Re: Raw IP NSE Functionality (Was Re: [NSE] Raw ethernet frame questions ...)

[David Fifield <david () bamsoftware com>]

On Tue, Feb 16, 2010 at 11:31:34AM -0600, Kris Katterjohn wrote:
> On 02/11/2010 04:53 PM, Kris Katterjohn wrote:
> > Alright, I like to think my branch is essentially complete.  So here
> > we go:
> >
> > * ip_open(), ip_send() and ip_close() methods for sending packets
> > starting with an IPv4 header
> >
> > * Works with arbitrary (non-Target) hosts using various routing
> > functions and sends over raw socket or ethernet if preferred and is
> > available
> >
> > * Fallback: if ethernet is preferred but no (ethernet) route can be
> > found, the raw socket is used instead.  If an ethernet route is
> > found but an error occurs then we pass an error to the script.
> > Keeping in mind your suggestion, I feel this is similar to how eth
> > vs raw decisions are made elsewhere, even though those parts use
> > Target information while this is done itself.
> >
> > * Errors are passed to the script for use with try() exception
> > handling
> >
> > * Tested on Linux and Windows; kx also verified on Windows earlier
> >
> > * Docs added to scripting.xml (similar to ethernet_* methods' docs)
> >
> > * IP ID sequence script with optional probeport arg; recently done
> > up with NSEDoc (although my NSEDoc-fu is weak as I don't recall ever
> > using it)
>
> On 02/12/2010 07:37 PM, Kris Katterjohn wrote:
> > OK, I have one more thing to add to the list: nmap.is_privileged().  This
> > gives the script the boolean value of o.isr00t.  This makes it easy to tell,
> > for instance, in ipidseq's hostrule if the raw socket open will fail instead
> > of having to try in action and return an error if not.
>
> Has anybody tested this branch and run into any problems?
>
> Checking out the branch, building Nmap and running the IP ID script on a host
> is all it takes for a basic run through.  Under most OS's, using with and
> without --send-eth tests the sending of ethernet frames (or not), or the
> fallback functionality for using a raw socket for going over, say, a
> point-to-point link even if you specify --send-eth.
>
> As previously mentioned: I've tested on Linux and Windows, kx tested on
> Windows (and Linux in VM I believe) using earlier revisions (not newer ones?),
> and Patrick said it looked good.  So: if there are no objections or problems,
> I'd like to merge over to trunk this week (before the weekend).  If Fyodor or
> David wants to give me the go-ahead before then, then cool ;)

I tested out the branch and the script, and it looks good when run along
with OS detection.

IP ID Sequence Generation: Randomized
Host script results:
|_ipidseq: Randomized [used port 22]

I like the overall look and interface of the new functions.

About Windows support: Have you (or anyone) tested raw sending to a
non-Target? How are you testing this generally? If you have even just a
short script snippet, that is fine.

I was thinking that the code should check for the option
PACKET_SEND_ETH_STRONG and refuse to fall back to a raw socket in the
case, but I can't find anywhere else where that is enforced.

In the C-Lua functions, I recommend including the strerror and perhaps
errno in error strings.

In the scripting.xml documentation, I think that the raw IP sending
should be given primary coverage, with Ethernet sending mentioned at the
end as an alternative for special situations (the opposite precedence
that is there now). What do you think, and would you make that change if
you agree?

The nmap.is_privileged function I have no objection to. All the above is
fine with me. One thing deserves some further design discussion, which
is the nmap.get_ports function. I think it would be better to wrap
PortList::nextPort more directly, giving scripts one-at-a-time access to
port tables (and avoiding creating a potentially large table of tables,
most of which won't be used by many scripts). A script that needs the
full port list can easily create it by doing just what your C function
does, looping with nextPort. Scripts like ipidseq.nse that need just any
old port wouldn't need to allocate as much memory.

I think the ipidseq script is a great idea. I know it's something I've
wanted before.

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/