Nmap Development mailing list archives

Re: Uniquely identifying an Nmap install from NSE?


From: Brandon Enright <bmenrigh () ucsd edu>
Date: Fri, 7 Aug 2009 22:19:33 +0000


On Fri, 07 Aug 2009 16:41:25 -0500
Ron <ron () skullsecurity net> wrote:

> Hi all,
> 
> I had a conversation with Ed Skoudis at Defcon, and he had a comment
> on some of my SMB scripts: one of his primary uses for these scripts
> is teaching, so he can have up to 40 people using the same scripts
> against the same target, and that won't work well with psexec-style
> scripts. Up till now, I've written the scripts from the perspective
> of how I'd use them: one person at a time. That doesn't work as well
> in the real world.
> 
> The issue is, some scripts (like smb-pwdump.nse) create a service on
> the remote host. I always use the same name for this service, since
> that makes it possible to clean up later if something fails. But,
> this creates a race condition where if two people run the same
> script, it'll fail for one or both of them.
> 
> So, the two obvious choices are:
> 1. Leave it the way it is, and accept that it's going to have a race
> condition
> 2. Randomize the name, making it difficult to clean up
> 
> Neither option is really good, so I'm looking at a third option:
> having some way to uniquely identify an Nmap install so it can use
> the same random service name every time it runs, without stepping on
> toes. The first two things that come to mind are a) using the local
> IP address, and b) using the local MAC address. Neither are perfect
> solutions, but they're pretty clean options. The biggest downside is,
> even if I use a hash of the local address, it would be pretty trivial
> to crack it and determine who created the service, so the attacker
> loses a big chunk of privacy.
> 
> Anybody else have any ideas?
> 
> Thanks

What about stealing one from the Conficker playbook and using the current
week as a source of entropy?

Something like svcname = hash(localip + localmac + remoteip + week)

Still not much entropy but certainly raising the bar above just MAC.

Brandon


_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
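The derivation Brandon proposes, svcname = hash(localip + localmac + remoteip + week), worked through as an added example (editor's code, not Ron's SMB scripts or anything from the Nmap tree). It shows the three properties the thread cares about: the name is stable for one scanner against one target within a week, so a failed run can be cleaned up; two scanners on the same target get different names; and, as Ron warns, the hash does not hide the creator when the candidate set is small (a classroom of 40 scanners on one LAN), because an observer can simply recompute it for every candidate. The "nmap" prefix, the 12-hex-character truncation, the "|" separator and the ISO-week encoding are all my assumptions; the IPs and MACs are constructed sample data.

```python
import datetime
import hashlib


def iso_week(day):
    """Encode a date as its ISO week, e.g. 'YYYY-Www', the rotating input
    that makes the name change at a week boundary (assumed encoding)."""
    year, week, _ = day.isocalendar()
    return f"{year}-W{week:02d}"


def service_name(local_ip, local_mac, remote_ip, week, prefix="nmap", length=12):
    """svcname = hash(localip + localmac + remoteip + week).

    The MAC is lower-cased so 'AA:BB' and 'aa:bb' give the same name, and the
    fields are joined with an assumed '|' separator so that boundaries between
    them are unambiguous.  Output is hex, which is safe in a Windows service
    name.  The digest is truncated to `length` hex characters (assumption).
    """
    material = "|".join((local_ip, local_mac.lower(), remote_ip, week)).encode()
    digest = hashlib.sha1(material).hexdigest()
    return prefix + digest[:length]


def cleanup_names(local_ip, local_mac, remote_ip, today):
    """Names a cleanup routine should look for on the target.

    A run that fails on Sunday night may leave behind a service named with the
    previous week's input, so both the current and previous week's names are
    returned, newest first.
    """
    this_week = iso_week(today)
    last_week = iso_week(today - datetime.timedelta(days=7))
    return [
        service_name(local_ip, local_mac, remote_ip, this_week),
        service_name(local_ip, local_mac, remote_ip, last_week),
    ]


def identify_creator(svcname, candidates, remote_ip, week):
    """Ron's privacy objection, made concrete.

    `candidates` is a list of (ip, mac) pairs for scanners on the same LAN,
    e.g. the 40 students in a class, as seen by anyone who can read the ARP
    table or a packet capture.  Whoever can enumerate that set recovers the
    creator of `svcname` with one hash per candidate; the week adds no
    protection because it is public too.  Returns the matching pair or None.
    """
    for ip, mac in candidates:
        if service_name(ip, mac, remote_ip, week) == svcname:
            return (ip, mac)
    return None


if __name__ == "__main__":
    # Constructed sample data: two scanners in a class, one target.
    target = "10.0.0.100"
    alice = ("10.0.0.5", "00:11:22:33:44:55")
    bob = ("10.0.0.7", "00:11:22:33:44:66")
    week = iso_week(datetime.date(2009, 8, 7))

    a_name = service_name(alice[0], alice[1], target, week)
    b_name = service_name(bob[0], bob[1], target, week)
    print("week:", week)
    print("alice:", a_name)
    print("bob:  ", b_name)
    print("alice again (same week):", service_name(alice[0], alice[1], target, week))
    print("cleanup candidates for alice:",
          cleanup_names(alice[0], alice[1], target, datetime.date(2009, 8, 7)))
    print("who created", b_name, "->", identify_creator(b_name, [alice, bob], target, week))
```

The identify_creator step is the measurable cost of the scheme: with 40 known scanners it is 40 SHA-1 calls, and even without a candidate list the local IP and the OUI half of the MAC are usually guessable, leaving roughly 2^24 device-ID values to try, which is seconds of work in C. The week input solves the stable-versus-random trade-off Ron describes; it does not solve the privacy problem, which is what "still not much entropy" in the reply above concedes.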
