Nmap Development mailing list archives

Re: Raw IP NSE Functionality


From: Kris Katterjohn <katterjohn () gmail com>
Date: Tue, 23 Feb 2010 15:00:17 -0600

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 02/23/2010 01:39 PM, Patrick Donnelly wrote:
> Ok this patch wasn't quite right. I've attached a new one but I'm
> getting some strange C++ segfault I can't figure out. I'm not going to
> devote any more time to this since Kris has a viable patch already
> committed.


Ah, yes, sorry about not mentioning this before you posted.  I wanted to put
it in there before I got busy today (i.e. right after I committed).  I didn't
mention it yet because I ended up finding a bug and wanted to investigate first.

I don't know if my script is somehow wrong, if it's a bug in the pcap reading,
or something entirely different. Using ipidseq on multiple hosts at the same
time (hostgroup) somehow gives my script a packet with the same ipid as (what
appears to be) the first packet read from the first host read from in the
group.  It's only the first one, the others are ipids from the real host.
This sounds horribly confusing after I read it, so here's something better
than my explanation (stripped Nmap output with some debugging in script):

NSE: Starting ipidseq against 192.168.10.4.
NSE: Starting ipidseq against 192.168.10.3.
got ipid 49992 from 192.168.10.4:21
got ipid 49992 from 192.168.10.3:80
got ipid 49994 from 192.168.10.3:80
got ipid 38558 from 192.168.10.4:21
got ipid 49996 from 192.168.10.3:80
got ipid 38559 from 192.168.10.4:21
got ipid 49998 from 192.168.10.3:80
got ipid 38560 from 192.168.10.4:21
got ipid 50000 from 192.168.10.3:80
got ipid 38561 from 192.168.10.4:21
got ipid 50002 from 192.168.10.3:80
ipid #1 = 49992
ipid #2 = 49994
ipid #3 = 49996
ipid #4 = 49998
ipid #5 = 50000
ipid #6 = 50002
NSE: Finished ipidseq against 192.168.10.3.
got ipid 38562 from 192.168.10.4:21
ipid #1 = 49992
ipid #2 = 38558
ipid #3 = 38559
ipid #4 = 38560
ipid #5 = 38561
ipid #6 = 38562
NSE: Finished ipidseq against 192.168.10.4.

Nmap scan report for 192.168.10.3
Host script results:
|_ipidseq: Incremental! [used port 80]

Nmap scan report for 192.168.10.4
Host script results:
|_ipidseq: Randomized [used port 21]


Notice the same "ipid #1" lines for the hosts.

Since I couldn't investigate further, this is only a starting point.  The
address/port combo in the output is from what the script expects it to be
(host and port tables; to differentiate output for me), not from the packet
itself.  However, the pcap filter should be more than adequate in stopping
this, so something is wrong.  Notice the Randomized report for 192.168.10.4
because of that one when it's really Incremental.

It seems to happen every time.  I'll try to investigate more when I can,
hopefully soon.

Thanks,
Kris Katterjohn

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
-----END PGP SIGNATURE-----
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
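Added example, not code from this thread and not Nmap's ipidseq.nse: a small Python model of what the debug output above shows. It classifies the two IP ID sequences the way a simplified ipidseq-style classifier would (the class names follow ipidseq's output, the thresholds are my own assumption, not the script's exact rules), so you can see that the single stray first sample is enough to turn 192.168.10.4's "Incremental!" into "Randomized". It also models the per-host source check that the pcap filter is expected to enforce: the constructed records carry both the host/port the script expected and the host the packet header actually names, and for the stray sample the header host is assumed (per Kris's reading) to be 192.168.10.3.

```python
from dataclasses import dataclass

IPID_MOD = 65536  # IP ID is a 16-bit field, so differences wrap around


@dataclass(frozen=True)
class Sample:
    expected_host: str   # host/port the script was working on (what the log printed)
    expected_port: int
    header_host: str     # source address actually in the packet header (assumed)
    ipid: int


# Constructed from the "got ipid ... from ..." lines in the debug output.
# The first 192.168.10.4 record is the suspect one: its ipid equals the first
# 192.168.10.3 sample, so its header_host is assumed to be 192.168.10.3.
SAMPLES = [
    Sample("192.168.10.4", 21, "192.168.10.3", 49992),
    Sample("192.168.10.3", 80, "192.168.10.3", 49992),
    Sample("192.168.10.3", 80, "192.168.10.3", 49994),
    Sample("192.168.10.4", 21, "192.168.10.4", 38558),
    Sample("192.168.10.3", 80, "192.168.10.3", 49996),
    Sample("192.168.10.4", 21, "192.168.10.4", 38559),
    Sample("192.168.10.3", 80, "192.168.10.3", 49998),
    Sample("192.168.10.4", 21, "192.168.10.4", 38560),
    Sample("192.168.10.3", 80, "192.168.10.3", 50000),
    Sample("192.168.10.4", 21, "192.168.10.4", 38561),
    Sample("192.168.10.3", 80, "192.168.10.3", 50002),
    Sample("192.168.10.4", 21, "192.168.10.4", 38562),
]


def ipid_diffs(ipids):
    """Successive differences, wrapped modulo 2^16."""
    return [(b - a) % IPID_MOD for a, b in zip(ipids, ipids[1:])]


def classify_ipids(ipids):
    """Simplified ipidseq-style classification (thresholds are assumptions)."""
    if len(ipids) < 2:
        return "Unknown"
    diffs = ipid_diffs(ipids)
    if all(d == 0 for d in diffs):
        return "All zeros"
    if all(d < 10 for d in diffs):
        return "Incremental!"
    # Byte-swapped counter: every step is a small multiple of 256.
    if all(d % 256 == 0 and d // 256 < 10 for d in diffs):
        return "Broken little-endian incremental!"
    if any(d > 20000 for d in diffs):
        return "Randomized"
    return "Busy server or unknown class"


def sequence_as_logged(samples, host):
    """What the script saw: every sample it attributed to this host."""
    return [s.ipid for s in samples if s.expected_host == host]


def sequence_after_filter(samples, host):
    """What a correct per-host capture filter would have delivered."""
    return [s.ipid for s in samples
            if s.expected_host == host and s.header_host == host]


def verdicts(samples, host):
    """(as-logged verdict, after-filter verdict) for one host."""
    return (classify_ipids(sequence_as_logged(samples, host)),
            classify_ipids(sequence_after_filter(samples, host)))


if __name__ == "__main__":
    for host in ("192.168.10.3", "192.168.10.4"):
        logged, filtered = verdicts(SAMPLES, host)
        print(f"{host}: as logged -> {logged}; after filter -> {filtered}")
```

Running it reproduces the report: 192.168.10.3 is "Incremental!" either way, while 192.168.10.4 is "Randomized" from the logged samples (the 49992 to 38558 jump wraps to a difference of 54102) and "Incremental!" once the stray packet is dropped by the header check.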