Nmap Development mailing list archives

Re: Always practice safe software: a lesson from UnrealIRCd


From: David Fifield <david () bamsoftware com>
Date: Fri, 18 Jun 2010 14:09:21 -0600

On Mon, Jun 14, 2010 at 03:51:03PM -0500, Ron wrote:
> On Mon, 14 Jun 2010 22:34:57 +0200 Vlatko Kosturjak <kost () linux hr>
> wrote:
> > Just checked this approach. The script prints a warning message which says
> > just to run the same scan with -sS. This would not solve:
> > - if unrealircd is listening on multiple ports (SSL-based or not)
> > - if -sV is used (this should be recommended to turn off too for this
> >   approach)
> > - if other scripts are used during scanning (i.e. script=all) which
> >   are irc based (like irc-info.nse); they will also connect/reconnect
> >
> > There are just too many recommendations to put in place for the check to
> > be reliable, that's why I introduced the irc-unrealircd-backdoor.wait
> > argument, to which you can pass a sleep time. So the recommendation is
> > pretty simple: try setting irc-unrealircd-backdoor.wait to 100 (or
> > higher) if a block is detected.
> >
> > New version of the script is in the attachment. Hopefully - final! :)
> >
> > Kost
>
> You make good points about how they can fail.
>
> The 'wait' sounds good, but it's still really ugly. If anybody else has
> better ideas, I'd like to hear them. If not, let's go with what you did.

Hey guys, this script looks really good. However, I found it gives a lot
of false positives when many instances of the script are run, because
the timer is started before the socket is connected, and the script may
block waiting for the socket. I ran against the 592 addresses from
http://seclists.org/nmap-dev/2010/q2/830.

nmap --datadir . -p 6666,6667 -iL unreal.nmap -d --script=irc-unrealircd-backdoor.nse

It's clear what's happening in the output:

NSE: irc-unrealircd-backdoor: Received a response to our command in 2 seconds
NSE: irc-unrealircd-backdoor: The Trojanned version of unrealircd probably isn't
...
NSE: irc-unrealircd-backdoor: Received a response to our command in 37 seconds
NSE: irc-unrealircd-backdoor: Looks like the Trojanned unrealircd is running!
NSE: Finished irc-unrealircd-backdoor against 213.232.94.72:6667.
NSE: irc-unrealircd-backdoor: Received a response to our command in 38 seconds
NSE: irc-unrealircd-backdoor: Looks like the Trojanned unrealircd is running!
NSE: Finished irc-unrealircd-backdoor against 213.186.37.193:6667.
NSE: irc-unrealircd-backdoor: Received a response to our command in 38 seconds
NSE: irc-unrealircd-backdoor: Looks like the Trojanned unrealircd is running!
NSE: Finished irc-unrealircd-backdoor against 89.105.117.89:6667.
NSE: irc-unrealircd-backdoor: Received a response to our command in 38 seconds
NSE: irc-unrealircd-backdoor: Looks like the Trojanned unrealircd is running!
NSE: Finished irc-unrealircd-backdoor against 12.96.164.10:6667.
NSE: irc-unrealircd-backdoor: Receive failed: TIMEOUT
...
NSE: irc-unrealircd-backdoor: Received a response to our command in 222 seconds
NSE: irc-unrealircd-backdoor: Looks like the Trojanned unrealircd is running!
NSE: Finished irc-unrealircd-backdoor against 171.25.159.12:6666.

I think it will work if you start the timer after the call to
comm.tryssl, not before.

I also saw this error at least three times:

NSE: irc-unrealircd-backdoor against 209.126.180.156:6666 threw an error!
./scripts/irc-unrealircd-backdoor.nse:105: attempt to concatenate local 'response' (a nil value)
stack traceback:
        ./scripts/irc-unrealircd-backdoor.nse:105: in function <./scripts/irc-unrealircd-backdoor.nse:55>
        (tail call): ?

Other addresses where it happened were 66.235.194.60:6667 and
118.98.162.85:6667.

If you can run this same test and make it work, then please go ahead and
commit the script.

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
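As an added example (not the attached script and not Nmap project code), here is an NSE action shaped around David's two points: the clock starts only after comm.tryssl returns, so time spent waiting for a socket slot is not counted, and a nil response is treated as "no result" instead of being concatenated. The probe line and the latency threshold are placeholders, and the comm/nmap calls are used with their documented signatures.

```lua
-- Added example, not the script from this thread. PROBE and THRESHOLD_S
-- are placeholders; the real probe line is deliberately not included.
local comm      = require "comm"
local nmap      = require "nmap"
local shortport = require "shortport"
local stdnse    = require "stdnse"

portrule = shortport.port_or_service({6666, 6667}, "irc")

local PROBE       = "PLACEHOLDER PROBE LINE\r\n" -- placeholder, not the real probe
local THRESHOLD_S = 30                          -- placeholder latency threshold

action = function(host, port)
  -- Extra receive time requested on the command line, as in the thread.
  local wait = tonumber(stdnse.get_script_args("irc-unrealircd-backdoor.wait")) or 0

  -- Connect first. NSE may park this thread here until a socket slot is
  -- free, so nothing is timed yet. recv_before drains the IRC greeting.
  local socket, banner = comm.tryssl(host, port, "", {recv_before = true})
  if not socket then
    stdnse.debug1("Connection failed: %s", tostring(banner))
    return nil
  end

  -- Fix 1: start the clock only once the connection is established.
  local start_ms = nmap.clock_ms()
  socket:set_timeout((THRESHOLD_S + wait + 10) * 1000)
  local status, response = socket:send(PROBE)
  if status then
    status, response = socket:receive_lines(1)
  end
  local elapsed = (nmap.clock_ms() - start_ms) / 1000
  socket:close()

  -- Fix 2: never concatenate a nil response; a timeout is "no result".
  if not status or not response then
    stdnse.debug1("Receive failed: %s", tostring(response))
    return nil
  end
  stdnse.debug1("Received a response to our command in %.1f seconds", elapsed)
  if elapsed >= THRESHOLD_S then
    return string.format("Response took %.0f seconds; looks like the Trojanned unrealircd is running", elapsed)
  end
  return nil
end
```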