Nmap Development mailing list archives
Re: Scripting NMAP -> or maybe NSE?"
From: Jess <jess () thecharbneaus com>
Date: Thu, 1 Mar 2007 14:15:59 -0500
On Tue, Feb 27, 2007 at 06:15:44AM +0000, Brandon Enright wrote:
On Mon, 26 Feb 2007 17:34:34 -0500 Jess <jess () thecharbneaus com> wrote:Hello, Reposting this in the nmap-dev list per suggestion from Fyodor. I wrote a perl script several years ago that would catalog all of the open ports on our network (the network I worked on at the time). I was perusing my code recently, and noticed that I had originally built this to run as root. With the newer operating systems, specifically the Linux distro's, most are using sudo. So I was looking through the mailing list archives at insecure.org, and noticed that there is now a NSE. The overall idea of this app is to run daily, and catalog all of the open ports, then run the next day and compare the results. Kind of like a AIDE for the network. So, I guess I have two questions: 1.> Is sudo safe for this? I would like to run my scripts (I am rewriting now) as monitor, but make a call to nmap to get port information for the current host in the scan. Is sudo a good method? Any suggestions around the best way to implement this? It seems I have read articles/man pages saying that sudo is not so good as it "remembers" the credentials for a given user. Thoughts? 2.> NSE. Is this better/worse for scripting of nmap? Pros/Cons? Thanks Everyone! JessI'm assuming if you are trying to do this in a script sudo will be passwordless. Give "sudo nmap --interactive" and then "!/bin/bash" a try and you'll probably decide you don't want to go the sudo way. One of the more common Unix ways to run a binary securly as root in a script or for unprivileged users is to make a small (compiled) program that understands a few preset command line options and is SUID'd to root. Something like this pseudo C here: /* Run Nmap securely as root */ #include <stdlib.h> #include <stdio.h> int main (...) { /* whatever needs to be here */ if (arg1 == "quick") { system("nmap -T5 -v ... -oA default_file <preset ips>"); } else if (arg1 == "everything") { system("nmap -sV -O2 -v -p- -T4 ... -oA default_file <preset ips>"); } else if { /* you get the idea */ } /* More of whatever needs to be here */ } Then you would compile your program and do a "chmod +s root_nmap". If you wanted root_nmap to be able to actually take IPs rather than have preset scans you'll need to be EXTRA careful that you don't allow anything other than IPs. I bet more than one person on this list has a nice little nmap root wrapper that understand presets or a very limited set of options and would be willing to share. Brandon -- Brandon Enright Network Security Analyst UCSD ACS/Network Operations bmenrigh () ucsd edu
Hi Brandon, Thanks for the reply! This sounds like exactly what I had in mind. I am not an especially strong C programmer, but will whip something up over the next few days. Should I repost here for some critique or should I shoot it over to one of the comp.c programming newsgroups? Thanks again for your suggestions! Jess _______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://SecLists.Org
Current thread:
- Scripting NMAP -> or maybe NSE? Jess (Feb 26)
- Re: Scripting NMAP -> or maybe NSE? Joshua D. Abraham (Feb 26)
- Re: Scripting NMAP -> or maybe NSE? Jess (Mar 01)
- Re: Scripting NMAP -> or maybe NSE?" Brandon Enright (Feb 26)
- Re: Scripting NMAP -> or maybe NSE?" Jess (Mar 01)
- Re: Scripting NMAP -> or maybe NSE? Joshua D. Abraham (Feb 26)