Nmap Development mailing list archives
Re: NSE: Packet retransmit breaking rdp-ntlm-info #1682 (Not just rdp-ntlm-info but all NSE scripts)
From: Paulino Calderon <paulino () calderonpale com>
Date: Sun, 11 Aug 2019 09:49:22 -0500
Hey Tom, I just spotted this behavior too on another script when debugging a problem Fotis reported to me, so I'm guessing it is something related to packet fragmentation and it is affecting all NSE scripts. Similar issue as you described: the script was crashing due to packet fragmentation. Attaching the pcap that made me spot this.
Attachment: dicom-ping.pcapng
Paulino Calderon Pale || @calderpwn on Twitter || http://www.calderonpale.com
On Aug 10, 2019, at 3:24 PM, Tom Sellers <nmap () fadedcode net> wrote:

All,

I'm tossing a copy of GitHub issue #1682 ( https://github.com/nmap/nmap/issues/1682 ) here so that more people may see it. Copied from the issue:

I've seen some reports, which I was able to reproduce, that rdp-ntlm-info didn't work against Windows 7. While testing I noticed that some of the packets were being sent twice, which was breaking the protocol negotiation. This seems to happen when scanning with -sS but not -sT. This appears to be an issue with Nmap or NSE and how raw packets are handled. You can observe the retransmission using Wireshark / tcpdump.

Reproduce error:

    sudo nmap -sS --script rdp-ntlm-info -p 3389 -n target_ip

Workaround:

    sudo nmap -sT --script rdp-ntlm-info -p 3389 -n target_ip

When running with --packet-trace I only see Nmap send the packet once (in the output) in either case. If you view the traffic with Wireshark you can see that it is re-transmitted. In the image linked below packet 15 is the original, packet 16 is the retransmission:

https://user-images.githubusercontent.com/6500426/62826433-14768e00-bb81-11e9-8f05-24b17fe265dc.png

I was able to create a simple reproducer which removes the protocol from the equation.

Command:

    sudo nmap -sS --script +test -p 3389 target_ip

Script named 'test.nse':

    local nmap = require "nmap"
    local stdnse = require "stdnse"
    local shortport = require "shortport"

    categories = {"safe"}

    portrule = shortport.port_or_service("3389", "ms-wbt-server")

    action = function(host, port)
      -- Ordinary NSE socket; with -sS the raw-packet path is what gets exercised.
      local socket = nmap.new_socket()
      socket:set_timeout(5000)
      if not socket:connect(host, port) then
        return false, "Failed connecting to server"
      end
      -- One payload; watch the wire to see whether this segment goes out twice.
      local status, err = socket:send("If a packet hits a pocket on a socket on a port..")
      if not status then
        return false, err
      end
      stdnse.debug1("Sent, now waiting...")
      local _, data = socket:receive()
      stdnse.debug1("Closing")
      socket:close()
      return data
    end

Environment:

    $ nmap --version
    Nmap version 7.70SVN ( https://nmap.org )
    Platform: x86_64-unknown-linux-gnu
    Compiled with: nmap-liblua-5.3.5 openssl-1.1.1 libssh2-1.8.0 libz-1.2.11 nmap-libpcre-7.6 libpcap-1.8.1 nmap-libdnet-1.12 ipv6
    Compiled without:
    Available nsock engines: epoll poll select

    Linux sammich 5.0.0-23-generic #24~18.04.1-Ubuntu SMP Mon Jul 29 16:12:28 UTC 2019 x86_64 x86_6

- Tom

_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
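Tom notes that --packet-trace shows the payload leaving once while Wireshark shows it twice, so the capture, not Nmap's own trace, is the thing to check. The following is an added example (not code from this thread or from Nmap) that flags duplicate TCP segments in a capture the way Wireshark's "retransmission" analysis does: any segment that consumes sequence space (payload, SYN or FIN) and repeats an already-seen (src, sport, dst, dport, seq) tuple is reported with both frame numbers. It assumes a classic libpcap file with Ethernet/IPv4/TCP frames (a pcapng such as dicom-ping.pcapng must first be converted, e.g. with editcap -F pcap); checksums are not verified. The sample capture at the bottom is constructed to mirror the report (one NSE payload sent twice on port 3389) and is not a real trace.

```python
"""Flag duplicate TCP segments (retransmissions) in a classic libpcap capture."""
import struct
import sys

SYN, FIN, ACK, PSH = 0x02, 0x01, 0x10, 0x08


def iter_frames(data):
    """Yield raw link-layer frames from libpcap bytes (either byte order)."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == 0xA1B2C3D4:
        e = "<"
    elif magic == 0xD4C3B2A1:
        e = ">"
    else:
        raise ValueError("not a classic libpcap file (pcapng? convert with editcap -F pcap)")
    if struct.unpack(e + "I", data[20:24])[0] != 1:
        raise ValueError("only LINKTYPE_ETHERNET captures are handled here")
    off = 24
    while off + 16 <= len(data):
        incl_len = struct.unpack(e + "IIII", data[off:off + 16])[2]
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def parse_tcp(frame):
    """Return the IPv4/TCP fields needed for duplicate detection, or None."""
    if len(frame) < 54 or frame[12:14] != b"\x08\x00":   # not IPv4 over Ethernet
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != 6:                                        # not TCP
        return None
    total = struct.unpack("!H", ip[2:4])[0]
    tcp = ip[ihl:total]
    sport, dport, seq = struct.unpack("!HHI", tcp[:8])
    data_off = (tcp[12] >> 4) * 4
    return {"src": ".".join(map(str, ip[12:16])), "sport": sport,
            "dst": ".".join(map(str, ip[16:20])), "dport": dport,
            "seq": seq, "flags": tcp[13], "payload_len": len(tcp) - data_off}


def find_retransmissions(pcap_bytes):
    """Return (first_frame_no, dup_frame_no, key) for every repeated segment.
    Frame numbers are 1-based, matching Wireshark's frame column."""
    seen, dups = {}, []
    for n, frame in enumerate(iter_frames(pcap_bytes), start=1):
        p = parse_tcp(frame)
        if p is None:
            continue
        # SYN and FIN each occupy one sequence number; pure ACKs consume none
        # and legitimately repeat the same seq, so they are never flagged.
        consumes = p["payload_len"] + bool(p["flags"] & SYN) + bool(p["flags"] & FIN)
        if not consumes:
            continue
        key = (p["src"], p["sport"], p["dst"], p["dport"], p["seq"])
        if key in seen:
            dups.append((seen[key], n, key))
        else:
            seen[key] = n
    return dups


# --- constructed sample capture so the script runs offline; not a real trace ---

def _frame(src, sport, dst, dport, seq, ack, flags, payload=b""):
    """Ethernet/IPv4/TCP frame with zero checksums (the parser ignores them)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split(".")))) + tcp
    return b"\x00" * 12 + b"\x08\x00" + ip


def build_pcap(frames):
    """Wrap frames in a little-endian libpcap file (v2.4, LINKTYPE_ETHERNET)."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for i, f in enumerate(frames):
        out.append(struct.pack("<IIII", i, 0, len(f), len(f)) + f)
    return b"".join(out)


def sample_capture():
    """Handshake, the NSE payload sent twice (frames 4 and 5), then the reply."""
    c, s, cp, sp = "10.0.0.5", "10.0.0.10", 40001, 3389   # assumed addresses/ports
    req = b"If a packet hits a pocket on a socket on a port.."
    return build_pcap([
        _frame(c, cp, s, sp, 1000, 0, SYN),
        _frame(s, sp, c, cp, 5000, 1001, SYN | ACK),
        _frame(c, cp, s, sp, 1001, 5001, ACK),
        _frame(c, cp, s, sp, 1001, 5001, PSH | ACK, req),
        _frame(c, cp, s, sp, 1001, 5001, PSH | ACK, req),   # the duplicate
        _frame(s, sp, c, cp, 5001, 1001 + len(req), ACK),
        _frame(s, sp, c, cp, 5001, 1001 + len(req), PSH | ACK, b"reply"),
    ])


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else sample_capture()
    for first, dup, key in find_retransmissions(data):
        print("frame %d repeats frame %d: %s:%d -> %s:%d seq=%d" % ((dup, first) + key))
```

Run it with no arguments to see the constructed case (frame 5 repeats frame 4), or pass a converted capture of the -sS run to check whether the NSE payload segment is the one that repeats. A true retransmission reuses the same sequence number with the same length; if the second copy instead carries a new sequence number, the script is sending the data twice rather than the raw-packet layer resending it, which is the distinction worth settling before chasing the bug.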
Current thread:
- NSE: Packet retransmit breaking rdp-ntlm-info #1682 Tom Sellers (Aug 10)
- Re: NSE: Packet retransmit breaking rdp-ntlm-info #1682 (Not just rdp-ntlm-info but all NSE scripts) Paulino Calderon (Aug 11)