Nmap Development mailing list archives

set_port_state fails to introduce new ports


From: Toni Ruottu <toni.ruottu () iki fi>
Date: Fri, 31 Dec 2010 12:45:07 +0200

I had some problems using set_port_state, so I wrote a minimal script
to reproduce the problem. The attached script set666.nse sets udp port
666 to state "open" for all hosts. Try running it on a machine where
the port 666 is closed. I'd use
nmap -p 80 -sU --script set666.nse 127.0.0.1
The results should show open port 666, but they do not.

This behavior prevents NSE scripts from reporting new scan results
they come across while executing scripts. There are lots of discovery
services that can be probed to get exact ip/port combinations to use
as scan targets. The appropriate behavior to make use of such
information would include a combination of a prerule and a hostrule. In
such a setup the prerule would probe the discovery service, adding the
ips to scan targets and recording the corresponding ports to the
registry. The host rule would get the port from the registry, scan it,
and set the correct state using set_port_state. Any further analysis
could be done using a portrule, since the host rule would have set the
port state to "open".

Fixing set_port_state to support ports outside the original
specification would not only fix the problems with using discovery
services, but also have other uses where the exact host/port
combination is known. Such cases include crawling a network. With some
protocols one can use a portrule script to get the target's connection
table. This makes it possible to add other connected nodes into
targets, but most of the time the connection table also reveals a
working target port. Being able to have nmap scan that port is golden
as the port is probably open, and running the service we are currently
interested in.

Fixing set_port_state is a good start towards writing service
discovery and crawling scripts, but there might be other ways to make
writing such scripts even more convenient. Some of them might be even
more efficient, or more convenient to implement. What do you think?

  --Toni

Attachment: set666.nse

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
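The prerule/hostrule/portrule workflow proposed in the message, written out as an added example. This is not the set666.nse attached to the message (the attachment is not reproduced on this page) and not Nmap's own code. The discovery service is stood in for by a constructed script argument `discovered` holding ip:proto/port entries (an assumption made so the script runs offline); the helper names `parse_discovered` and `probe`, and the "any reply means open" heuristic, are this example's own. It relies on the `nmap`, `stdnse`, `target` and `shortport` libraries shipped with Nmap, and `target.add` only queues new hosts when `newtargets` is passed in `--script-args`. Whether a port marked with `nmap.set_port_state` from the hostrule then appears in the port table (and therefore reaches the portrule) is exactly the behaviour the message reports as broken, so treat the script as a harness for testing that, not as a claim that it works on every Nmap version.

```lua
-- Added example (not the attached set666.nse, not Nmap project code):
-- feed discovered ip/port pairs back into the scan and record their state.
local nmap = require "nmap"
local stdnse = require "stdnse"
local target = require "target"
local shortport = require "shortport"

description = [[
Queues hosts learned from a (simulated) discovery service, probes the
ports it reported from a hostrule, and records the result with
nmap.set_port_state so a portrule can pick the port up afterwards.
]]
author = "example"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"discovery", "safe"}

-- Usage (the "discovered" argument stands in for a real discovery service,
-- an assumption of this example; newtargets is required by target.add):
--   nmap -sU -p 666 --script ./discover-and-mark.nse \
--        --script-args newtargets,discovered='192.0.2.10:udp/666' 192.0.2.10

-- Parse "ip:proto/port,ip:proto/port,..." into { [ip] = { {number=, protocol=}, ... } }.
local function parse_discovered(arg)
  local found = {}
  for ip, proto, num in string.gmatch(arg or "", "([%d%.]+):(%a+)/(%d+)") do
    found[ip] = found[ip] or {}
    table.insert(found[ip], { number = tonumber(num), protocol = proto })
  end
  return found
end

-- Heuristic (assumption): a completed connect, plus any datagram in reply
-- for UDP, is treated as "open"; silence is inconclusive and leaves the
-- port's state untouched.
local function probe(host, port)
  local sock = nmap.new_socket()
  sock:set_timeout(2000)
  local ok = sock:connect(host, port, port.protocol)
  if not ok then
    sock:close()
    return false
  end
  local reached = true
  if port.protocol == "udp" then
    sock:send("\r\n")
    local got = sock:receive()
    reached = got and true or false
  end
  sock:close()
  return reached
end

-- prerule: only runs when discovery results were supplied.
prerule = function()
  return stdnse.get_script_args("discovered") ~= nil
end

-- hostrule: fires for hosts the prerule recorded in the registry.
hostrule = function(host)
  local reg = nmap.registry.discovered
  return reg ~= nil and reg[host.ip] ~= nil
end

-- portrule: the analysis step the message wants to run once the port is "open".
portrule = shortport.port_or_service(666, nil, "udp")

-- One action serves all three rules; NSE passes (nil, nil) for the prerule
-- and (host, nil) for the hostrule.
action = function(host, port)
  if host == nil then
    nmap.registry.discovered = parse_discovered(stdnse.get_script_args("discovered"))
    local added = {}
    for ip, _ in pairs(nmap.registry.discovered) do
      if target.add(ip) then table.insert(added, ip) end
    end
    return #added > 0 and ("queued " .. table.concat(added, ", ")) or nil
  elseif port == nil then
    local out = {}
    for _, p in ipairs(nmap.registry.discovered[host.ip]) do
      if probe(host, p) then
        nmap.set_port_state(host, p, "open")
        table.insert(out, p.protocol .. "/" .. p.number .. " marked open")
      else
        table.insert(out, p.protocol .. "/" .. p.number .. " no reply, state unchanged")
      end
    end
    return table.concat(out, "\n")
  else
    return "port script saw " .. port.protocol .. "/" .. port.number .. " in state " .. port.state
  end
end
```

Run it once against a host where the reported port answers and once where it does not: the hostrule output tells you which branch was taken, and the presence or absence of a "port script saw ..." line for a port that was not in `-p` is the observable for the set_port_state problem the message describes.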