Re: nmap-dev Digest, Vol 72, Issue 54

[Kamal Banga <banga.kamal () gmail com>]

I am a second year CSE student. I have seen that many-a-times nmap users
have to do intense scans. I know CUDA and a bit about multithreaded
programming. How about developing multithreaded code for nmap. And after all
it will be a brand image for nmap! as now-a-days softwares use it. Like
Matlab is available in both single and multi threaded applications.
Kamal

On Wed, Mar 23, 2011 at 4:52 AM, <nmap-dev-request () insecure org> wrote:

> Send nmap-dev mailing list submissions to
>        nmap-dev () insecure org
>
> To subscribe or unsubscribe via the World Wide Web, visit
>        http://cgi.insecure.org/mailman/listinfo/nmap-dev
> or, via email, send a message with subject or body 'help' to
>        nmap-dev-request () insecure org
>
> You can reach the person managing the list at
>        nmap-dev-owner () insecure org
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of nmap-dev digest..."
>
>
> Today's Topics:
>
>   1. Re: [NSE] Draft - targets-sniffer.nse (Toni Ruottu)
>   2. Re: [NSE] Draft - targets-sniffer.nse (Nick Nikolaou)
>   3. Re: [NSE] SSL Fingerprint Matching (David Fifield)
>   4. Re: [NSE] Draft - targets-sniffer.nse (Patrick Donnelly)
>   5. Information about IPv6 project. (Nikhil Jindal)
>   6. Retrieving the current time via ICMP type 14 (Chris Datfung)
>   7. Re: Retrieving the current time via ICMP type 14 (jaydeep)
>   8. Default user agent patch (Hani Benhabiles)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Tue, 22 Mar 2011 21:17:39 +0200
> From: Toni Ruottu <toni.ruottu () iki fi>
> Subject: Re: [NSE] Draft - targets-sniffer.nse
> To: Nick Nikolaou <nikolasnikolaou1 () gmail com>
> Cc: nmap-dev () insecure org
> Message-ID:
>        <AANLkTinmWRG9wqtoWntVtwajeaxXAVf8sn13o4j040od () mail gmail com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> This thing is cool!
>
> It fails unless you are root, for understandable reasons. Do we have
> some kind of policy for scripts that require root? I think there
> should be a way for scripts to report this to nmap, and nmap should
> probably abort the scan if the user is has request root features while
> being nonroot. I am not sure, if this is possible at the moment. I am
> not sure I understand the big picture.
>
> It would be useful for the final version to take a filter argument
> that is used to filter out noise. Maybe we want to scan all service
> that one host is accessing, or maybe we want to scan all hosts that
> are accessing some service. I think there are some standard languages
> for defining such packet filtering. We should probably implement them
> in a library rather than each script specifically. What filtering
> languages do we want to use? Do we already have support for one of
> them?
>
> On Tue, Mar 22, 2011 at 8:44 PM, Nick Nikolaou
> <nikolasnikolaou1 () gmail com> wrote:
> > Hello everyone,
> >
> > Attached is a draft of a targets-sniffer script. The script sniffs for a
> > configured amount of a time and adds addresses from packets it sees in
> > newtargets. (https://secwiki.org/w/Nmap_Script_Ideas#targets-sniffer)
> >
> > The script still needs work but I was hoping to get some feedback from
> the
> > list.
> >
> > Example usage:
> > nmap -sL --script targets-sniffer.nse --script-args=newtargets
> >
> > This will perform a list scan on the IP addresses it sniffs, ignoring
> > duplicates and broadcasts. (You can use -d to see the IP addresses as
> they
> > are sniffed)
> >
> >
> > *Issues that need to be resolved:*
> >
> > 1) The sniffing interface is hard-coded at the moment. Is there a way to
> get
> > the active interface in a prerule script? Alternatively I could change
> the
> > rule to a hostrule. (and maybe a high enough runlevel to ensure the
> script
> > runs first?)
> >
> > 2) The pcap socket doesn't time out. ?The only way I got it to timeout
> was
> > to set the timeout value to <=1s. Even then if it sniffed a packet it
> > wouldn't timeout. I ended up using a temporary nmap.clock() based
> solution
> > in order to test the script.
> >
> > 3) I'm not really happy with the way the script extracts the IP addresses
> > from the packets at the moment.
> >
> > 4) Any other issues you find.
> >
> > Thanks for any feedback.
> > Nick
> >
> > _______________________________________________
> > Sent through the nmap-dev mailing list
> > http://cgi.insecure.org/mailman/listinfo/nmap-dev
> > Archived at http://seclists.org/nmap-dev/
>
>
> ------------------------------
>
> Message: 2
> Date: Tue, 22 Mar 2011 19:46:05 +0000
> From: Nick Nikolaou <nikolasnikolaou1 () gmail com>
> Subject: Re: [NSE] Draft - targets-sniffer.nse
> To: Toni Ruottu <toni.ruottu () iki fi>
> Cc: nmap-dev () insecure org
> Message-ID:
>        <AANLkTikH_v=9n8_ijiweryUYDNm=yh9VMs4efHp1-X0j () mail gmail com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> Thanks for the quick replies guys.
>
> I can't look into the other issues you mention about the script right now,
> > but
> > glancing at it I see you aren't using the Packet nselib.  Look at
> > nselib/packet.lua and the various raw packet scripts (ipidseq, qscan,
> > path-mtu, firewalk) to see how to use it (the nselib provides more than
> > what
> > scripts use right now IIRC).
>
>
> For this you should use the packet library:
> > http://nmap.org/nsedoc/lib/packet
>
>
> Thanks. I did see other scripts using the Packet library but I was having
> trouble getting the IP addresses. I guess I have some more reading to do.
>
>
> We don't have a way for scripts to get the list of interfaces, but
> > Djalal has a patch to do it: http://seclists.org/nmap-dev/2011/q1/291.
> > It hasn't been added yet because there isn't a script to use it, but you
> > can make it a part of your patch if it helps.
>
>
>  I'll see if/how I could incorporate that, thanks.
>
>
>  On 22 March 2011 19:17, Toni Ruottu <toni.ruottu () iki fi> wrote:
>
>
>
> It fails unless you are root, for understandable reasons.
>
>
> I forgot to mention that. I'll make sure I add it to the description field.
>
> Nick
>
> On 22 March 2011 19:17, Toni Ruottu <toni.ruottu () iki fi> wrote:
>
> > This thing is cool!
> >
> > It fails unless you are root, for understandable reasons. Do we have
> > some kind of policy for scripts that require root? I think there
> > should be a way for scripts to report this to nmap, and nmap should
> > probably abort the scan if the user is has request root features while
> > being nonroot. I am not sure, if this is possible at the moment. I am
> > not sure I understand the big picture.
> >
> > It would be useful for the final version to take a filter argument
> > that is used to filter out noise. Maybe we want to scan all service
> > that one host is accessing, or maybe we want to scan all hosts that
> > are accessing some service. I think there are some standard languages
> > for defining such packet filtering. We should probably implement them
> > in a library rather than each script specifically. What filtering
> > languages do we want to use? Do we already have support for one of
> > them?
> >
> > On Tue, Mar 22, 2011 at 8:44 PM, Nick Nikolaou
> > <nikolasnikolaou1 () gmail com> wrote:
> > > Hello everyone,
> > >
> > > Attached is a draft of a targets-sniffer script. The script sniffs for
> a
> > > configured amount of a time and adds addresses from packets it sees in
> > > newtargets. (https://secwiki.org/w/Nmap_Script_Ideas#targets-sniffer)
> > >
> > > The script still needs work but I was hoping to get some feedback from
> > the
> > > list.
> > >
> > > Example usage:
> > > nmap -sL --script targets-sniffer.nse --script-args=newtargets
> > >
> > > This will perform a list scan on the IP addresses it sniffs, ignoring
> > > duplicates and broadcasts. (You can use -d to see the IP addresses as
> > they
> > > are sniffed)
> > >
> > >
> > > *Issues that need to be resolved:*
> > >
> > > 1) The sniffing interface is hard-coded at the moment. Is there a way
> to
> > get
> > > the active interface in a prerule script? Alternatively I could change
> > the
> > > rule to a hostrule. (and maybe a high enough runlevel to ensure the
> > script
> > > runs first?)
> > >
> > > 2) The pcap socket doesn't time out.  The only way I got it to timeout
> > was
> > > to set the timeout value to <=1s. Even then if it sniffed a packet it
> > > wouldn't timeout. I ended up using a temporary nmap.clock() based
> > solution
> > > in order to test the script.
> > >
> > > 3) I'm not really happy with the way the script extracts the IP
> addresses
> > > from the packets at the moment.
> > >
> > > 4) Any other issues you find.
> > >
> > > Thanks for any feedback.
> > > Nick
> > >
> > > _______________________________________________
> > > Sent through the nmap-dev mailing list
> > > http://cgi.insecure.org/mailman/listinfo/nmap-dev
> > > Archived at http://seclists.org/nmap-dev/
>
>
> ------------------------------
>
> Message: 3
> Date: Tue, 22 Mar 2011 12:47:01 -0700
> From: David Fifield <david () bamsoftware com>
> Subject: Re: [NSE] SSL Fingerprint Matching
> To: Mak Kolybabi <mak () kolybabi com>
> Cc: nmap-dev <nmap-dev () insecure org>
> Message-ID: <20110322194700.GW27978 () gusto bamsoftware com>
> Content-Type: text/plain; charset=us-ascii
>
> On Sun, Mar 20, 2011 at 10:13:40PM -0500, Mak Kolybabi wrote:
> > On 2011-02-22 13:24, David Fifield wrote:
> > > To save space, how about storing hashes in the database without colons
> > > separating bytes? They can continue to be shown in output.
> >
> > The script now has a function that adds the colons back in when the file
> is read
> > in.
> >
> > > The output looks like this:
> > >
> > >     |_ssl-known-key:
> 00:28:E7:D4:9C:FA:4A:A5:98:4F:E4:97:EB:73:48:56:07:87:E4:96 is in the
> database with reason Little Black Box 0.1.
> > > Please change it to be
> > >
> > >     |_ssl-known-key: Found in Little Black Box 0.1 -
> http://code.google.com/p/littleblackbox/ (certificate hash:
> 00:28:E7:D4:9C:FA:4A:A5:98:4F:E4:97:EB:73:48:56:07:87:E4:96)
> > > This will give users a little more context if they don't know what the
> > > script is for.
> >
> > The script output has been flipped around to match the second format.
> >
> > > Related to that, it would be nice if the description string didn't have
> to be
> > > repeated for hashes with the same description. Could the data file be
> reworked
> > > into something like this:
> > >
> > > [Little Black Box 0.1 - http://code.google.com/p/littleblackbox/]
> > > 00:28:E7:D4:9C:FA:4A:A5:98:4F:E4:97:EB:73:48:56:07:87:E4:96
> > > 00:3A:E5:45:D6:9C:47:FB:1C:C2:53:59:AA:D7:54:62:D6:D7:89:90
> > > 00:3C:F1:AB:48:B4:6C:41:5E:48:15:10:3F:F8:28:AC:7C:60:D5:51
> >
> > The script has been changed to accept sections in square brackets. Any
> > fingerprint before the first section is ignored and a warning is printed.
>
> Thanks for finishing this and for writing the script in the first place.
> It's always a pleasure to work with your code. I've just committed it.
>
> David Fifield
>
>
> ------------------------------
>
> Message: 4
> Date: Tue, 22 Mar 2011 15:53:56 -0400
> From: Patrick Donnelly <batrick () batbytes com>
> Subject: Re: [NSE] Draft - targets-sniffer.nse
> To: Toni Ruottu <toni.ruottu () iki fi>
> Cc: Nick Nikolaou <nikolasnikolaou1 () gmail com>, nmap-dev () insecure org
> Message-ID:
>        <AANLkTik5P4UgM2Z8m5uR5n4fLmcu9pNdcUakNRUcu2ER () mail gmail com>
> Content-Type: text/plain; charset=UTF-8
>
> On Tue, Mar 22, 2011 at 3:17 PM, Toni Ruottu <toni.ruottu () iki fi> wrote:
> > This thing is cool!
> >
> > It fails unless you are root, for understandable reasons. Do we have
> > some kind of policy for scripts that require root?
>
> Well, ideally you would just throw an error in the script if you don't
> have root, something like:
>
> if not nmap.is_privileged() then error "i require r00t" end
>
> we could even make that an (empty) module to require:
>
> require "root"
>
> I think in the past we decided it was decided that errors thrown this
> way can't be used because it ends up aborting the entire scan. In
> earlier versions of NSE, this would actually occur in the middle of a
> scan which made it *really* annoying. Now we have NSE loaded at Nmap
> startup so this isn't quite as big an issue.
>
> I myself would like to see these types of errors ignored by NSE (as
> in, "the script isn't broken, but it can't run for X reason").
> Currently, as an example, we have these awkward constructions in
> mysql-brute.nse:
>
> -- ripped from ssh-hostkey.nse
> -- openssl is required for this script
> if not pcall(require,"openssl") then
>    portrule = function() return false end
>    action = function() end
>    stdnse.print_debug( 3, "Skipping %s script because OpenSSL is missing.",
>        SCRIPT_NAME)
>    return;
> end
>
> I think it should be possible to modify (hook) require so that these
> types of errors remain silent (except with debugging == 3).
>
> > I think there
> > should be a way for scripts to report this to nmap, and nmap should
> > probably abort the scan if the user is has request root features while
> > being nonroot. I am not sure, if this is possible at the moment. I am
> > not sure I understand the big picture.
>
> We could make it so if a user requests a script "by name" that Nmap
> aborts the scan when a required feature is missing, e.g. openssl or
> r00t. This is similar to how we increase the verbosity when the script
> is specified "by name" on the command line.
>
> --
> - Patrick Donnelly
>
>
> ------------------------------
>
> Message: 5
> Date: Wed, 23 Mar 2011 02:16:23 +0530
> From: Nikhil Jindal <dcenikhil () gmail com>
> Subject: Information about IPv6 project.
> To: nmap-dev () insecure org
> Message-ID:
>        <AANLkTi=Fp5G7DBaftQTbyq7mbYcpL_MJhbtHZgU5f-4W () mail gmail com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> Hi
>
> I am Nikhil Jindal, pursuing B.Tech in Information Technology. I have deep
> interest in networking and I want to work for nmap as a GSoc intern. I have
> proficiency working with C/C++ and I have worked on network manager of
> Linux
> kernel. I have also implemented some small projects in networking just out
> of interest. I would like to know more about this project "IPv6 Expert".
> Please let me know the requirements that I need to have to be capable to
> work on this project.
>
> Regards,
>
> Nikhil Jindal
>
>
> ------------------------------
>
> Message: 6
> Date: Tue, 22 Mar 2011 23:36:35 +0200
> From: Chris Datfung <chris.datfung () gmail com>
> Subject: Retrieving the current time via ICMP type 14
> To: nmap-dev () insecure org
> Message-ID:
>        <AANLkTim_jq1DT1_w9cmB-gbrC+m+G2-apAJi0fbqZWzh () mail gmail com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> Can nmap display the current time from a remote host that has ICMP
> timestamps open? The -PP option does not include this in its open strangely
> enough.
>
> Thanks,
> Chris
>
>
> ------------------------------
>
> Message: 7
> Date: Wed, 23 Mar 2011 04:02:40 +0530
> From: jaydeep <jaydeepkhandelwal () gmail com>
> Subject: Re: Retrieving the current time via ICMP type 14
> To: nmap-dev () insecure org
> Message-ID:
>        <AANLkTinfK8YvW=kxwJFwR3CvnmfWzzuLePRi+M1Am4qp () mail gmail com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> nmap also does not provide victim host name if victim is on linux machine.
>
>
>
> On Wed, Mar 23, 2011 at 3:06 AM, Chris Datfung <chris.datfung () gmail com
> > wrote:
>
> > Can nmap display the current time from a remote host that has ICMP
> > timestamps open? The -PP option does not include this in its open
> strangely
> > enough.
> >
> > Thanks,
> > Chris
> > _______________________________________________
> > Sent through the nmap-dev mailing list
> > http://cgi.insecure.org/mailman/listinfo/nmap-dev
> > Archived at http://seclists.org/nmap-dev/
>
>
>
> --
> Jaydeep Khandelwal
> Btech 3rd year
> IIIT Hyderabad
>
>
> ------------------------------
>
> Message: 8
> Date: Wed, 23 Mar 2011 00:22:10 +0100
> From: Hani Benhabiles <kroosec () gmail com>
> Subject: Default user agent patch
> To: nmap-dev () insecure org
> Message-ID:
>        <AANLkTikUaevwRK2SY5P3w=3AmCxspyqEH_Vd2xjsSM1V () mail gmail com>
> Content-Type: text/plain; charset="iso-8859-1"
>
> Hi list,
>
> I've noticed that in the http nselib the default user agent is hard coded
> as
> "Mozilla/5.0 (compatible; Nmap Scripting Engine;
> http://nmap.org/book/nse.html)"
> this could be easily detected by an IDS/IPS.
>
> I've attached a patch that changes it to the user agent pfa Firefox 3.6 web
> browser on a Windows 7 machine.
> This would make the http traffic generated look more authentic.
>
> Hani
> -------------- next part --------------
> A non-text attachment was scrubbed...
> Name: http.lua.patch
> Type: text/x-diff
> Size: 685 bytes
> Desc: not available
> URL: <
> http://cgi.insecure.org/mailman/private/nmap-dev/attachments/20110323/fc1ae7f0/attachment.bin
> >
>
> ------------------------------
>
> _______________________________________________
> nmap-dev mailing list
> nmap-dev () insecure org
> http://cgi.insecure.org/mailman/listinfo/nmap-dev
>
>
> End of nmap-dev Digest, Vol 72, Issue 54
> ****************************************
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/