Re: Contributing to Nmap development

[David Fifield <david () bamsoftware com>]

On Thu, Sep 17, 2009 at 03:18:26PM +0530, Ravipriya Thushara wrote:
>        I'm a undergraduate student from University of Moratuwa, Sri Lanka.
> Im studying in my 3rd academic year (I'm studying a 4 year degree program on
> Computer Science and Engineering). In this academic year I have to join to
> an open source project and contribute to it for 12 weeks. I can choose any
> open source project based on my interest. My instructors will evaluate my
> work at the end.
>        I'm interested lot in computer and network security and I'm hoping to
> do my project related on that. So I think Nmap is a great place to join and
> work with. But I want some help from you to understand the current
> development status of Nmap and what you are expecting to do.
>          I have considerable amount of knowledge on Computer security and
> Networking. Also I'm CCNA certified recently. I have being using Nmap for
> about 6 months. I'm experienced in C/C++ programming too. So please  send me
> some help me with some starting points to start with.

I recommend that you look in the online TODO and try working on
something that looks interesting. A lot of the items are long-term or
are already being worked on, so here are some I recommend:

o [NSE] Add DNS based service discovery script.  See
  http://seclists.org/nmap-dev/2009/q3/0786.html for more of this idea
  from David.

o [NSE] Support routing http requests through proxies.

o [NSE] Security Review
 o Consider what, if any, vulnerabilities or security risks NSE has
   with respect to buffer overflows, format string bugs, any other
   maliciously formatted responses from target systems, etc.  Maybe
   address the known risk of malicious scripts too.
 o Consider that NSE runs scripts as root

o Zenmap should perhaps be able to print Nmap output (if not too much
  of a pain to implement.)

o Zenmap script selection interface for deciding which NSE scripts to
  run.

Unfortunately the beginner tasks are mostly not C and C++ tasks, but it
is not hard to learn the skills you need to do them. Here are two more
from my own TODO list for Ncat, which is written in C.

o See if we can make Ncat drop privileges on startup.

o SSL connections to an Ncat server hang while certificate verification
  occurs; you can block other connections by waiting at the certificate
  description in your browser.

Once you've chosen something to do you will write a patch and send it to
this same list. When you have specific questions you should also write
to this list. When you've decided what you want to do we can show you
the proper documentation and the source files you will need to be
familiar with.

David Fifield

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org