Re: [NSE] How brute scripts and UN/PW scripts interact with creds

[Patrik Karlsson <patrik () cqure net>]

On Thu, Dec 29, 2011 at 7:12 PM, David Fifield <david () bamsoftware com>wrote:

> On Wed, Dec 28, 2011 at 09:38:16PM -0500, Brendan Byrd wrote:
> > On Wed, Dec 28, 2011 at 11:00 AM, Patrik Karlsson <patrik () cqure net>
> wrote:
> > > Make sure to check out the latest snmp-brute that was committed a few
> days
> > > ago.
> >
> > Looking at it now.  Looks like it's just changes to the community string
> DB
> > reader, so I'm try to get that merged in with my own code.
> >
> >
> > > At first I thought: wouldn't you achieve this by putting these 7-8
> > > community strings in a community dictionary file
> (snmp-brute.communitiesdb)
> > > and running snmp-brute and whatever other snmp script you would like
> output
> > > from? As all snmp scripts should depend on snmp-brute it should find
> the
> > > proper string and have it for the other scripts running once it
> finishes.
> > >
> >
> > Besides the thing below, there's another problem: snmp-brute, and in
> fact,
> > probably most of the brute scripts, don't appear to be "thread safe".
> > We're talking when NMap executes 128 brute scripts for 128 hosts.  The
> > sending of packets appear to work just fine.  However, when a
> host-specific
> > receiver thread tells pcap that it needs to find a specific packet from
> its
> > host, Pcap will happily discard all of the good responses from every
> other
> > host until it has found the right packet for the host that this single
> > thread is worried about.
> >
> > There's no real way of fixing this via Lua.  The script is just executing
> > code similar to this:
> >
> > pcap:pcap_open(host.interface, 104, false, "src host " .. host.ip .. "
> and
> > udp and port " .. port.number)
> > ...
> > -- Yay, mass discards!
> > local status, plen, l2, l3, _ = pcap:pcap_receive()
>
> Are you sure about this? The pcap bindings have been designed not to
> have the problem you describe. I did a test with two scripts that
> capture all packets using a filter string of "ip", and both the scripts
> see the same packets, even when run at the same time.
>
> I attached the scripts. I ran them like this:
> $ sudo ./nmap -e eth0 --script=test-a,test-b -d2
>
> Does the same thing happen when you do 20 simultaneous hosts, rather
> than 128? I can more easily imagine that is is caused by a limit on the
> number of BPF handles or something like that.
>
> David Fifield
>
> _______________________________________________
> Sent through the nmap-dev mailing list
> http://cgi.insecure.org/mailman/listinfo/nmap-dev
> Archived at http://seclists.org/nmap-dev/

I guess the change I made, adding the source port to the BPF filter doesn't
hurt?
Anyway, I'm having trouble running your scripts as they instantly crash, it
seems to be a problem in the packet library.
I think I've tracked it down to a SSL session to twitter. Any TCP/IP guru
that would like to debug?

Cheers,
Patrik
-- 
Patrik Karlsson
http://www.cqure.net
http://twitter.com/nevdull77
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/