Re: GSoC 2011: NSE Script Development

[Toni Ruottu <toni.ruottu () iki fi>]

I do not know what is most useful, but if you are interested about
backorifice-info I think I can help you get started.

First you need to be able to use the software normally without nmap.
You can get the package from http://www.cultdeadcow.com/tools/bo.zip
My Wine networking breaks shortly after the client connects to the
server. I believe there is some bug in Wine. If you do not get it to
work under Wine, you need to set up Windows 95 or 98, as I think it
does not work on later Windows versions. When you run the server the
executable will disappear, and the server will autostart with the
system after that. Google can probably tell you how to get rid of it
later, but do not run this on critical systems.

The source to the unix client is available from
http://www.cultdeadcow.com/tools/bo121unix.tar.gz and the protocol is
described at http://www.magnux.org/~flaviovs/boproto.html It is a
binary protocol, so you need to get familiar with the bin library NSE
provides you. See http://nmap.org/nsedoc/lib/bin.html

There is some crypto involved which makes the task a bit hard. I
suggest you start by writing a script that does the handshake, by
sending a correctly encrypted ping, and decrypting the response. If
you get any response the packet you sent was probably right. The
server seems to never responds to invalid packets.

You could use Wireshark to intercept some packets sent by the real
client, and use those as examples while writing your script. Once you
are able to exchange packets with the server, you can build on that
and go on to design and write an info script.

On Mon, Mar 28, 2011 at 6:10 AM, Gorjan Petrovski <mogi57 () gmail com> wrote:
> Hello David,
>
> Thank you for replying and for the useful information. I read the
> Google Summer of Code documentation thoroughly and got some knowledge
> of Lua scripting and the NSE libraries. I must say it is quite an
> elegant solution for extending functionality.
> Now I feel I should start implementing a new script in order to
> perfect my knowledge. I've had my eye on the backorifice-info script
> from the Script_Ideas page because the source code is available and
> maybe I would be able to implement before the GSoC application
> deadline, but if you have a more useful script in mind, like a certain
> exploit or vulnerability, I would be happy to try my wits at it.
>
> Thanks,
> Gorjan Petrovski
>
>
> On Thu, Mar 24, 2011 at 8:37 PM, David Fifield <david () bamsoftware com> wrote:
> > On Wed, Mar 23, 2011 at 05:48:04PM +0100, Gorjan Petrovski wrote:
> > > Hello Nmap developers,
> > >
> > > My name is Gorjan Petrovski and I've been eagerly waiting for GSoC
> > > this year, hoping to cut my skills on the Nmap project. I'm a 4-th
> > > year student of Computer Systems Engineering, with only 2 exams and my
> > > thesis to go, so I'll be available and ready to do full-time work this
> > > summer.
> > >
> > > I have a general knowledge of networking protocols, plenty of C/C++
> > > experience, some of it using sockets. I have also made several python
> > > scripts for personal use and I'm quite familiar with bash scripting.
> > > I've also done some (little) tampering with exploits, mostly local
> > > ones (shellcode).
> > >
> > > I'm really interested in doing research with vulnerabilities and
> > > exploits. I've already gotten myself familiar with Nmap and the NSE
> > > functionality through Fyodor's book and against a couple of local
> > > virtual machines and I'm currently learning Lua while testing and
> > > reading some existing scripts.
> > >
> > > Any suggestions on how to proceed futher, am I on the right path?
> > > Ideas for a beginner's script that would be useful?
> > > Are there any especially important scripts to write?
> > > For the development of vulnerability and exploits NSE scripts, would
> > > there be an emphasis on new exploits, or old and popular ones which
> > > haven't yet made it to NSE?
> >
> > Hi Gorjan, thanks for writing. You are on the right path so far. If you
> > haven't yet, read the pages
> >        http://www.google-melange.com/gsoc/org/home/google/gsoc2011/nmap
> >        http://nmap.org/soc/
> >        http://nmap.org/soc/GeneralRequirements.html
> >        http://nmap.org/soc/apply.html
> >
> > Some script ideas are at https://secwiki.org/w/Nmap/Script_Ideas. For a
> > gentle beginner's introduction, you might try reimplementing
> > http-date.nse: http://nmap.org/nsedoc/scripts/http-date.
> >
> > We want to focus on new important vulnerabilities, less on historical
> > vulnerabilities.
> >
> > David Fifield
> _______________________________________________
> Sent through the nmap-dev mailing list
> http://cgi.insecure.org/mailman/listinfo/nmap-dev
> Archived at http://seclists.org/nmap-dev/
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/