Nmap Development mailing list archives

Re: NSE: RMI Dumpregistry


From: David Fifield <david () bamsoftware com>
Date: Tue, 2 Nov 2010 11:02:14 -0700

On Tue, Nov 02, 2010 at 03:42:24PM +0100, Martin Holst Swende wrote:
> On 11/01/2010 09:52 PM, David Fifield wrote:
> > Sorry again for the delay. I added the library and script using the
> > files from your branch.
>
> No problem about the delays, I know you have a lot++ things to deal
> with, and that rmi-stuff was pretty large. Is it committed already? I am
> going to perform some changes and decrease the default verbosity, but
> those should be pretty minimal changes and easy to review.

Just tell me when you've updated your branch and I'll pull in the
changes.

> Also, regarding rmi - I mentioned earlier that rmi seems to go undetected
> pretty often; here's the reason:
> * The RMI registry usually sits on a few ports, e.g. 1099 and 1098.
> * RMI objects (which are typically found when querying the registry) are
> located on pretty random ports, whatever the runtime chooses. That's why
> the registry is needed, so other apps can look up where they are (the
> dumpregistry script lists the host and port for each object).
>
> Therefore, the currently defined ports in the service fingerprints
> definition do a pretty good job at finding rmi registries, but usually
> miss fingerprinting other rmi services (remote objects). So, I would
> suggest sending the rmi probe more often. But I have no hard data
> about how common this is.

You said you tested this script on the Internet. Do you still have the
logs? If so, send a table of the ports listed by rmiregistry, sorted by
number of occurrences. That way we can see if the ports are more or less
uniformly distributed. We can also compare against the frequencies in
nmap-services to judge how common Java RMI is compared to other
services.

Also, I believe it's possible to set version information for ports other
than the one being script scanned. rmi-dumpregistry could set the
version for the other ports as if they had been version probed.

> Also, if dumping the registry discovers that some objects in this
> application are distributed to other hosts, perhaps adding these newly
> discovered hosts to the list of targets would be nice? Or is that
> something that should only be done by a pre-rule "discovery" script?
> Right now, nothing about these potential new hosts/ports is stored so
> other scripts can access the information.

It doesn't work as a prerule script, because prerules don't have any
host or port information to work with. (It wouldn't know where the
rmiregistries are.) But it could be added to rmi-dumpregistry, sure.

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
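As an added illustration of the idea David raises above (setting version information on ports other than the one being script scanned), here is example NSE code that is not part of the thread or of the rmi-dumpregistry script. It assumes a hypothetical `entries` list of `{host = "...", port = N}` tables parsed from the registry dump; `nmap.get_port_state` and `nmap.set_port_version` are the real NSE API calls.

```lua
-- Example (not the rmi-dumpregistry script's own code): after the registry
-- has been dumped, annotate the other ports on the scanned host that the
-- registry points at, so they show up as if they had been version probed.
local nmap = require "nmap"

-- host:    the NSE host table passed to the script's action function
-- entries: hypothetical list of {host = <ip string>, port = <number>}
--          tables, one per remote object found in the registry
-- returns: the list of port numbers that were annotated
local function mark_rmi_object_ports(host, entries)
  local marked = {}
  for _, e in ipairs(entries) do
    -- Only ports on the host being scanned can be annotated; objects on
    -- other hosts would need a separate target-discovery mechanism.
    if e.host == host.ip then
      -- get_port_state returns nil unless this port was part of the scan,
      -- which is exactly why randomly chosen object ports are often missed.
      local port = nmap.get_port_state(host, {number = e.port, protocol = "tcp"})
      if port and port.state == "open" then
        port.version.name = "java-rmi"
        port.version.product = "Java RMI remote object"
        port.version.extrainfo = "advertised by rmiregistry"
        -- "hardmatched" tells Nmap to treat this like a confirmed probe match
        nmap.set_port_version(host, port, "hardmatched")
        marked[#marked + 1] = e.port
      end
    end
  end
  return marked
end

return { mark_rmi_object_ports = mark_rmi_object_ports }
```

Note the caveat: a port the registry advertises is only annotated if it was included in the port scan, so this complements, rather than replaces, sending the rmi probe to more ports.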