Nmap Development mailing list archives

Nmap SoC 2008 Success Stories


From: Fyodor <fyodor () insecure org>
Date: Wed, 15 Oct 2008 17:59:02 -0700

Hi Folks.  The Google Summer of Code pencils-down date was in August,
and we've been busily integrating code since then.  Thanks to the
continued help of the participants themselves as well as the wider
Nmap community, I'm happy to report that most of the code has now been
integrated!  As this report will demonstrate, the 2008 Nmap/Google
Summer of Code was another huge success for the project!

I'll start with the raw numbers:

In 2005, 70% (7 out of 10) students succeeded, and they tackled some
wonderful projects!  This was the year that Zenmap (then named Umit),
Ncat, and the 2nd generation OS detection systems got their starts.
Doug Hoyte first made major contributions that summer, and continues
helping to this day.  I was the mentor for all 10 students, and I had
them all send me patches rather than providing SVN access.  Nmap
didn't even have a public SVN tree at this point.  Here is a more
detailed writeup:
http://slashdot.org/comments.pl?sid=183143&cid=15133184

In 2006, I had a better idea of what works and what doesn't and was
able to improve the success rate to 80% (8 out of 10).  Perhaps the
most exciting project was the Nmap Scripting Engine, which has become
one of Nmap's most compelling features.  We also finished and
integrated the 2nd generation OS detection system, and Zenmap (Umit)
continued to improve.  I again mentored the students myself without
providing SVN access.  Read the details at
http://seclists.org/nmap-dev/2007/q1/0235.html .

In 2007, our success rate grew again to 83% (5 of 6)!  I attribute
part of the success to me being less of a control freak.  For example,
I took only 4 students compared to 10 the previous year.  The
remaining two 2006 students were mentored by Diman Todorov, who
created NSE as a 2006 SoC student.  I also made the Nmap SVN server
public and provided commit access to the students.  This year we
formally integrated Zenmap into the Nmap build system and packages,
making massive improvements along the way.  This Summer also
introduced David Fifield to the Nmap project and was the first SoC for
Kris Katterjohn.  Both of them have been prolific developers ever
since then.  Read the details at:
http://seclists.org/nmap-dev/2007/q4/0024.html

Enough with the history--let's take a look at our 2008 results!  I'm
happy to report that we had an 86% (6 out of 7) success rate.  In
other words, our success rate has increased every single year!  I like
to credit improved processes and interaction based on what we've
learned before, but it also helps that we invite the best students
back in later years.  We've never had a 2nd year (or more) student
fail.  This year we expanded to three mentors, all of whom (except for
me) were former SoC students.  Now let's look in detail at our 2008
SoC accomplishments:

Patrick Donnelly made substantial NSE infrastructure improvements.  He
added mutex support and an NSE Standard Library (stdnse), fixed some
serious bugs, and rewrote and optimized a substantial amount of code
(particularly the nse_init system).  But his crowning accomplishment
was the NSEDoc system, which uses special comments and variables in
script and library code to generate a comprehensive documentation
portal at http://nmap.org/nsedoc/ .

Kris Katterjohn, who already had hundreds of useful Nmap patches to
his name, returned for 2008 to write hundreds more!  There is no way I
can list everything he did here, particularly as his contributions
ranged all over the map from writing NSE libraries (such as the
username/password module unpwdb and the standardized communication
comm library) to improving Windows support (adding IPv6 and OpenSSL).
His biggest project has been finishing up Ncat, our advanced Netcat
replacement (which began as a 2005 SoC project by Chris Gibson).  Ncat
is now integrated with Nmap in our latest SVN revision.  Learn more
about this exciting new tool at http://nmap.org/ncat/ .

Vladimir Mitrovic spent the summer improving the Zenmap GUI, under
David Fifield's expert mentorship.  They made huge usability and
stability improvements, but the pinnacle of their summer achievement
was clearly the scan aggregation and topology features!  Scan
aggregation allows you to conduct multiple scans at different times
and add them seamlessly to your existing results.  Topology draws a
beautiful interactive diagram of the discovered network.  Learn more
about these features (and view the pretty pictures) at
http://nmap.org/book/zenmap-topology.html and
http://nmap.org/book/zenmap-scanning.html#aggregation.

Jurand Nogiec also worked with David on Zenmap, and was responsible
for many key UI improvements which now seem obvious in hindsight.  For
example, he added a cancel button for aborting a scan in progress
without clearing the Nmap output, and he added context-sensitive help
to the many dozens of options in the Profile Editor.  He also made
numerous improvements to the command entry field for people who like to
type Nmap commands directly, while still benefiting from Zenmap's
visual and searchable presentation of results.

Michael Pattrick was David's third student, and he accomplished a wide
variety of tasks.  For example, he created a new OSAssist application
for testing and integrating the thousands of Nmap OS detection
submissions sent in by Nmap users all over the world.  With OSAssist,
integration is more accurate and much less tedious.  Michael also
built two prototypes (one in Perl and then another in C++) for an Ndiff
application which compares two or more scan output files and prints
out any changes.  The prototypes proved so popular that David wrote a
final version in Python which is now integrated with Nmap in our
latest SVN revision.

Philip Pickering spent the summer working on NSE scripts and
libraries.  We've already incorporated his libraries for binary data
manipulation (binlib), DNS queries, Base64 encoding, SNMP, POP3, and
cryptographic hashes.  We've also incorporated several scripts he
wrote utilizing these new libraries.

In addition to these core Nmap projects, 5 students were sponsored to
work on the UMIT Nmap GUI (now a separate project led by Adriano
Marques).  Four of their five students passed, as described at:
http://blog.umitproject.org/2008/08/google-summer-of-code-results.html

Please join me in congratulating all these students for their
excellent work!  I'm particularly pleased that many of the SoC
students have continued contributing even though the summer has ended.
I'm looking forward to GSoC 2009 (assuming it is held again and they
invite us), but 2008 will be a tough year to top!

Cheers,
Fyodor

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org

