Re: NSE: Packet retransmit breaking rdp-ntlm-info #1682 (Not just rdp-ntml-info but all NSE scripts)

[Paulino Calderon <paulino () calderonpale com>]

Hey Tom,

I just spotted this behavior too on another script when debugging a problem Fotis reported me so I’m guessing it is 
something related to packet fragmentation and it is affecting all NSE scripts. Similar issue as you described, script 
was crashing due to packet fragmentation. Attaching the pcap that made me spot this.

Attachment: dicom-ping.pcapng
Description:

Paulino Calderon Pale || @calderpwn on Twitter || http://www.calderonpale.com



> On Aug 10, 2019, at 3:24 PM, Tom Sellers <nmap () fadedcode net> wrote:
>
> All,
>  I'm tossing a copy of GitHub issue #1682 ( https://github.com/nmap/nmap/issues/1682 ) here so that more people may 
> see it.
>
> Copied from the issue:
>
>
>
> I've seen some reports, which I was able to reproduce, that rdp-ntlm-info didn't work against Windows 7. While 
> testing I noticed that some of the packets were being sent twice which was breaking the protocol negotiation. This 
> seems to happen when scanning with -sS but not -sT.
>
> This appears to be an issue with Nmap or NSE and how raw packets are handled.
>
> You can observe the retransmission using Wireshark / tcpdump.
>
> Reproduce error
>
> sudo nmap -sS --script rdp-ntlm-info -p 3389  -n   target_ip
>
>
> Workaround
>
> sudo nmap -sT --script rdp-ntlm-info -p 3389  -n   target_ip
>
>
> When running with --packet-trace I only see Nmap send the packet once (in the output) in either case.
>
> If you view the traffic with Wireshark you can see that it is re-transmitted.
>
> In the image linked below Packet 15 is the original, packet 16 is the retransmission:
> https://user-images.githubusercontent.com/6500426/62826433-14768e00-bb81-11e9-8f05-24b17fe265dc.png
>
>
>
> I was able to create a simple reproducer which removes the protocol from the equation.
>
> Command
>
> sudo nmap -sS --script +test -p 3389 target_ip
>
> Script named 'test.nse'
>
> local nmap = require "nmap"
> local stdnse = require "stdnse"
> local shortport = require "shortport"
>
> categories = {"safe"}
>
> portrule = shortport.port_or_service("3389", "ms-wbt-server")
>
> action = function( host, port )
>
>  socket = nmap.new_socket()
>  socket:set_timeout(5000)
>  if ( not(socket:connect(host, port)) ) then
>    return false, "Failed connecting to server"
>  end
>
>  local status, err = socket:send("If a packet hits a pocket on a socket on a port..")
>  if ( not(status) ) then
>    return false, err
>  end
>
>  stdnse.debug1("Sent, now waiting...")
>  _, data = socket:receive()
>
>  stdnse.debug1("Closing")
>  socket:close()
>  return data
> end
>
>
> Environment
>
> $ nmap --version
> Nmap version 7.70SVN ( https://nmap.org )
> Platform: x86_64-unknown-linux-gnu
> Compiled with: nmap-liblua-5.3.5 openssl-1.1.1 libssh2-1.8.0 libz-1.2.11 nmap-libpcre-7.6 libpcap-1.8.1 
> nmap-libdnet-1.12 ipv6
> Compiled without:
> Available nsock engines: epoll poll select
>
> Linux sammich 5.0.0-23-generic #24~18.04.1-Ubuntu SMP Mon Jul 29 16:12:28 UTC 2019 x86_64 x86_6
>
>
> - Tom
> _______________________________________________
> Sent through the dev mailing list
> https://nmap.org/mailman/listinfo/dev
> Archived at http://seclists.org/nmap-dev/

_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/