Nmap Development mailing list archives

Re: NSEDoc @output for auth-spoof.nse


From: Brandon Enright <bmenrigh () ucsd edu>
Date: Sat, 10 Apr 2010 02:12:08 +0000


On Fri, 9 Apr 2010 04:44:40 +0000
Brandon Enright <bmenrigh () ucsd edu> wrote:

> I can probably dig up some fake ident spoofs.  I just had one last
> week.
>
>
> Brandon


Well here is the output as the script stands now:

PORT    STATE SERVICE REASON
113/tcp open  auth    syn-ack
|_auth-spoof: Spoofed reply: 0, 0 : USERID : UNIX : OGJdvM
|_banner: 0, 0 : USERID : UNIX : FWzVK
|_auth-owners: SbYvw


I have some suggestions for this script though. Before I start
bashing Diman's script though, IIRC this was the first or second NSE
script ever written.  It wasn't meant to be a production/release script
but just a mock-up example of the types of script that could be written.

So here are my suggestions.

First, we should name this script "ident-spoof" rather than
"auth-spoof".  It is much more commonly referred to as ident now and
"auth-spoof" sounds like we are spoofing some sort of authorization.

Second, there are a heck of a lot of ways ident gets spoofed that are
easily detectable that this script misses.  This script just checks to
see if a banner comes back on port 113 before any data is sent.  Here
are the common ways I see ident being spoofed:

* An ident response comes unexpectedly (this script doesn't check if
  the response is ident, it just checks if ANY response came back).

* Often spoofed ident response comes back after any line sent, not just
  a valid one.  We could send "abc" and see if we get a valid ident
  response back.

* Often you don't have to ask about a real connection.  You can ask
  something like "123, 456" and get a properly formatted response back.

* Often the ports you request aren't the ports that are in the
  response.

* Often the response is a random name that changes from request to
  request (see my scan above).

* Often the ident server rate-limits to about 1 request every minute or
  so.  This usually causes the port to behave as though it was
  tcpwrapped by the time NSE is run (if -sV was run before NSE).  We
  should check to see if the port acts as though it was tcpwrapped and
  warn of possible ident-spoofing rate-limiting.

Finally, we should clean up the script output a bit so it doesn't just
echo the banner.  Maybe something like:

|_auth-spoof: Immediately got spoofed reply for user: root

Or perhaps:

|_auth-spoof: Spoofing detected: Unrequested ident reply for user "root"


In terms of useful NSE programming tasks enhancing auth-spoof is
probably one of the easiest.  I'm willing to dust off my rusty NSE/Lua
skills but if somebody else wants to try their hand at a bit of NSE
this is a great place to start.  If somebody does do this, I'll happily
write fake ident daemons to implement the above spoofing tricks so they
can test their script.

Regards,

Brandon

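As an added example (not Brandon's script and not anything from the Nmap tree), the detection heuristics listed in the message above, written in Python rather than NSE Lua so they run stand-alone: an RFC 1413 reply parser plus the unsolicited-reply, junk-request, nonexistent-connection, port-echo and changing-user-id checks, run over a constructed session modelled on the quoted scan output. The rate-limiting/tcpwrapped check needs live timing and is left out.

```python
import re

# RFC 1413 reply: "<server-port>, <client-port> : USERID : <os> : <user-id>"
#             or "<server-port>, <client-port> : ERROR : <error-type>"
REPLY_RE = re.compile(r"^\s*(\d+)\s*,\s*(\d+)\s*:\s*(USERID|ERROR)\s*:\s*(.*?)\s*$")
PORTS_RE = re.compile(r"^\s*(\d+)\s*,\s*(\d+)\s*$")  # what a request line should look like


def parse_reply(line):
    """Return (server_port, client_port, kind, info) for a well-formed reply, else None."""
    m = REPLY_RE.match(line or "")
    return (int(m.group(1)), int(m.group(2)), m.group(3), m.group(4)) if m else None


def spoof_indicators(banner, exchanges):
    """Judge one ident session. banner is what arrived before we sent anything ("" if
    silent); exchanges is a list of (request_line, reply_line, real_connection), where
    real_connection says whether we actually hold the TCP connection we asked about.
    Returns human-readable findings; an empty list means nothing looked spoofed."""
    findings = []
    if parse_reply(banner):
        findings.append("unsolicited ident reply before any request: %r" % banner)
    users = set()
    for req, rep, real in exchanges:
        parsed = parse_reply(rep)
        if parsed is None:
            continue  # silence or an unparseable line: nothing to judge here
        sport, cport, kind, info = parsed
        ports = PORTS_RE.match(req)
        if ports is None:
            findings.append("well-formed reply to malformed request %r" % req)
        else:
            if (sport, cport) != (int(ports.group(1)), int(ports.group(2))):
                findings.append("reply ports %d,%d differ from request %r" % (sport, cport, req))
            if kind == "USERID" and not real:
                findings.append("USERID for a connection that never existed: %r" % req)
        if kind == "USERID":
            users.add(info.rsplit(":", 1)[-1].strip())  # user-id is the last field
    if len(users) > 1:
        findings.append("user-id changes from request to request: %s" % sorted(users))
    return findings


# Constructed session modelled on the scan output quoted above (not a real capture).
SPOOFED_BANNER = "0, 0 : USERID : UNIX : OGJdvM"
SPOOFED_EXCHANGES = [
    ("abc", "0, 0 : USERID : UNIX : FWzVK", False),       # junk line still answered
    ("123, 456", "0, 0 : USERID : UNIX : SbYvw", False),  # made-up ports, wrong echo
]
```

A genuine identd that answers only for connections it can see, echoes the requested ports and returns ERROR for unknown pairs produces no findings.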
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/

