Re: NMAP NSE script for iSCSI enumeration

[Michel Chamberland <merc () securitywire com>]

Thanks for the feedback Fyodor. Unfortunately there is no protocol
decoder in wireshark for iSCSI but I can go by the RFC to breakdown the
payload. I will definitely clean up the packet construction with useful
comments. It may even be useful to have optional parameters to the
script to insert in the payload. I will also get rid of the table which
I did borrow from sslv2.nse.



On Sat, 2009-10-10 at 16:48 -0700, Fyodor wrote:
> On Sat, Oct 10, 2009 at 01:54:10PM -0400, Michel Chamberland wrote:
> > I wrote a nmap nse script to enumerate iSCSI targets. I would be
> > interested to get feedback on it.
> >
> > The script can be found here:
> >
> > http://blog.securitywire.com/2009/10/10/nmap-nse-script-to-enumerate-iscsi-targets/
> >
> > I have very limited access to iSCSI targets so I'd be really interested
> > to hear how it works out across a variety of targets.
>
> Thanks Michael!  I hope people try it out and send feedback, as this
> sounds like a useful script for integration into Nmap.  Please send us
> (nmap-dev) another mail when you feel it is ready for that.
>
> Unfortunately I don't have any iSCSI devices to test, and I only have
> time for a quick glance at the script right now.  One thing that
> stands out is that most of the lines in the script are of this form:
>
>   table.insert(t1, string.char(0x6c, 0x6d, 0x00, 0x53, 0x65, 0x73, 0x73, 0x69)); 
>   table.insert(t1, string.char(0x6f, 0x6e, 0x54, 0x79, 0x70, 0x65, 0x3d, 0x44)); 
>   table.insert(t1, string.char(0x69, 0x73, 0x63, 0x6f, 0x76, 0x65, 0x72, 0x79)); 
>   table.insert(t1, string.char(0x00, 0x48, 0x65, 0x61, 0x64, 0x65, 0x72, 0x44)); 
>   table.insert(t1, string.char(0x69, 0x67, 0x65, 0x73, 0x74, 0x3d, 0x4e, 0x6f)); 
>   table.insert(t1, string.char(0x6e, 0x65, 0x00, 0x44, 0x61, 0x74, 0x61, 0x44)); 
>   table.insert(t1, string.char(0x69, 0x67, 0x65, 0x73, 0x74, 0x3d, 0x4e, 0x6f)); 
>
> That raises two issues:
>
> 1) It would be great to comment these hex dumps to explain more about
>    what they are doing.  It is a lot harder to
>    maintain/improve/understand scripts when we don't understand what
>    the requests are doing.  Also, how did you generate them?  If you
>    aren't so familiar with the protocol yourself, one thing which can
>    help is running Wireshark while you make the requests.  That often
>    explains the various fields and types which can then be added as
>    comments to the script.
>
> 2) I'm not sure that this approach of table.insert followed by a
>    .concat into a string is an efficient or desirable way to fill out
>    the request payload.  You might have gotten this approach from
>    sslv2.nse, but that is an ancient script and I'm not sure that it
>    serves as a good example in this respect.  Perhaps the approach
>    shown in this dns-random-srcport.nse snippet is better:
>
>    local query =   string.char(0xbe, 0xef, -- TXID
>                                0x01, 0x00, -- Flags
>                                0x00, 0x01, -- Questions
>                                0x00, 0x00, -- Answer RRs
>                                0x00, 0x00, -- Authority RRs
>                                0x00, 0x00, -- Additional RRs
>                                0x08) .. "porttest" ..
>                    string.char(0x08) .. "dns-oarc" ..
>                    string.char(0x03) .. "net" ..
>                    string.char(0x00, -- Name terminator
>                                0x00, 0x10, -- Type (TXT)
>                                0x00, 0x01) -- Class (IN)
>
> Another option is bin.pack (http://nmap.org/nsedoc/lib/bin.html).
>
> > I have about 2 hours of experience with lua too so I'm sure it shows
> > :)
>
> It looks like a good first script to me!
>
> Cheers,
> Fyodor


_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org