Nmap Development mailing list archives

Least Privileges for NMAP


From: starlight.2012q3 () binnacle cx
Date: Wed, 12 Sep 2012 12:18:39 -0400

Hello,

I recently started experimenting with the -A
option and have an observation.  It's clear
that -sC scripts are numerous, complex and
buggy.

Seems probable that blackhats will take
advantage of this and write exploits designed
to inject malware into systems scanning their
hosts with 'nmap -A'.

In keeping with this I am now issuing

   chown nobody:nobody nmap
   chmod ug+s nmap
   setcap cap_net_raw+ep nmap

and adding the

   --privileged

option to the 'nmap' command line.  It
works well and greatly reduces the likelihood
of a 'nmap' exploit successfully infecting
the system where 'nmap' is run.

It would be fairly straightforward to have
'nmap' natively issue system calls to
produce the same least-privilege state
as the above commands.  I suggest that this
be implemented.

The semantics of Linux capabilities changed
somewhat in 2.6.25 and this might require
some conditional logic that refers to
/proc/version.

Perhaps it would make sense to make use
of the Google Chrome sandbox when 'nmap'
is run under Windows, though I imagine adding
the feature would be a large effort.

Thanks for the great software!

Regards

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
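The post suggests that nmap could reach the same least-privilege state natively, through system calls, instead of relying on chown/chmod/setcap plus --privileged. The following is an added example, not code from the post or from the Nmap project, of what such a drop-privileges routine looks like on Linux: start as root, mark capabilities as kept across the uid change with prctl(PR_SET_KEEPCAPS), switch to an unprivileged user (here "nobody", an assumption), then use capset() to shrink the permitted and effective sets down to CAP_NET_RAW only. It uses the v3 capability ABI (_LINUX_CAPABILITY_VERSION_3, available since kernel 2.6.26), which is one concrete form of the kernel-version conditional the post mentions; the function names and the two-word bitmask helpers are this example's own.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>
#include <linux/capability.h>

/* The v3 capset() ABI carries each capability set as two 32-bit words.
 * Capabilities 0..31 live in word 0, 32..63 in word 1. These helpers
 * (hypothetical names) map a capability number onto that layout. */
static uint32_t cap_bit(int cap)  { return (uint32_t)1 << (cap % 32); }
static int      cap_word(int cap) { return cap / 32; }

/* Fill a two-word capability data array that keeps only `cap` in the
 * permitted and effective sets; the inheritable set is left empty so
 * nothing is passed on across exec(). */
static void build_caps(struct __user_cap_data_struct data[2], int cap)
{
    memset(data, 0, 2 * sizeof(*data));
    data[cap_word(cap)].permitted = cap_bit(cap);
    data[cap_word(cap)].effective = cap_bit(cap);
}

/* Move the calling process from root to `user`, retaining only `cap`.
 * Returns 0 on success, -1 with errno set on failure. Must be called
 * before any untrusted input (e.g. script output) is processed. */
int drop_to_user_keeping_cap(const char *user, int cap)
{
    if (geteuid() != 0) { errno = EPERM; return -1; }

    struct passwd *pw = getpwnam(user);
    if (pw == NULL) { errno = ENOENT; return -1; }

    /* Keep the permitted set across the uid change; without this,
     * setuid() to a non-root uid clears all capabilities. */
    if (prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0) != 0) return -1;

    /* Drop supplementary groups first, then gid, then uid (this order
     * matters: once uid is non-root, the group changes would fail). */
    if (setgroups(0, NULL) != 0) return -1;
    if (setgid(pw->pw_gid) != 0) return -1;
    if (setuid(pw->pw_uid) != 0) return -1;

    /* Now shrink permitted/effective to the single capability. The
     * effective set was cleared by setuid(), but CAP_NET_RAW is still
     * permitted, so re-raising it here is allowed. */
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[2];
    build_caps(data, cap);
    if (syscall(SYS_capset, &hdr, data) != 0) return -1;

    /* Restore the default so a later uid change drops everything. */
    if (prctl(PR_SET_KEEPCAPS, 0, 0, 0, 0) != 0) return -1;
    return 0;
}

int main(void)
{
    if (drop_to_user_keeping_cap("nobody", CAP_NET_RAW) != 0) {
        perror("drop_to_user_keeping_cap");
        return 1;
    }
    /* From here on the process can open raw sockets but is otherwise
     * an ordinary "nobody" process. */
    printf("running as uid %u with CAP_NET_RAW only\n", (unsigned)getuid());
    return 0;
}
```

Run as root to see the drop take effect; as a non-root user the function refuses with EPERM rather than pretending to succeed. The bounding set and securebits are left at their defaults here; a production version would also consider clearing the bounding set so that an exec() from the sandboxed process cannot regain anything beyond CAP_NET_RAW.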