Nmap Development mailing list archives
Re: Always practice safe software: a lesson from UnrealIRCd
From: David Fifield <david () bamsoftware com>
Date: Fri, 18 Jun 2010 14:09:21 -0600
On Mon, Jun 14, 2010 at 03:51:03PM -0500, Ron wrote:
> On Mon, 14 Jun 2010 22:34:57 +0200 Vlatko Kosturjak <kost () linux hr> wrote:
> > Just checked this approach. The script prints a warning message which
> > says just to run the same scan with -sS. This would not solve:
> > - if unrealircd is listening on multiple ports (SSL-based or not)
> > - if -sV is used (this should be recommended to turn off too for this
> >   approach)
> > - if other scripts are used during scanning (i.e. script=all) which
> >   are irc based (like irc-info.nse), they will also connect/reconnect
> >
> > There are just too many recommendations to put in order to check to be
> > reliable, that's why I introduced the irc-unrealircd-backdoor.wait
> > argument, to which you can pass a sleep time. So, the recommendation is
> > pretty simple: try to set irc-unrealircd-backdoor.wait to 100 (or
> > higher) if a block is detected.
> >
> > New version of the script is in the attachment. Hopefully - final! :)
> >
> > Kost
>
> You make good points about how they can fail. The 'wait' sounds good,
> but it's still really ugly. If anybody else has better ideas, I'd like
> to hear them. If not, let's go with what you did.

Hey guys, this script looks really good. However I found it gives a lot
of false positives when many instances of the script are run, because
the timer is started before the socket is connected, and the script may
block waiting for the socket. I ran against the 592 addresses from
http://seclists.org/nmap-dev/2010/q2/830.

    nmap --datadir . -p 6666,6667 -iL unreal.nmap -d --script=irc-unrealircd-backdoor.nse

It's clear what's happening in the output:

    NSE: irc-unrealircd-backdoor: Received a response to our command in 2 seconds
    NSE: irc-unrealircd-backdoor: The Trojanned version of unrealircd probably isn't ...
    NSE: irc-unrealircd-backdoor: Received a response to our command in 37 seconds
    NSE: irc-unrealircd-backdoor: Looks like the Trojanned unrealircd is running!
    NSE: Finished irc-unrealircd-backdoor against 213.232.94.72:6667.
    NSE: irc-unrealircd-backdoor: Received a response to our command in 38 seconds
    NSE: irc-unrealircd-backdoor: Looks like the Trojanned unrealircd is running!
    NSE: Finished irc-unrealircd-backdoor against 213.186.37.193:6667.
    NSE: irc-unrealircd-backdoor: Received a response to our command in 38 seconds
    NSE: irc-unrealircd-backdoor: Looks like the Trojanned unrealircd is running!
    NSE: Finished irc-unrealircd-backdoor against 89.105.117.89:6667.
    NSE: irc-unrealircd-backdoor: Received a response to our command in 38 seconds
    NSE: irc-unrealircd-backdoor: Looks like the Trojanned unrealircd is running!
    NSE: Finished irc-unrealircd-backdoor against 12.96.164.10:6667.
    NSE: irc-unrealircd-backdoor: Receive failed: TIMEOUT
    ...
    NSE: irc-unrealircd-backdoor: Received a response to our command in 222 seconds
    NSE: irc-unrealircd-backdoor: Looks like the Trojanned unrealircd is running!
    NSE: Finished irc-unrealircd-backdoor against 171.25.159.12:6666.

I think it will work if you start the timer after the call to
comm.tryssl, not before.

I also saw this error at least three times:

    NSE: irc-unrealircd-backdoor against 209.126.180.156:6666 threw an error!
    ./scripts/irc-unrealircd-backdoor.nse:105: attempt to concatenate local 'response' (a nil value)
    stack traceback:
        ./scripts/irc-unrealircd-backdoor.nse:105: in function <./scripts/irc-unrealircd-backdoor.nse:55>
        (tail call): ?

Other addresses where it happened were 66.235.194.60:6667 and
118.98.162.85:6667.

If you can run this same test and make it work, then please go ahead and
commit the script.

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
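
Added example (not part of the message above and not code from irc-unrealircd-backdoor.nse): a Python simulation with a fake clock showing why a timer started before the connect turns socket wait time into a false positive, and why a failed receive needs a guard before the response is used. The class and function names, the 30-second threshold and the reply string are assumptions; the probe itself is omitted.

```python
# Constructed simulation: every name and number here is an assumption for
# illustration, not taken from irc-unrealircd-backdoor.nse.
ASSUMED_DELAY = 30  # seconds the probe is assumed to stall a backdoored server


class FakeClock:
    """Deterministic clock so the example needs no network and no sleeping."""
    def __init__(self):
        self.now = 0.0


class SimulatedTarget:
    """connect_wait models time spent blocked waiting for a free socket."""
    def __init__(self, clock, connect_wait, reply_delay, reply="NOTICE AUTH"):
        self.clock, self.connect_wait = clock, connect_wait
        self.reply_delay, self.reply = reply_delay, reply

    def connect(self):
        self.clock.now += self.connect_wait

    def probe(self):
        """Send the (omitted) probe and wait; returns None on receive timeout."""
        self.clock.now += self.reply_delay
        return self.reply


def classify(target, clock, timer_after_connect):
    start = clock.now                 # timer placement reported as buggy
    target.connect()
    if timer_after_connect:
        start = clock.now             # placement suggested in the message
    response = target.probe()
    if response is None:              # guard instead of concatenating nil
        return "no response"
    elapsed = clock.now - start
    verdict = "looks backdoored" if elapsed >= ASSUMED_DELAY else "probably clean"
    return f"{verdict} ({elapsed:.0f}s): {response}"


def run(connect_wait, reply_delay, timer_after_connect, reply="NOTICE AUTH"):
    clock = FakeClock()
    target = SimulatedTarget(clock, connect_wait, reply_delay, reply)
    return classify(target, clock, timer_after_connect)


if __name__ == "__main__":
    print(run(36, 2, False))            # clean host, busy scanner: false positive
    print(run(36, 2, True))             # same host, timer started after connect
    print(run(0, 5, True, reply=None))  # receive timeout handled without error
```
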