Nmap Announce mailing list archives

Re: nmap..... via web


From: ajax <ajax () mobis com>
Date: Fri, 19 Feb 1999 14:05:27 -0600 (EST)

> You mean this sanity checking?
>
>    # sanity check: blacklist of shell metacharacters
>    if ($query->param('ip_address') =~ /[~`\#\$\!\%\^\&\*()\|\[\]\{\}\:\;\?]/ ) {
>        print "<H1><tt>Sorry, Try again.</tt></H1>";
>        exit;
>    }
>
> and then later you call:
>
>    $output = `$nmap $ipaddress 2>&1`;
>
> This doesn't look very sufficient to me.  For example, the banned chars
> don't include space or '-'.  So what is to stop someone from giving an IP

I added the '-' check... it's hard to embed a %0D%0A because '%' is already
checked.  Also added checking for '/'. I'll make the script have clickable
buttons for supporting nmap's options. Most of the code was ripped from a
cgi I wrote a couple years ago that did the same thing.  I personally
think a web interface to nmap only enhances the stupidity of the users
using the data it returns.  I feel sorry for the users who would rely
solely on such an interface and not understand the workings behind it.

Something else I did was expand the extensions I've been doing to nmap to
include such things as rpc scanning for rpc services on a given
fingerprint match.  Another thing is that if no fingerprints are available
for a given IP, it will try to banner_check port 23 against a list of
predefined OS banners trying to manually figure out the ostype.  Of course
it's trivial to change login banners; a large percentage of hosts are
stock, though. I'm working on regular expression-like syntax in the
wait-for data.  What would be cool is if nmap did rpc scanning, threw
it into currenths with structures like struct rpcent, r_name specifically;
versions and ports would be nice also.  It's about five lines of code to do
this. ;)

later

ajax
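The thread's point is that a blacklist of shell metacharacters in front of a backtick call still lets a space or a leading '-' through. The following is an added example (not code from the thread or from nmap) that reproduces the original blacklist for comparison and puts a hardened version beside it: accept only a single IP literal or hostname, and hand it to the scanner as an argv list so no shell ever parses it. Function names and the `/usr/bin/nmap` path are assumptions.

```python
import ipaddress
import re
import subprocess
from typing import List, Optional

# The CGI's original blacklist, transcribed from the message above.
BANNED = re.compile(r'[~`#$!%^&*()|\[\]{}:;?]')


def blacklist_ok(target: str) -> bool:
    """Original check: reject only when a banned character is present.
    Space and '-' are not banned, so "192.0.2.1 --help" passes."""
    return BANNED.search(target) is None


# RFC 1123 hostname: labels of 1-63 alphanumerics/hyphens, no leading/trailing
# hyphen, whole name at most 253 characters. A leading '-' can never match.
HOSTNAME = re.compile(
    r'^(?=.{1,253}$)'
    r'[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?'
    r'(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$'
)


def allowlist_target(target: str) -> Optional[str]:
    """Hardened check: accept exactly one IPv4/IPv6 literal or one hostname.
    Returns the normalised target, or None for anything else (spaces,
    options, metacharacters, multiple targets)."""
    target = target.strip()
    try:
        return str(ipaddress.ip_address(target))  # normalises e.g. IPv6 case
    except ValueError:
        pass
    if HOSTNAME.fullmatch(target):
        return target
    return None


def build_argv(nmap: str, target: str) -> Optional[List[str]]:
    """Build the argument vector for a shell-free exec. With a list, the
    target is one argument to nmap, never a string the shell re-splits."""
    checked = allowlist_target(target)
    if checked is None:
        return None
    return [nmap, checked]


def run_scan(nmap: str, target: str) -> Optional[str]:
    """Run the scanner without a shell; returns None if the target is refused."""
    argv = build_argv(nmap, target)
    if argv is None:
        return None
    done = subprocess.run(argv, capture_output=True, text=True)
    return done.stdout + done.stderr
```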
