Nmap Development mailing list archives

ANNOUNCE: New HCSW utility: unix2inet-bridge.c


From: doug () hcsw org
Date: Mon, 18 Feb 2008 17:04:27 -0800

Hi nmap-dev,

HCSW is pleased to announce a simple but useful utility:

http://hcsw.org/downloads/unix2inet-bridge.c

When you're examining the network setup of a unix machine, naturally
you are usually most interested in AF_INET and AF_INET6, the address
families for IPv4 and IPv6. With version detection (-sV) you can gather
all sorts of interesting information from these services. But what do
you do to identify sockets of the lesser-known family AF_UNIX? Tools
like lsof/netstat are helpful, but of course we want to use Nmap!

AF_UNIX is potentially packed with interesting, unexplored services.
Here is a list of them on my Debian laptop, many of which aren't (yet)
identified with -sV:

# netstat -an|grep '^unix'|grep LISTEN
unix  2      [ ACC ]     STREAM     LISTENING     6915     @/var/run/hald/dbus-0hFDCqTi1k
unix  2      [ ACC ]     STREAM     LISTENING     8864     /tmp/orbit-doug/linc-cca-0-590c56e8c2648
unix  2      [ ACC ]     STREAM     LISTENING     11726    /var/run/postgresql/.s.PGSQL.5432
unix  2      [ ACC ]     STREAM     LISTENING     7356     /var/run/avahi-daemon/socket
unix  2      [ ACC ]     STREAM     LISTENING     7427     /var/run/dirmngr/socket
unix  2      [ ACC ]     STREAM     LISTENING     7674     /tmp/.X11-unix/X0
unix  2      [ ACC ]     STREAM     LISTENING     7474     /dev/printer
unix  2      [ ACC ]     STREAM     LISTENING     6916     @/var/run/hald/dbus-S0JFPFQnT2
unix  2      [ ACC ]     STREAM     LISTENING     7625     /tmp/.gdm_socket
unix  2      [ ACC ]     STREAM     LISTENING     7930     @/tmp/dbus-lGbuMgSqxq
unix  2      [ ACC ]     STREAM     LISTENING     6900     /var/run/dbus/system_bus_socket
unix  2      [ ACC ]     STREAM     LISTENING     7918     /tmp/ssh-cuhDDB3014/agent.3014
unix  2      [ ACC ]     STREAM     LISTENING     7921     /tmp/ssh-duhDDB3014/agent.3014
unix  2      [ ACC ]     STREAM     LISTENING     7985     /tmp/ksocket-doug/kdeinit__0
unix  2      [ ACC ]     STREAM     LISTENING     7987     /tmp/ksocket-doug/kdeinit-:0
unix  2      [ ACC ]     STREAM     LISTENING     7996     /tmp/.ICE-unix/dcop3126-1203374319
unix  2      [ ACC ]     STREAM     LISTENING     8096     /tmp/.ICE-unix/3137
unix  2      [ ACC ]     STREAM     LISTENING     8018     /tmp/ksocket-doug/klauncherPP5nnc.slave-socket
unix  2      [ ACC ]     STREAM     LISTENING     8854     /tmp/orbit-doug/linc-cce-0-14a91fe49129c

unix2inet-bridge.c lets us bridge these unix sockets into the inet domain,
primarily so we can run Nmap on them, but also as a general-purpose socket
bridge between families.

First we compile the bridge program:

# gcc -Wall -O3 unix2inet-bridge.c -o unix2inet-bridge

Next we pick an inet port and a unix domain socket to bridge, ensuring that
we have the necessary port and filesystem privileges. Let's pick the port
31337 and the postgres unix socket /var/run/postgresql/.s.PGSQL.5432:

# ./unix2inet-bridge 31337 /var/run/postgresql/.s.PGSQL.5432

This command will pause indefinitely, bridging all connections from port
31337 to the unix socket. We could've put an & at the end of the command
to run it in the background instead.

Now we can run Nmap (or any other AF_INET capable program) against port 31337:

# ./nmap -sV -p 31337 localhost

Starting Nmap 4.53 ( http://nmap.org ) at 2008-02-18 16:37 PST
Interesting ports on localhost.localdomain (127.0.0.1):
PORT      STATE SERVICE    VERSION
31337/tcp open  postgresql PostgreSQL DB

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.280 seconds


Sweet. Now kill the unix2inet-bridge process before somebody else finds it!


Doug Hoyte and HCSW Labs

Attachment: signature.asc
Description: Digital signature
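For readers who want to see what such a bridge looks like, here is a minimal tcp-to-unix-socket bridge written as an added example. It is not Doug's unix2inet-bridge.c (that source is at the URL above), and the file name tcp2unix.c and every function name in it are my own. It binds to 127.0.0.1 only rather than all interfaces, forks one relay process per accepted connection, forwards half-closes in each direction so a client or service that shuts down its write side is handled cleanly, and accepts the '@' abstract-namespace names that netstat prints in the listing above (they are a leading NUL byte, not a '@', on the wire). The bridge_self_test() routine drives relay() over two socketpairs so the core logic can be checked offline, with no listening port and no real service.

```c
/* tcp2unix.c: an added example, not Doug Hoyte's unix2inet-bridge.c. Accepts TCP on
 * 127.0.0.1:<port> and relays each connection to an AF_UNIX stream socket named by a
 * filesystem path or "@name" (Linux abstract namespace, the '@' form netstat prints). */
#include <errno.h>
#include <poll.h>
#include <signal.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <sys/un.h>

/* Build a sockaddr_un; "@name" becomes "\0name" and the length excludes the padding. */
static int unix_addr(const char *path, struct sockaddr_un *sun, socklen_t *len)
{
    size_t n = strlen(path);
    if (n == 0 || n >= sizeof sun->sun_path) return -1;
    memset(sun, 0, sizeof *sun);
    sun->sun_family = AF_UNIX;
    memcpy(sun->sun_path, path, n);
    if (path[0] == '@') sun->sun_path[0] = '\0';
    *len = (socklen_t)(offsetof(struct sockaddr_un, sun_path) + n + (path[0] != '@'));
    return 0;
}

static int connect_unix(const char *path)
{
    struct sockaddr_un sun; socklen_t len; int fd;
    if (unix_addr(path, &sun, &len) < 0) { errno = ENAMETOOLONG; return -1; }
    if ((fd = socket(AF_UNIX, SOCK_STREAM, 0)) < 0) return -1;
    if (connect(fd, (struct sockaddr *)&sun, len) < 0) { close(fd); return -1; }
    return fd;
}

/* Loopback only: the bridge bypasses the unix socket's file permissions, so it
 * must not be reachable from the network. */
static int listen_loopback(unsigned short port)
{
    struct sockaddr_in sin = {0}; int fd, one = 1;
    if ((fd = socket(AF_INET, SOCK_STREAM, 0)) < 0) return -1;
    setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one);
    sin.sin_family = AF_INET; sin.sin_port = htons(port);
    sin.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    if (bind(fd, (struct sockaddr *)&sin, sizeof sin) < 0 || listen(fd, 16) < 0) { close(fd); return -1; }
    return fd;
}

/* Copy bytes both ways, forwarding each half-close, until both directions see EOF.
 * Returns the byte count relayed, or -1 on a read/write error. */
static long relay(int a, int b)
{
    int fds[2] = {a, b}, open_dirs = 2; long total = 0; char buf[4096];
    struct pollfd p[2] = {{a, POLLIN, 0}, {b, POLLIN, 0}};
    while (open_dirs > 0) {
        if (poll(p, 2, -1) < 0) { if (errno == EINTR) continue; return -1; }
        for (int i = 0; i < 2; i++) {
            ssize_t n, w, off = 0;
            if (!(p[i].revents & (POLLIN | POLLHUP | POLLERR))) continue;
            if ((n = read(fds[i], buf, sizeof buf)) < 0) return -1;
            if (n == 0) {                      /* EOF here -> half-close the other side */
                shutdown(fds[1 - i], SHUT_WR);
                p[i].fd = -1; open_dirs--;     /* poll() ignores negative descriptors */
                continue;
            }
            while (off < n) {                  /* handle short writes */
                if ((w = write(fds[1 - i], buf + off, (size_t)(n - off))) < 0) return -1;
                off += w;
            }
            total += n;
        }
    }
    return total;
}

/* Offline check: two socketpairs stand in for the TCP client and the unix-socket
 * server. Returns 0 when data passes both ways and EOF propagates both ways. */
int bridge_self_test(void)
{
    int c[2], s[2]; char buf[16]; struct sockaddr_un sun; socklen_t len;
    const char *name = "@/tmp/dbus-lGbuMgSqxq";   /* an abstract socket from the list above */
    if (unix_addr(name, &sun, &len) < 0 || sun.sun_path[0] != '\0' ||
        len != offsetof(struct sockaddr_un, sun_path) + strlen(name)) return 1;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, c) < 0 || socketpair(AF_UNIX, SOCK_STREAM, 0, s) < 0) return 2;
    if (write(c[0], "hello", 5) != 5 || write(s[1], "world!", 6) != 6) return 3;
    shutdown(c[0], SHUT_WR); shutdown(s[1], SHUT_WR);  /* both outer ends half-close */
    if (relay(c[1], s[0]) != 11) return 4;
    if (read(s[1], buf, sizeof buf) != 5 || memcmp(buf, "hello", 5) != 0) return 5;
    if (read(c[0], buf, sizeof buf) != 6 || memcmp(buf, "world!", 6) != 0) return 6;
    if (read(c[0], buf, sizeof buf) != 0 || read(s[1], buf, sizeof buf) != 0) return 7;
    close(c[0]); close(c[1]); close(s[0]); close(s[1]);
    return 0;
}

int main(int argc, char **argv)
{
    if (argc != 3) { fprintf(stderr, "usage: %s <tcp-port> <unix-socket|@abstract>\n", argv[0]); return 2; }
    int lfd = listen_loopback((unsigned short)atoi(argv[1]));
    if (lfd < 0) { perror("listen"); return 1; }
    signal(SIGCHLD, SIG_IGN); signal(SIGPIPE, SIG_IGN);  /* auto-reap children; survive peer loss */
    for (;;) {
        int c = accept(lfd, NULL, NULL), u;
        if (c < 0) { if (errno == EINTR) continue; perror("accept"); return 1; }
        if (fork() == 0) {                     /* one relay process per TCP connection */
            close(lfd);
            if ((u = connect_unix(argv[2])) < 0) { perror(argv[2]); _exit(1); }
            relay(c, u);
            _exit(0);
        }
        close(c);
    }
}
```

Build and run it the same way as the post's tool (`gcc -Wall -O3 tcp2unix.c -o tcp2unix`, then `./tcp2unix 31337 /var/run/postgresql/.s.PGSQL.5432` and the same `nmap -sV -p 31337 localhost`). Two caveats worth keeping in mind with any bridge of this kind. First, the unix service no longer sees the TCP client; it sees the bridge process, so anything that authenticates on peer credentials (PostgreSQL's `peer` method in pg_hba.conf, the D-Bus EXTERNAL mechanism) will treat every connection as the user running the bridge, which is why the listener is bound to loopback and why Doug's advice to kill it afterwards matters. Second, the bridge also replaces the socket file's mode bits with whatever can reach the TCP port, so run it as the least-privileged user that can still open the target socket.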


_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
