more exposed than they expect. If both the client and server have no SSL, the program could continue working but without the security they expected when they gave a passphrase. Also, right now the Nping man page suggests using --no-crypto for public echo servers. We might suggest using the empty passphrase ("") for this instead. That way the client users don't have to always remember to pass --no-crypto. We don't really want to get them in that habit anyway. Cheers, Fyodor _______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://seclists.org/nmap-dev/
Current thread:
- Re: [nmap-svn] r21714 - nmap/todo Luis MartinGarcia. (Jan 12)
- Re: [nmap-svn] r21714 - nmap/todo Fyodor (Jan 13)
- Re: [nmap-svn] r21714 - nmap/todo Luis MartinGarcia. (Jan 13)
- Re: [nmap-svn] r21714 - nmap/todo Luis MartinGarcia. (Jan 13)
- Message not available
- Re: [nmap-svn] r21714 - nmap/todo Luis MartinGarcia. (Jan 18)
- Re: [nmap-svn] r21714 - nmap/todo Fyodor (Jan 19)
- Re: [nmap-svn] r21714 - nmap/todo Fyodor (Jan 13)