Re: NSE issue with shortport

["Eddie Bell" <ejlbell () gmail com>]

Looks like portnumber() doesn't have support for that form of construct

   if (port.protocol == proto and port.state == state)

Which will never be true as port.state is a string and state is a
table. I've attached a patch, could you try it out?

- eddie

On 13/11/2007, Thomas Buchanan <TBuchanan () thecompassgrp net> wrote:
> I was doing some testing with 4.23RC1 today, and I noticed an issue with
> NSE matching rules for a couple of scripts that use the
> shortport.portnumber library routine for portrule.  The rule doesn't
> seem to match, even if the port is correctly detected as open.
>
> For example:  I'm scanning a system with SNMP enabled, so I used the
> SNMPsysdesr.nse script to see what information I could get out of it.
>
> # nmap -sU --script=SNMPsysdesr.nse --script-trace -d -p 161
> 192.168.xxx.yyy
> Starting Nmap 4.23RC1 ( http://insecure.org ) at 2007-11-13 16:21 CST
> <snip output>
> SCRIPT ENGINE: Initiating script scanning.
> SCRIPT ENGINE: Script scanning .
> SCRIPT ENGINE: Using
> /home/tbuchanan/apps/libexec/nmap/nse/?.so;./?.so;/usr/local/lib/lua/5.1
> /?.so;/usr/local/lib/lua/5.1/loadall.so to search for C-modules and
> /home/tbuchanan/apps/share/nmap/nselib/?.lua;./?.lua;/usr/local/share/lu
> a/5.1/?.lua;/usr/local/share/lua/5.1/?/init.lua;/usr/local/lib/lua/5.1/?
> .lua;/usr/local/lib/lua/5.1/?/init.lua for Lua-modules
> SCRIPT ENGINE: Initialized 1 rules
> SCRIPT ENGINE: Matching rules.
> SCRIPT ENGINE: Running scripts.
> SCRIPT ENGINE: Script scanning completed.
> Host 192.168.xxx.yyy appears to be up ... good.
> Interesting ports on 192.168.xxx.yyy:
> PORT    STATE         SERVICE REASON
> 161/udp open|filtered snmp    no-response
> Final times for host: srtt: 1739 rttvar: 5000  to: 100000
> ...
>
> The relevant portrule section from SNMPsysdesr.nse:
>
> require "shortport"
>
> portrule = shortport.portnumber(161, "udp", {"open", "open|filtered"})
>
>
> I'm not exactly sure how this shortport rule works, but it looks to me
> like this should trigger a match on the system I scanned.  I looked at
> the definition of the portnumber function in the shortport.lua file, but
> nothing obvious jumped out at me.
>
> If I go back to a older copy of the script, with the long, explicit
> definition of the portrule, it works fine:
>
> #  nmap -sU --script=SNMPv1.nse --script-trace -d -p 161 192.168.xxx.yyy
> Starting Nmap 4.23RC1 ( http://insecure.org ) at 2007-11-13 16:22 CST
> <snip>
> SCRIPT ENGINE: Initiating script scanning.
> SCRIPT ENGINE: Script scanning .
> SCRIPT ENGINE: Using
> /home/tbuchanan/apps/libexec/nmap/nse/?.so;./?.so;/usr/local/lib/lua/5.1
> /?.so;/usr/local/lib/lua/5.1/loadall.so to search for C-modules and
> /home/tbuchanan/apps/share/nmap/nselib/?.lua;./?.lua;/usr/local/share/lu
> a/5.1/?.lua;/usr/local/share/lua/5.1/?/init.lua;/usr/local/lib/lua/5.1/?
> .lua;/usr/local/lib/lua/5.1/?/init.lua for Lua-modules
> SCRIPT ENGINE: Initialized 1 rules
> SCRIPT ENGINE: Matching rules.
> SCRIPT ENGINE: Will run
> /home/tbuchanan/apps/share/nmap/scripts/SNMPv1.nse against
> 192.168.xxx.yyy:161
> SCRIPT ENGINE: Running scripts.
> SCRIPT ENGINE: Runlevel: 1.000000
> Initiating SCRIPT ENGINE at 16:22
> <snip debug output>
> SCRIPT ENGINE: Script scanning completed.
> Host 192.168.xxx.yyy appears to be up ... good.
> Interesting ports on 192.168.xxx.yyy:
> PORT    STATE SERVICE REASON
> 161/udp open  snmp    no-response
> |  SNMPv1: .Hardware: x86 Family 15 Model 2 Stepping 8 AT/AT COMPATIBLE
> - Software: Windows NT Version 4.0  (Build Number: 1381 Uniprocessor
> Free )
> |    System uptime: 5 days, 20:5:21.24 (50432124 timeticks)
> |    System name: NT4SERVER-SP2
> |    System location: Test lab
> |_   System contact: <snip>
>
>
> This same issue also shows up in MSSQLm.nse.  Any ideas?  I have the
> full output of the scans if any more information is required.
>
> Thanks,
>
> Thomas
>
> _______________________________________________
> Sent through the nmap-dev mailing list
> http://cgi.insecure.org/mailman/listinfo/nmap-dev
> Archived at http://SecLists.Org

Attachment: short.patch.gz
Description:

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org