Nmap Development mailing list archives
New syntax for Ncat --allow and --deny
From: David Fifield <david () bamsoftware com>
Date: Fri, 20 Feb 2009 21:13:23 -0700
On Thu, Feb 19, 2009 at 11:57:38AM -0700, David Fifield wrote:
> I am working on this TODO item:
>
> o Ncat --allow/--deny bug: "--allow and --deny only support host
>   specification by IP address, and give no warning when you use another
>   form such as a host name." Should probably use same syntax as
>   --exclude. We also want to at least do verification at the beginning
>   to make sure all the entries are legitimately formed. We probably
>   want to do things like DNS resolution at the beginning too. Otherwise
>   we might have a DNS failure when we actually get a connection and
>   perhaps have to reject the connection wrongly, or risk a false
>   negative. This is a fairly serious problem in my opinion.
>
> The way Ncat's allow/deny handling works now is that it loads the specifications into a list, as strings with no interpretation. When a new connection comes in, the address is converted to a string and compared textually with the entries in the list, following a few simple patterns (http://nmap.org/ncat/guide/ncat-access.html). If you use an unsupported pattern, you get no warning, and that pattern will never match any address. This has security implications if you say "--deny hostname" expecting it to work, or make a typo like "--deny 192.168.00".
I finished the enhancements and merged them back in r12237. The new documentation is at http://nmap.org/ncat/guide/ncat-access.html. There's not much new there because the new syntax is deliberately similar to Nmap's target specification. The only big difference is support for CIDR netmasks with IPv6 addresses.

Ncat's parser is a reimplementation of the parser in Nmap's TargetGroup.cc. Believe me, I felt bad about that. I decided that reimplementing it was the right thing for a few reasons. First, Ncat is a pure C program with no dependencies on any (C++) Nmap files. Linking with TargetGroup.o would change that. Second, I wanted support for IPv6 netmasks. Third, I had a neat idea for representing IPv4 ranges as bit vectors.

There are tests for the new code in the file ncat/tests/test-addrset.sh. I encourage you to run it. If you get anything other than a screen full of "PASS", it's a bug and you should report it.

David Fifield

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
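The message argues for two properties an access list needs: every entry is parsed and checked when the list is loaded (so a typo like "192.168.00" is refused instead of silently never matching), and host names are resolved up front rather than at connection time. The following is an added example illustrating that design in Python; it is not Ncat's addrset code, the Nmap TargetGroup.cc parser, or anything from the thread. It accepts plain addresses, IPv4 and IPv6 CIDR blocks and Nmap-style octet ranges such as 10.1.2.1-10 (other Nmap range forms are not handled), and the names AddrSet, load_set, rejects, is_permitted, the constructed _FAKE_DNS table and the deny-wins precedence rule in is_permitted are all assumptions of this example, not a statement of Ncat's behaviour.

```python
"""Allow/deny address set that validates every entry when the list is loaded.

Added example, not Ncat's own addrset code: it demonstrates failing at load
time on malformed entries, resolving host names once up front, and matching
IPv4/IPv6 CIDR blocks plus Nmap-style octet ranges such as 10.1.2.1-10.
"""
import ipaddress
import re
import socket
from typing import Callable, List, Optional, Set


class AddrSpecError(ValueError):
    """Raised at load time for any entry that cannot be interpreted."""


# One dotted field of an octet-range spec: a number, a range a-b, or a comma list.
_OCTET_FIELD = re.compile(r"^\d{1,3}(-\d{1,3})?(,\d{1,3}(-\d{1,3})?)*$")
_HOSTNAME = re.compile(r"^[A-Za-z0-9.-]+$")


def _expand_octet(field: str) -> Set[int]:
    """Expand '1-3,10' into {1, 2, 3, 10}, rejecting values outside 0-255."""
    values: Set[int] = set()
    for part in field.split(","):
        lo, _, hi = part.partition("-")
        lo_i, hi_i = int(lo), (int(hi) if hi else int(lo))
        if not 0 <= lo_i <= hi_i <= 255:
            raise AddrSpecError(f"octet out of range in {field!r}")
        values.update(range(lo_i, hi_i + 1))
    return values


def _default_resolve(name: str) -> List[str]:
    """Resolve with the system resolver; socket.gaierror is an OSError."""
    return sorted({info[4][0] for info in socket.getaddrinfo(name, None)})


class AddrSet:
    def __init__(self, resolver: Optional[Callable[[str], List[str]]] = None):
        self._networks = []      # ipaddress network objects, v4 and v6
        self._octet_specs = []   # tuples of four frozensets of allowed octets
        self._resolve = resolver or _default_resolve

    def add(self, spec: str) -> None:
        spec = spec.strip()
        if not spec:
            raise AddrSpecError("empty entry")
        # 1. Plain address or CIDR block, IPv4 or IPv6. ipaddress rejects
        #    malformed input such as '192.168.00' or '10.0.0.0/33'.
        try:
            self._networks.append(ipaddress.ip_network(spec, strict=False))
            return
        except ValueError:
            pass
        # 2. Nmap-style octet ranges: four dotted fields, each a range or list.
        fields = spec.split(".")
        if len(fields) == 4 and all(_OCTET_FIELD.match(f) for f in fields):
            self._octet_specs.append(tuple(frozenset(_expand_octet(f)) for f in fields))
            return
        # 3. Digits and dots that reached this point are a broken address, not
        #    a host name; never let such an entry fall through to DNS.
        if re.fullmatch(r"[\d.]+", spec) or not _HOSTNAME.match(spec):
            raise AddrSpecError(f"unrecognised address specification: {spec!r}")
        # 4. Host name: resolve now so a DNS failure surfaces at load time
        #    rather than when a connection arrives.
        try:
            addrs = self._resolve(spec)
        except OSError as exc:
            raise AddrSpecError(f"cannot resolve {spec!r}: {exc}") from exc
        if not addrs:
            raise AddrSpecError(f"{spec!r} resolved to no addresses")
        for addr in addrs:
            self._networks.append(ipaddress.ip_network(addr))

    def contains(self, addr: str) -> bool:
        ip = ipaddress.ip_address(addr)
        if any(ip in net for net in self._networks):
            return True
        if ip.version == 4:
            octets = tuple(ip.packed)  # four ints
            return any(all(o in ok for o, ok in zip(octets, spec))
                       for spec in self._octet_specs)
        return False


def load_set(specs, resolver=None) -> AddrSet:
    """Build a set from a list of entries; the first bad entry aborts the load."""
    s = AddrSet(resolver)
    for spec in specs:
        s.add(spec)
    return s


def rejects(spec: str, resolver=None) -> bool:
    """True if the entry is refused at load time."""
    try:
        load_set([spec], resolver)
    except AddrSpecError:
        return True
    return False


def is_permitted(addr: str, allow: Optional[AddrSet], deny: AddrSet) -> bool:
    """Assumed policy (not a statement of Ncat's rule): a deny match always
    wins; if an allow list was given, the address must also match it."""
    if deny.contains(addr):
        return False
    return allow is None or allow.contains(addr)


# Constructed resolver table standing in for DNS so the example runs offline.
_FAKE_DNS = {"gw.example.test": ["10.0.0.1", "fd00::1"]}


def fake_resolve(name: str) -> List[str]:
    try:
        return _FAKE_DNS[name]
    except KeyError:
        raise socket.gaierror(f"constructed resolver: no such host {name!r}")


if __name__ == "__main__":
    allow = load_set(["192.168.0.0/24", "2001:db8::/32", "10.1.2.1-10",
                      "gw.example.test"], fake_resolve)
    print(allow.contains("192.168.0.77"), allow.contains("10.1.2.11"),
          rejects("192.168.00"))
```

Step 3 is the part worth copying: a string made only of digits and dots that the address parser refused must be an error, because handing it to a resolver can quietly turn "192.168.00" into a real address on some platforms. Swap fake_resolve for the default resolver to use real DNS.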