Nmap Development mailing list archives

New syntax for Ncat --allow and --deny


From: David Fifield <david () bamsoftware com>
Date: Fri, 20 Feb 2009 21:13:23 -0700

On Thu, Feb 19, 2009 at 11:57:38AM -0700, David Fifield wrote:
I am working on this TODO item:

o Ncat --allow/--deny bug: "--allow and --deny only support host
  specification by IP address, and give no warning when you use
  another form such as a host name." Should probably use same syntax
  as --exclude. We also want to at least do verification at the
  beginning to make sure all the entries are legitimately formed.  We
  probably want to do things like DNS resolution at the beginning
  too. Otherwise we might have a DNS failure when we actually get a
  connection and perhaps have to reject the connection wrongly, or
  risk a false negative.

This is a fairly serious problem in my opinion. The way Ncat's
allow/deny handling works now is that it loads the specifications into a
list, as strings with no interpretation. When a new connection comes in,
the address is converted to a string and compared textually with the
entries in the list, following a few simple patterns
(http://nmap.org/ncat/guide/ncat-access.html). If you use an unsupported
pattern, you get no warning, and that pattern will never match any
address. This has security implications if you say "--deny hostname"
expecting it to work, or make a typo like "--deny 192.168.00".

I finished the enhancements and merged them back in r12237. The new
documentation is at http://nmap.org/ncat/guide/ncat-access.html. There's
not much new there because the new syntax is deliberately similar to
Nmap's target specification. The only big difference is support for
CIDR netmasks with IPv6 addresses.

Ncat's parser is a reimplementation of the parser in Nmap's
TargetGroup.cc. Believe me, I felt bad about that. I decided that
reimplementing it was the right thing for a few reasons. First, Ncat is
a pure C program with no dependencies on any (C++) Nmap files. Linking
with TargetGroup.o would change that. Second, I wanted support for IPv6
netmasks. Third, I had a neat idea for representing IPv4 ranges as bit
vectors.

There are tests for the new code in the file ncat/tests/test-addrset.sh.
I encourage you to run it. If you get anything other than a screen full
of "PASS", it's a bug and you should report it.

David Fifield
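The post's security point is that the old allow/deny implementation compared addresses as uninterpreted strings, so an unsupported form or a typo such as "--deny 192.168.00" silently never matched anything, while the new code parses every entry up front and supports CIDR prefixes for IPv4 and IPv6. The following C program is an added illustration of that contrast, written for this page; it is not Ncat's own parser (Ncat's real implementation, including the bit-vector representation of IPv4 ranges mentioned above, lives in ncat/ and is tested by ncat/tests/test-addrset.sh). It assumes a simplified specification syntax of "address" or "address/prefix" only, and as a stated simplification it rejects hostnames at validation time instead of resolving them. The function names, the `struct addr_entry` type and the sample deny list are all constructed for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

/* One parsed access-list entry: address family, network address in binary
   form and a prefix length in bits (32 or 128 means a single host). */
struct addr_entry {
    int family;             /* AF_INET or AF_INET6 */
    unsigned char addr[16]; /* only the first 4 bytes are used for IPv4 */
    int prefix;
};

/* Parse "addr" or "addr/prefix" into *e.  Returns 0 on success and -1 for a
   malformed entry.  Hypothetical helper for this example: hostnames and
   typos such as "192.168.00" are rejected here, at startup, rather than
   being stored and silently never matching. */
static int parse_entry(const char *spec, struct addr_entry *e)
{
    char buf[64];
    char *slash;
    int maxbits;

    if (strlen(spec) >= sizeof buf)
        return -1;
    strcpy(buf, spec);
    slash = strchr(buf, '/');
    if (slash != NULL)
        *slash++ = '\0';

    /* inet_pton only accepts well-formed literals, which is what we want. */
    if (inet_pton(AF_INET, buf, e->addr) == 1) {
        e->family = AF_INET;
        maxbits = 32;
    } else if (inet_pton(AF_INET6, buf, e->addr) == 1) {
        e->family = AF_INET6;
        maxbits = 128;
    } else {
        return -1;
    }

    if (slash == NULL) {
        e->prefix = maxbits;
    } else {
        char *end;
        long p = strtol(slash, &end, 10);
        if (*slash == '\0' || *end != '\0' || p < 0 || p > maxbits)
            return -1;
        e->prefix = (int)p;
    }
    return 0;
}

/* Does the textual address `addr` fall inside entry *e?  Compares the first
   e->prefix bits of the binary forms; an address that fails to parse, or is
   of the other family, never matches. */
static int entry_matches(const struct addr_entry *e, const char *addr)
{
    unsigned char bin[16];
    int full = e->prefix / 8;
    int rem = e->prefix % 8;

    if (inet_pton(e->family, addr, bin) != 1)
        return 0;
    if (memcmp(e->addr, bin, full) != 0)
        return 0;
    if (rem != 0) {
        unsigned char mask = (unsigned char)(0xFF << (8 - rem));
        if ((e->addr[full] & mask) != (bin[full] & mask))
            return 0;
    }
    return 1;
}

/* The old style of check, for contrast: exact string comparison.  A pattern
   the code does not understand is not an error; it simply never matches. */
static int textual_matches(const char *pattern, const char *addr)
{
    return strcmp(pattern, addr) == 0;
}

/* Validate every entry before any connection is accepted.  Returns the index
   of the first malformed entry, or -1 when all of them parse. */
static int validate_list(const char *const *specs, int n, struct addr_entry *out)
{
    int i;
    for (i = 0; i < n; i++)
        if (parse_entry(specs[i], &out[i]) != 0)
            return i;
    return -1;
}

int main(void)
{
    /* Constructed sample deny list, ending with the typo from the post. */
    const char *const specs[] = { "192.168.0.0/24", "2001:db8::/32", "192.168.00" };
    struct addr_entry entries[3];
    int bad = validate_list(specs, 3, entries);

    if (bad >= 0)
        printf("startup error: malformed entry \"%s\"\n", specs[bad]);
    printf("192.168.0.77 denied by %s: %d\n", specs[0], entry_matches(&entries[0], "192.168.0.77"));
    printf("2001:db8:1::5 denied by %s: %d\n", specs[1], entry_matches(&entries[1], "2001:db8:1::5"));
    printf("old textual check, \"%s\" vs 192.168.0.0: %d\n", specs[2], textual_matches(specs[2], "192.168.0.0"));
    return 0;
}
```

Running it shows the behaviour the post argues for: the malformed entry is reported before any connection is handled, prefix matching works identically for IPv4 and IPv6, and the old textual comparison returns 0 for the typo without ever complaining.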

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org