Nmap Development mailing list archives
Re: NSE: RMI Dumpregistry
From: David Fifield <david () bamsoftware com>
Date: Tue, 2 Nov 2010 11:02:14 -0700
On Tue, Nov 02, 2010 at 03:42:24PM +0100, Martin Holst Swende wrote:
> On 11/01/2010 09:52 PM, David Fifield wrote:
> > Sorry again for the delay. I added the library and script using the
> > files from your branch.
>
> No problem about the delays, I know you have a lot++ things to deal
> with, and that rmi-stuff was pretty large. Is it committed already? I am
> going to perform some changes and decrease the default verbosity, but
> that should be pretty minimal changes and easy to review.

Just tell me when you've updated your branch and I'll pull in the changes.

> Also, regarding rmi - I mentioned earlier that rmi seems to go
> undetected pretty often; here's the reason:
>
> * The RMI registry usually sits on a few ports, e.g. 1099 and 1098.
> * RMI objects (which are typically found when querying the registry)
>   are located on pretty random ports, whatever the runtime chooses.
>   That's why the registry is needed, so other apps can look up where
>   they are (the dumpregistry-script lists the host and port for each
>   object).
>
> Therefore, the currently defined ports in the service fingerprints
> definition do a pretty good job at finding rmi registries, but usually
> miss fingerprinting other rmi services (remote objects). So, I would
> suggest sending the rmi-probe more often. But I have no hard data about
> how common this is.

You said you tested this script on the Internet. Do you still have the
logs? If so, send a table of the ports listed by rmiregistry, sorted by
number of occurrences. That way we can see if the ports are more or less
uniformly distributed. We can also compare against the frequencies in
nmap-services to judge how common Java RMI is compared to other
services. Also, I believe it's possible to set version information for
ports other than the one being script scanned. rmi-dumpregistry could
set the version for the other ports as if they had been version probed.

> Also, if dumping the registry discovers that some objects in this
> application are distributed to other hosts, perhaps adding these newly
> discovered hosts to the list of targets would be nice? Or is that
> something that should only be done by a pre-rule-"discovery"-script?
> Right now, nothing about these potential new hosts/ports is stored so
> other scripts can access the information.

It doesn't work as a prerule script, because prerules don't have any
host or port information to work with. (It wouldn't know where the
rmiregistries are.) But it could be added to rmi-dumpregistry, sure.

David Fifield

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
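The two ideas raised in this exchange (tagging the ports of remote objects found in the registry with version information, and handing hosts found in the registry to Nmap as new targets) can be sketched as an NSE helper. The following is an added illustration written for this archive page; it is not the rmi-dumpregistry script, not part of the rmi library, and not Nmap project code. It assumes a hypothetical `entries` list of registry bindings with `name`, `host` and `port` fields, as some parser of the registry dump might produce, and it only calls `nmap.set_port_version` on ports that Nmap already has in its port table (it is left as an assumption whether unscanned ports can be added that way); bindings on unscanned ports are only recorded in `nmap.registry` for later scripts. The `nmap`, `stdnse` and `target` library calls used are the standard NSE ones from a recent Nmap.

```lua
local nmap = require "nmap"
local stdnse = require "stdnse"
local target = require "target"

-- Illustrative helper (not rmi-dumpregistry's own code).
-- host:          the NSE host table of the host whose registry was dumped
-- registry_port: the port number the registry was found on (e.g. 1099)
-- entries:       hypothetical list of bindings, each a table like
--                { name = "jmxrmi", host = "10.0.0.5", port = 41287 }
-- Returns the number of new hosts handed to Nmap as targets.
local function record_remote_objects(host, registry_port, entries)
  -- Shared scratch space so other scripts (e.g. a postrule) can read
  -- what the registry dump found, which nothing stores today.
  nmap.registry.rmi_objects = nmap.registry.rmi_objects or {}
  local added_targets = 0

  for _, e in ipairs(entries) do
    table.insert(nmap.registry.rmi_objects, {
      registry_host = host.ip,
      registry_port = registry_port,
      name = e.name,
      host = e.host,
      port = e.port,
    })

    if e.host == host.ip then
      -- The remote object lives on the host being scanned. If its port
      -- was in the scanned range, Nmap has a port table for it and we can
      -- label it as java-rmi even though no version probe matched it.
      local port = nmap.get_port_state(host, { number = e.port, protocol = "tcp" })
      if port and port.state == "open" then
        port.version = port.version or {}
        port.version.name = "java-rmi"
        port.version.extrainfo = ("bound as '%s' in RMI registry on %d"):format(
          e.name, registry_port)
        nmap.set_port_version(host, port, "hardmatched")
      else
        stdnse.debug1("RMI object %s on port %d was not scanned; recorded in registry only",
          e.name, e.port)
      end
    elseif target.ALLOW_NEW_TARGETS then
      -- The object lives on another host. Only queue it when the user
      -- opted in with --script-args newtargets.
      local ok, err = target.add(e.host)
      if ok then
        added_targets = added_targets + 1
      else
        stdnse.debug1("target.add(%s) failed: %s", e.host, tostring(err))
      end
    else
      stdnse.debug1("RMI object %s is on %s:%d; pass newtargets to scan it",
        e.name, e.host, e.port)
    end
  end

  return added_targets
end

return { record_remote_objects = record_remote_objects }
```

A script's action function would call `record_remote_objects(host, port.number, entries)` after parsing the dump. Writing the bindings into `nmap.registry` is what makes the information available to other scripts at all; the version tagging is limited to ports Nmap already knows about, which is why the discussion above suggests sending the rmi probe more often rather than relying on the registry alone.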