Nmap Development mailing list archives

Re: Raw IP NSE Functionality (Was Re: [NSE] Raw ethernet frame questions ...)


From: Kurt <kurt.campbell () gmail com>
Date: Wed, 17 Feb 2010 21:50:28 -0500

Sorry for the triple post, but to test, I just commented out setting
the host IP in genericpkt, and hard-coded whatever I wanted to
test that was different from the target host.

If someone else wants to play, it would probably be easiest to do the
same with Kris's script.

Cheers,
  kx

On Wed, Feb 17, 2010 at 9:47 PM, kx <kxmail () gmail com> wrote:
Misclicked send:

The rest of the snippet was:

action = function(host)
       math.randomseed( os.time() )
       local sock = nmap.new_dnet()
       local port = nmap.registry[host.ip]['junk']
       local tcp = genericpkt(host, port, 1500)

       sock:ip_open()

       sock:ip_send(tcp.buf)
       sock:ip_close()
end

And I reused Kris's getport, setreg, and hostrule as I only needed a
single open port as well for the script I am playing with.

I am not even capturing responses yet, just looking at them in Wireshark.

Sorry if this doesn't help much. I never got my VMs up and running,
but if I get time, that will give me other interfaces and routes to
play with.

Cheers,
 kx


On Wed, Feb 17, 2010 at 9:37 PM, kx <kxmail () gmail com> wrote:
About Windows support: Have you (or anyone) tested raw sending to a
non-Target? How are you testing this generally? If you have even just a
short script snippet, that is fine.

I have a script I have been toying with for this, and just tested it.

Windows XP SP3 on a wireless LAN. Sadly only one route right now.

nmap -sS -p 80 --script=junk.nse google.com

For testing, I sent a custom TCP SYN to port 80 on 192.168.1.1

It worked fine, but the only issue is the route/interface to
192.168.1.1 is the same as the route/interface to the target host
(google.com).

As for how I have been testing for packet sending, I am using the same
code as Kris (please ignore my ugly modifications, I haven't
generalized the payload code - thus the A fill right now).

require "bin"
require "packet"

-- I mooched off of Marek's RR script for some of the following functions
-- (I split them into separate functions and redid them a bit).
checksum = function(tcp)
       tcp:tcp_count_checksum(tcp.ip_len)
       tcp:ip_count_checksum()
end

newtcpseq = function(tcp)
       tcp:tcp_set_seq(math.random(1, 0x7fffffff))
end

newtcpsport = function(tcp)
       tcp:tcp_set_sport(math.random(0x401, 0xffff))
end

genericpkt = function(host, port, totlen)
       local pkt = bin.pack("H",
               "4500" .. -- IPv4, len 5, dif serv 00
               "0000" .. -- total len
               "abcd" .. -- ip id
               "4000" .. -- DF set
               "8006" .. -- TTL 128, proto TCP
               "0000" .. -- checksum
               "0000 0000" .. -- src ip
               "0000 0000" .. -- dst ip
               "0000" .. -- tcp src port
               "0000" .. -- tcp dst port
               "0000 0000" .. -- seq #
               "0000 0000" .. -- ack #
               "5002" .. -- hdr len 20, SYN
               "0c00" .. -- win size 3072
               "0000" .. -- tcp checksum
               "0000" -- urg pointer
       )
       pkt = pkt .. string.rep("A", (totlen - 40))
       local tcp = packet.Packet:new(pkt, pkt:len())

       tcp:ip_set_len(totlen)
       tcp:ip_set_bin_src(host.bin_ip_src)
       tcp:ip_set_bin_dst(host.bin_ip)
       tcp:tcp_set_dport(port)

       newtcpsport(tcp)
       newtcpseq(tcp)

       checksum(tcp)

       return tcp
end

Then down in the main:

action = function(host)
       math.randomseed( os.time() )
       local sock = nmap.new_dnet()

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
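The genericpkt() and checksum() code quoted above builds the IPv4/TCP SYN from a hex template with zero placeholders and leaves the checksum arithmetic to Nmap's packet.lua. As an added example, not code from this thread or from Nmap, the same 1500-byte packet is built below in plain Python with the RFC 1071 checksums computed explicitly (the TCP one over the IPv4 pseudo-header), plus a verify() that re-sums a packet the way a receiver or Wireshark does, and a describe() for comparing a capture against what was sent. The addresses, ports and sequence number used in the test are made up; send_raw() is a raw-socket helper that needs root and is not exercised by the test.

```python
"""Hand-built IPv4/TCP SYN with explicit checksums (added example, not Nmap code)."""
import random
import socket
import struct

# Same 40-byte header template as the thread's genericpkt(): IPv4 (IHL 5, DF,
# TTL 128, proto TCP) + TCP SYN (hdr len 20, window 3072). Length, addresses,
# ports, seq and both checksums are zero placeholders that get filled in.
TEMPLATE_HEX = (
    "4500" "0000" "abcd" "4000" "8006" "0000" "00000000" "00000000"   # IPv4
    "0000" "0000" "00000000" "00000000" "5002" "0c00" "0000" "0000"   # TCP
)


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; an odd trailing byte is zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tcp_pseudo_header(pkt: bytes) -> bytes:
    """IPv4 pseudo-header: src, dst, zero byte, protocol, TCP segment length."""
    ihl = (pkt[0] & 0x0F) * 4
    totlen = struct.unpack_from("!H", pkt, 2)[0]
    return pkt[12:20] + struct.pack("!BBH", 0, pkt[9], totlen - ihl)


def build_syn(src_ip, dst_ip, dport, totlen=1500, sport=None, seq=None, fill=b"A"):
    """Mirror genericpkt(): template + 'A' padding, then set fields and checksums."""
    pkt = bytearray(bytes.fromhex(TEMPLATE_HEX))
    pkt += fill * (totlen - len(pkt))
    struct.pack_into("!H", pkt, 2, totlen)               # ip_set_len
    pkt[12:16] = socket.inet_aton(src_ip)                # ip_set_bin_src
    pkt[16:20] = socket.inet_aton(dst_ip)                # ip_set_bin_dst
    if sport is None:
        sport = random.randint(0x401, 0xFFFF)            # newtcpsport
    if seq is None:
        seq = random.randint(1, 0x7FFFFFFF)              # newtcpseq
    struct.pack_into("!HH", pkt, 20, sport, dport)
    struct.pack_into("!I", pkt, 24, seq)
    # IP header checksum covers only the 20-byte header, with its own field zeroed.
    struct.pack_into("!H", pkt, 10, 0)
    struct.pack_into("!H", pkt, 10, inet_checksum(bytes(pkt[:20])))
    # TCP checksum covers pseudo-header + TCP header + payload, field zeroed.
    struct.pack_into("!H", pkt, 36, 0)
    frozen = bytes(pkt)
    struct.pack_into("!H", pkt, 36, inet_checksum(tcp_pseudo_header(frozen) + frozen[20:]))
    return bytes(pkt)


def verify(pkt: bytes):
    """Return (ip_ok, tcp_ok): a correct checksum re-sums to zero with its field in place."""
    ihl = (pkt[0] & 0x0F) * 4
    totlen = struct.unpack_from("!H", pkt, 2)[0]
    ip_ok = totlen == len(pkt) and inet_checksum(pkt[:ihl]) == 0
    tcp_ok = inet_checksum(tcp_pseudo_header(pkt) + pkt[ihl:totlen]) == 0
    return ip_ok, tcp_ok


def describe(pkt: bytes) -> dict:
    """The fields Wireshark shows, for checking a capture against what was sent."""
    ihl = (pkt[0] & 0x0F) * 4
    sport, dport, seq, ack, off_flags, win = struct.unpack_from("!HHIIHH", pkt, ihl)
    return {
        "src": socket.inet_ntoa(pkt[12:16]), "dst": socket.inet_ntoa(pkt[16:20]),
        "ttl": pkt[8], "proto": pkt[9], "df": bool(pkt[6] & 0x40),
        "sport": sport, "dport": dport, "seq": seq,
        "syn": bool(off_flags & 0x02), "window": win,
        "payload_len": len(pkt) - ihl - (off_flags >> 12) * 4,
    }


def send_raw(pkt: bytes, dst_ip: str) -> int:
    """Send the finished packet with IP_HDRINCL (needs root; not run by the test)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_RAW)
    s.setsockopt(socket.IPPROTO_IP, socket.IP_HDRINCL, 1)
    try:
        return s.sendto(pkt, (dst_ip, 0))
    finally:
        s.close()
```

With IP_HDRINCL the kernel picks the outgoing interface from the destination passed to sendto() and uses the header's source address as written, so when the destination is not the scan target (the 192.168.1.1 case in the thread) the source should be the address of the interface that actually routes there, otherwise the SYN/ACK never comes back to the sending host. verify() is the check to run on a packet captured in Wireshark if it flags either checksum as bad.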
