Nmap Development mailing list archives

Re: Bug in NSE core, I think


From: Brandon Enright <bmenrigh () ucsd edu>
Date: Wed, 26 Aug 2009 00:52:30 +0000


On Tue, 25 Aug 2009 19:47:06 -0500
Ron <ron () skullsecurity net> wrote:

> On 08/25/2009 07:40 PM, Patrick Donnelly wrote:
>> Right now NSE uses a table of <ip, Target * (light userdata)> pairs
>> for all the hosts. When we get passed a host table we look in that
>> table using the host table ip address (host.ip) for the actual
>> Target *. Problem is, we have the same ip address for all those
>> hosts so only one entry will be present. Also, the scripts actually
>> did run, correctly, against each host but the script output was
>> added to one host (for the aforementioned reason).
>>
>> Is this worth fixing?
>
> I haven't tracked down exactly what's going on, but it appears to
> cause a bug in one of my scripts. I believe it stems from a local
> variable getting whacked, because it's ending up wrong by the end of
> my script.
>
> That's how I originally noticed this behaviour.
>
> Ron


Ron,

I think this mostly stems from Nmap not bothering to check for
duplicates in the target list, not even duplicate IPs.  We shouldn't
fix NSE if we aren't going to fix the general scanning.

Take for example:

$ sudo nmap -v -d --top-ports 100 -T5 --open 127.0.0.1 127.0.0.1

Starting Nmap 5.00 ( http://nmap.org ) at 2009-08-26 00:50 UTC
PORTS: Using top 100 ports found open (TCP:100, UDP:0, SCTP:0)
--------------- Timing report ---------------
  hostgroups: min 1, max 100000
  rtt-timeouts: init 250, min 50, max 300
  max-scan-delay: TCP 5, UDP 1000, SCTP 5
  parallelism: min 0, max 0
  max-retries: 2, host-timeout: 900000
  min-rate: 0, max-rate: 0
---------------------------------------------
NSE: Loaded 0 scripts for scanning.
mass_rdns: Using DNS server 132.239.0.252
mass_rdns: Using DNS server 132.239.1.52
mass_rdns: Using DNS server 128.54.16.2
Initiating SYN Stealth Scan at 00:50
Scanning 2 hosts [100 ports/host]
Packet capture filter (device lo): dst host 127.0.0.1 and (icmp or ((tcp or udp or sctp) and (src host 127.0.0.1 or src host 127.0.0.1)))
Discovered open port 25/tcp on 127.0.0.1
Discovered open port 443/tcp on 127.0.0.1
Discovered open port 80/tcp on 127.0.0.1
Discovered open port 631/tcp on 127.0.0.1
Completed SYN Stealth Scan against 127.0.0.1 in 0.02s (1 host left)
Increased max_successful_tryno for 127.0.0.1 to 1 (packet drop)
Discovered open port 25/tcp on 127.0.0.1
Discovered open port 443/tcp on 127.0.0.1
Discovered open port 80/tcp on 127.0.0.1
Discovered open port 631/tcp on 127.0.0.1
Completed SYN Stealth Scan at 00:50, 1.06s elapsed (200 total ports)
Overall sending rates: 198.21 packets / s, 8721.36 bytes / s.
Host localhost (127.0.0.1) is up, received localhost-response (0.000016s latency).
Scanned at 2009-08-26 00:50:58 UTC for 0s
Interesting ports on localhost (127.0.0.1):
Not shown: 96 closed ports
Reason: 96 resets
PORT    STATE SERVICE REASON
25/tcp  open  smtp    syn-ack
80/tcp  open  http    syn-ack
443/tcp open  https   syn-ack
631/tcp open  ipp     syn-ack
Final times for host: srtt: 16 rttvar: 0  to: 50000

Host localhost (127.0.0.1) is up, received localhost-response (0.000016s latency).
Scanned at 2009-08-26 00:50:58 UTC for 1s
Interesting ports on localhost (127.0.0.1):
Not shown: 96 closed ports
Reason: 96 resets
PORT    STATE SERVICE REASON
25/tcp  open  smtp    syn-ack
80/tcp  open  http    syn-ack
443/tcp open  https   syn-ack
631/tcp open  ipp     syn-ack
Final times for host: srtt: 16 rttvar: 0  to: 50000

Read from /usr/share/nmap: nmap-services.
Nmap done: 2 IP addresses (2 hosts up) scanned in 1.13 seconds
           Raw packets sent: 210 (9240B) | Rcvd: 429 (18.036KB)



Note 210 packets were sent, not the expected ~100.

Brandon
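As an added example (not Nmap's code and not a patch from this thread), the following C++ program models the two behaviours the thread describes: an NSE-style host table keyed on the ip string, which collapses two Target objects for the same address into one entry so that every script result lands on one host, against a table keyed on the Target's own identity; and a pre-scan deduplication of the target list, which is the point Brandon makes with the 210-packet scan of `127.0.0.1 127.0.0.1`. The names Target, table_by_ip, table_by_identity, results_per_host and dedupe_targets are hypothetical, and the two-host sample input is constructed for the example.

```cpp
#include <cassert>
#include <cstddef>
#include <iostream>
#include <map>
#include <set>
#include <string>
#include <vector>

// Hypothetical stand-in for Nmap's Target object (the real one lives in
// Target.h); only the fields this example needs.
struct Target {
    std::string ip;                    // host.ip as an NSE script sees it
    std::string spec;                  // what the user typed on the command line
    std::vector<std::string> output;   // script output attached to this host
};

// Two distinct Target objects for the same address, which is what
// `nmap 127.0.0.1 127.0.0.1` yields when the target list is not deduplicated.
// Constructed sample input, not captured from a real scan.
std::vector<Target> two_localhost_targets() {
    return {{"127.0.0.1", "127.0.0.1 (1st)", {}},
            {"127.0.0.1", "127.0.0.1 (2nd)", {}}};
}

// Models the host table as the thread describes it: keyed on the ip string,
// so the second Target with the same ip overwrites the first and every lookup
// for that ip returns the survivor.
std::map<std::string, Target*> table_by_ip(std::vector<Target>& targets) {
    std::map<std::string, Target*> table;
    for (Target& t : targets) table[t.ip] = &t;
    return table;
}

// One possible fix (an assumption of this example, not Nmap's actual change):
// key on the Target's identity, the pointer the light userdata already holds.
std::map<const Target*, Target*> table_by_identity(std::vector<Target>& targets) {
    std::map<const Target*, Target*> table;
    for (Target& t : targets) table[&t] = &t;
    return table;
}

// Runs a pretend script once per host and attaches its output to whichever
// Target the table lookup hands back. Returns how many output lines ended up
// on each host, in target-list order.
std::vector<std::size_t> results_per_host(bool key_on_identity) {
    std::vector<Target> targets = two_localhost_targets();
    std::map<std::string, Target*> by_ip = table_by_ip(targets);
    std::map<const Target*, Target*> by_id = table_by_identity(targets);

    for (Target& host : targets) {
        Target* owner = key_on_identity ? by_id[&host] : by_ip[host.ip];
        owner->output.push_back("script output for " + host.spec);
    }

    std::vector<std::size_t> counts;
    for (const Target& t : targets) counts.push_back(t.output.size());
    return counts;
}

// Pre-scan deduplication of a target list, preserving first-seen order.
// Exact-string comparison only: "127.0.0.1" and "localhost" stay separate
// here, because resolving names is the scanner's job, not this filter's.
std::vector<std::string> dedupe_targets(const std::vector<std::string>& specs) {
    std::vector<std::string> unique;
    std::set<std::string> seen;
    for (const std::string& s : specs)
        if (seen.insert(s).second) unique.push_back(s);
    return unique;
}

int main() {
    std::vector<std::size_t> by_ip = results_per_host(false);
    std::vector<std::size_t> by_id = results_per_host(true);
    std::cout << "keyed on ip:       host1=" << by_ip[0] << " host2=" << by_ip[1] << '\n';
    std::cout << "keyed on identity: host1=" << by_id[0] << " host2=" << by_id[1] << '\n';
    std::vector<std::string> targets = dedupe_targets({"127.0.0.1", "127.0.0.1"});
    std::cout << "targets after dedupe: " << targets.size() << '\n';
    return 0;
}
```

With the ip-keyed table both script results attach to the surviving entry and the other Target gets nothing, which matches Patrick's description of output being added to one host; keying on identity gives each host its own result. Deduplicating the list before the scan sidesteps both that and the doubled probe count, but only for textually identical specs.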

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org

