Nmap Development mailing list archives
Re: [NSE] How brute scripts and UN/PW scripts interact with creds
From: David Fifield <david () bamsoftware com>
Date: Thu, 29 Dec 2011 10:12:25 -0800
On Wed, Dec 28, 2011 at 09:38:16PM -0500, Brendan Byrd wrote:
On Wed, Dec 28, 2011 at 11:00 AM, Patrik Karlsson <patrik () cqure net> wrote:Make sure to check out the latest snmp-brute that was committed a few days ago.Looking at it now. Looks like it's just changes to the community string DB reader, so I'm try to get that merged in with my own code.At first I thought: wouldn't you achieve this by putting these 7-8 community strings in a community dictionary file (snmp-brute.communitiesdb) and running snmp-brute and whatever other snmp script you would like output from? As all snmp scripts should depend on snmp-brute it should find the proper string and have it for the other scripts running once it finishes.Besides the thing below, there's another problem: snmp-brute, and in fact, probably most of the brute scripts, don't appear to be "thread safe". We're talking when NMap executes 128 brute scripts for 128 hosts. The sending of packets appear to work just fine. However, when a host-specific receiver thread tells pcap that it needs to find a specific packet from its host, Pcap will happily discard all of the good responses from every other host until it has found the right packet for the host that this single thread is worried about. There's no real way of fixing this via Lua. The script is just executing code similar to this: pcap:pcap_open(host.interface, 104, false, "src host " .. host.ip .. " and udp and port " .. port.number) ... -- Yay, mass discards! local status, plen, l2, l3, _ = pcap:pcap_receive()
Are you sure about this? The pcap bindings have been designed not to have the problem you describe. I did a test with two scripts that capture all packets using a filter string of "ip", and both the scripts see the same packets, even when run at the same time. I attached the scripts. I ran them like this: $ sudo ./nmap -e eth0 --script=test-a,test-b -d2 Does the same thing happen when you do 20 simultaneous hosts, rather than 128? I can more easily imagine that is is caused by a limit on the number of BPF handles or something like that. David Fifield
Attachment:
test-a.nse
Description:
Attachment:
test-b.nse
Description:
_______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://seclists.org/nmap-dev/
Current thread:
- [NSE] How brute scripts and UN/PW scripts interact with creds Brendan Byrd (Dec 23)
- Re: [NSE] How brute scripts and UN/PW scripts interact with creds Patrik Karlsson (Dec 25)
- Re: [NSE] How brute scripts and UN/PW scripts interact with creds Brendan Byrd (Dec 28)
- Re: [NSE] How brute scripts and UN/PW scripts interact with creds Patrik Karlsson (Dec 28)
- Re: [NSE] How brute scripts and UN/PW scripts interact with creds Brendan Byrd (Dec 28)
- Re: [NSE] How brute scripts and UN/PW scripts interact with creds Patrik Karlsson (Dec 29)
- Re: [NSE] How brute scripts and UN/PW scripts interact with creds David Fifield (Dec 29)
- Re: [NSE] How brute scripts and UN/PW scripts interact with creds Patrik Karlsson (Dec 29)
- Re: [NSE] How brute scripts and UN/PW scripts interact with creds Patrik Karlsson (Dec 29)
- Re: [NSE] How brute scripts and UN/PW scripts interact with creds Brendan Byrd (Dec 29)
- Re: [NSE] How brute scripts and UN/PW scripts interact with creds Brendan Byrd (Dec 28)
- Re: [NSE] How brute scripts and UN/PW scripts interact with creds Patrik Karlsson (Dec 25)