Nmap Development mailing list archives

Re: [NSE] Draft - targets-sniffer.nse


From: Nick Nikolaou <nikolasnikolaou1 () gmail com>
Date: Tue, 22 Mar 2011 19:46:05 +0000

Thanks for the quick replies guys.

I can't look into the other issues you mention about the script right now, but
glancing at it I see you aren't using the Packet nselib.  Look at
nselib/packet.lua and the various raw packet scripts (ipidseq, qscan,
path-mtu, firewalk) to see how to use it (the nselib provides more than what
scripts use right now IIRC).


For this you should use the packet library:
http://nmap.org/nsedoc/lib/packet


Thanks. I did see other scripts using the Packet library but I was having
trouble getting the IP addresses. I guess I have some more reading to do.


We don't have a way for scripts to get the list of interfaces, but
Djalal has a patch to do it: http://seclists.org/nmap-dev/2011/q1/291.
It hasn't been added yet because there isn't a script to use it, but you
can make it a part of your patch if it helps.


I'll see if/how I could incorporate that, thanks.


On 22 March 2011 19:17, Toni Ruottu <toni.ruottu () iki fi> wrote:



It fails unless you are root, for understandable reasons.


I forgot to mention that. I'll make sure I add it to the description field.

Nick

On 22 March 2011 19:17, Toni Ruottu <toni.ruottu () iki fi> wrote:

This thing is cool!

It fails unless you are root, for understandable reasons. Do we have
some kind of policy for scripts that require root? I think there
should be a way for scripts to report this to nmap, and nmap should
probably abort the scan if the user has requested root features while
being non-root. I am not sure if this is possible at the moment. I am
not sure I understand the big picture.

It would be useful for the final version to take a filter argument
that is used to filter out noise. Maybe we want to scan all services
that one host is accessing, or maybe we want to scan all hosts that
are accessing some service. I think there are some standard languages
for defining such packet filtering. We should probably implement them
in a library rather than in each script specifically. What filtering
languages do we want to use? Do we already have support for one of
them?

On Tue, Mar 22, 2011 at 8:44 PM, Nick Nikolaou
<nikolasnikolaou1 () gmail com> wrote:
Hello everyone,

Attached is a draft of a targets-sniffer script. The script sniffs for a
configured amount of time and adds addresses from packets it sees in
newtargets. (https://secwiki.org/w/Nmap_Script_Ideas#targets-sniffer)

The script still needs work but I was hoping to get some feedback from the
list.

Example usage:
nmap -sL --script targets-sniffer.nse --script-args=newtargets

This will perform a list scan on the IP addresses it sniffs, ignoring
duplicates and broadcasts. (You can use -d to see the IP addresses as they
are sniffed)


*Issues that need to be resolved:*

1) The sniffing interface is hard-coded at the moment. Is there a way to get
the active interface in a prerule script? Alternatively I could change the
rule to a hostrule. (and maybe a high enough runlevel to ensure the script
runs first?)

2) The pcap socket doesn't time out.  The only way I got it to timeout was
to set the timeout value to <=1s. Even then if it sniffed a packet it
wouldn't timeout. I ended up using a temporary nmap.clock() based solution
in order to test the script.

3) I'm not really happy with the way the script extracts the IP addresses
from the packets at the moment.

4) Any other issues you find.

Thanks for any feedback.
Nick

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
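The following is an added example written for this archive page; it is not Nick's attached draft and not a script from the Nmap distribution. It shows the pieces the thread discusses in one place: a prerule that declines when the process is not root or when --script-args=newtargets was not given, address extraction through nselib/packet.lua (Packet:new parses the IPv4 header and exposes ip_src/ip_dst), a BPF expression handed to pcap_open as the filter language Toni asks about, and an nmap.clock_ms() deadline in place of relying on the pcap socket timeout alone. The script-arg names (targets-sniffer.iface, targets-sniffer.timeout, targets-sniffer.filter), the eth0 default, the 30 second default window and the "ip" default filter are this example's own choices, not anything from the thread.

```lua
-- Added example, not Nick's draft: a prerule sniffer built on nselib/packet.lua
-- and nselib/target.lua. Script-arg names and the eth0 / 30 s / "ip" defaults
-- are assumptions made for this example.
local nmap   = require "nmap"
local packet = require "packet"
local stdnse = require "stdnse"
local target = require "target"
local ipOps  = require "ipOps"

description = [[
Sniffs an interface for a short time and adds every IPv4 address seen in
captured packets as a new scan target. Requires root (raw pcap capture)
and --script-args=newtargets; otherwise the prerule declines to run.
]]

categories = {"discovery", "safe"}

-- Addresses never worth scanning: unspecified, limited broadcast, multicast.
-- (Subnet-directed broadcasts need the interface mask, which is not read here.)
local function is_noise(ip)
  if ip == "0.0.0.0" or ip == "255.255.255.255" then return true end
  return ipOps.ip_in_range(ip, "224.0.0.0/4") == true
end

prerule = function()
  if not nmap.is_privileged() then
    stdnse.print_debug(1, "%s: pcap capture needs root privileges", SCRIPT_NAME)
    return false
  end
  if not target.ALLOW_NEW_TARGETS then
    stdnse.print_debug(1, "%s: run with --script-args=newtargets", SCRIPT_NAME)
    return false
  end
  return true
end

action = function()
  local iface  = stdnse.get_script_args(SCRIPT_NAME .. ".iface") or "eth0"
  local secs   = tonumber(stdnse.get_script_args(SCRIPT_NAME .. ".timeout")) or 30
  -- BPF (tcpdump) syntax; pcap_open applies it in the kernel/libpcap filter.
  local filter = stdnse.get_script_args(SCRIPT_NAME .. ".filter") or "ip"

  local sock = nmap.new_socket()
  -- Bound each pcap_receive() so an idle link cannot block the loop forever;
  -- the wall-clock deadline below decides when the whole capture stops.
  sock:set_timeout(1000)
  local ok, err = pcall(sock.pcap_open, sock, iface, 1500, true, filter)
  if not ok then
    return ("could not open %s for capture: %s"):format(iface, tostring(err))
  end

  local seen, added = {}, {}
  local deadline = nmap.clock_ms() + secs * 1000
  while nmap.clock_ms() < deadline do
    -- status is false on timeout; l3 is the frame with its link header stripped
    local status, _, _, l3 = sock:pcap_receive()
    if status and l3 then
      local p = packet.Packet:new(l3, #l3)   -- nil unless it parses as IPv4
      if p and p.ip_src and p.ip_dst then
        for _, ip in ipairs({ p.ip_src, p.ip_dst }) do
          if not seen[ip] then
            seen[ip] = true
            if is_noise(ip) then
              stdnse.print_debug(2, "%s: ignoring %s", SCRIPT_NAME, ip)
            else
              stdnse.print_debug(1, "%s: sniffed %s", SCRIPT_NAME, ip)
              if target.add(ip) then added[#added + 1] = ip end
            end
          end
        end
      end
    end
  end
  sock:pcap_close()

  if #added == 0 then return nil end
  table.sort(added)
  return ("added %d new targets: %s"):format(#added, table.concat(added, ", "))
end
```

Run as root, e.g. `nmap -sL --script targets-sniffer --script-args=newtargets,targets-sniffer.iface=eth0,targets-sniffer.timeout=20 -d`; the -d output shows each address as it is sniffed, and the filter argument accepts any BPF expression (for instance `targets-sniffer.filter="tcp and not port 22"`) to narrow the capture to the traffic of interest.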
