Re: Scripting NMAP -> or maybe NSE?"

[Jess <jess () thecharbneaus com>]

On Tue, Feb 27, 2007 at 06:15:44AM +0000, Brandon Enright wrote:
> On Mon, 26 Feb 2007 17:34:34 -0500
> Jess <jess () thecharbneaus com> wrote:
>
> > Hello,
> >   Reposting this in the nmap-dev list per suggestion from Fyodor.
> >
> > I wrote a perl script several years ago that would catalog all of the
> > open ports on our network (the network I worked on at the time).  I was
> > perusing my code recently, and noticed that I had originally built this
> > to run as root. With the newer operating systems, specifically the Linux
> > distro's, most are using sudo.  So I was looking through the mailing list
> > archives at insecure.org, and noticed that there is now a NSE.
> >
> > The overall idea of this app is to run daily, and catalog all of the open
> > ports, then run the next day and compare the results.  Kind of like a
> > AIDE for the network.
> >
> > So, I guess I have two questions:
> >
> > 1.> Is sudo safe for this?  I would like to run my scripts (I am
> > rewriting now) as monitor, but make a call to nmap to get port
> > information for the current host in the scan.  Is sudo a good method?
> > Any suggestions around the best way to implement this?  It seems I have
> > read articles/man pages saying that sudo is not so good as it "remembers"
> > the credentials for a given user. Thoughts?
> >
> > 2.> NSE.  Is this better/worse for scripting of nmap?   Pros/Cons?
> >
> > Thanks Everyone!
> >
> > Jess
>
> I'm assuming if you are trying to do this in a script sudo will be
> passwordless.  Give "sudo nmap --interactive" and then "!/bin/bash" a try
> and you'll probably decide you don't want to go the sudo way.
>
> One of the more common Unix ways to run a binary securly as root in a
> script or for unprivileged users is to make a small (compiled) program that
> understands a few preset command line options and is SUID'd to root.
>
> Something like this pseudo C here:
>
> /* Run Nmap securely as root */
>
> #include <stdlib.h>
> #include <stdio.h>
>
> int main (...) {
>
>    /* whatever needs to be here */
>
>    if (arg1 == "quick") {
>       system("nmap -T5 -v ... -oA default_file <preset ips>");
>    }
>    else if (arg1 == "everything") {
>       system("nmap -sV -O2 -v -p- -T4 ... -oA default_file <preset ips>");
>    }
>    else if { /* you get the idea */ }
>
>    /* More of whatever needs to be here */
>
> }
>
>
> Then you would compile your program and do a "chmod +s root_nmap".  If you
> wanted root_nmap to be able to actually take IPs rather than have preset
> scans you'll need to be EXTRA careful that you don't allow anything other
> than IPs.
>
> I bet more than one person on this list has a nice little nmap root wrapper
> that understand presets or a very limited set of options and would be
> willing to share.
>
> Brandon
>
> -- 
> Brandon Enright
> Network Security Analyst
> UCSD ACS/Network Operations
> bmenrigh () ucsd edu
Hi Brandon,
  Thanks for the reply!  This sounds like exactly what I had in mind.  I am not
an especially strong C programmer, but will whip something up over the next few
days.  Should I repost here for some critique or should I shoot it over to one
of the comp.c programming newsgroups? 

Thanks again for your suggestions!

Jess


_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org