Nmap Development mailing list archives

Re: Nmap Online

From: David Matousek <david () matousec com>
Date: Thu, 30 Nov 2006 11:00:01 +0100

I see, --interactive is now forbidden, but even when it was not,
there was no how to insert anything on the standard input of the Nmap process.
The website interface offers no interface for this and shell commands injections
were and are forbidden.

Hans Nilsson wrote:

2. I just ment that through the --interactive mode you can normally
execute shell commands. (But as you said, it's not an issue on your
site.)

On Wed, 29 Nov 2006 19:22:14 +0100, "David Matousek"
<david () matousec com> said:

Hello,

1) Thanks for --interactive, will be added. It is not a problem even now,
because
such Nmap session would be killed after timeouted. But of course, it is
better
to add it.

2) You can not execute shell-commands (erm :) you should not be able to).

3) You can scan local network but the machine firewall will show you
nothing.
Maybe also a good idea to add to filter just to save a few ticks of
processor time.

Thanks!

-- 
David Matousek

Founder and Chief Representative of Matousec - Transparent security
http://www.matousec.com/

Ron Bowes wrote:
 > Hans Nilsson wrote:
 >> That might be prudent. I noticed that the --interactive flag doesn't
 >> seem to be blacklisted and you can execute shell-commands from there and
 >> everything. But it might not be an issue.
 >
 > I'm not sure if you can send commands with --interactive, but you're
 > right, it seems dangerous.
 >
 > Another idea -- don't allow people to scan the local network
 > (192.168.0.0/24).  Just a suggestion :)
 >
 > _______________________________________________
 > Sent through the nmap-dev mailing list
 > http://cgi.insecure.org/mailman/listinfo/nmap-dev
 > Archived at http://SecLists.Org
 >
 >



-- 
David Matousek

Founder and Chief Representative of Matousec - Transparent security
http://www.matousec.com/

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org

Current thread:

Nmap Online David Matousek (Nov 28)
- Re: Nmap Online Hans Nilsson (Nov 28)
  - Re: Nmap Online Diman Todorov (Nov 28)
- Re: Nmap Online Ron Bowes (Nov 28)
  - Re: Nmap Online Hans Nilsson (Nov 29)
    - Re: Nmap Online Ron Bowes (Nov 29)
    - Re: Nmap Online David Matousek (Nov 29)
    - Re: Nmap Online Ron Bowes (Nov 29)
    - Re: Nmap Online David Matousek (Nov 30)
    - Re: Nmap Online Hans Nilsson (Nov 30)
    - Re: Nmap Online David Matousek (Nov 30)