Nmap Development mailing list archives

Re: [NSE] rpc.lua fix for binding to reserved ports (tcp)

From: David Fifield <david () bamsoftware com>
Date: Thu, 20 Sep 2012 18:16:45 -0700

On Thu, Sep 20, 2012 at 09:39:41AM -0500, Daniel Miller wrote:

This issue has come up previously (), but we missed a situation that
I've run into: When a host stops responding to probes (possibly due
to an adaptive firewall detecting the portscan phase),


Also when a host replies with a SYN/ACK for ports that aren't really
open. That's what we saw in
        http://seclists.org/nmap-dev/2012/q3/864
        http://seclists.org/nmap-dev/2012/q3/872
You can simulate the situation Daniel is describing with the syn.py
script from http://seclists.org/nmap-dev/2012/q3/955 and
        ./nmap --script=rpc-grind localhost -p 1000 --packet-trace

rpc-grind and possibly other scripts will take a long time timing out
with every source port between 600 and 1024, since that portion of
rpc.lua doesn't check the type of failure (timeout vs. port in use,
specifically). Here's a patch to add that check:

--- a/nselib/rpc.lua
+++ b/nselib/rpc.lua
@@ -171,9 +171,14 @@ Comm = {
             status, err = socket:bind(nil, resvport)
             if status then
               status, err = socket:connect(host, port)
-              if status then break end
+              if status or err == "TIMEOUT" then break end
             end
           end
+          if not status and err ~= "TIMEOUT" then
+            stdnse.print_debug("%s reserved port bind failed,
trying ephemeral port", self.program)
+            socket = nmap.new_socket()
+            status, err = socket:connect(host, port)
+          end
         else
           status, err = socket:connect(host, port)
         end

The only thing I'm not sure about is whether to explicitly check for
TIMEOUT the first time, or simply check for err ~= "ERROR", which is
what ought to happen with EADDRINUSE. Thoughts?


Check for "TIMEOUT". That's the situation that will take a lot of time
that we're most concerned about. (Iterating 400 ports still takes
non-negligible time even when the connections fail quickly, which is
another reason I don't think we should do this reserved port search.)
Don't bother trying an ephemeral port if the reserved ports fail; it's
not worth the additional complexity and I think we'll end up rewriting
this code anyway. Make sure that the socket is closed even if there is a
timeout to avoid the problem that was worked around in r29840.

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/

Current thread:

[NSE] rpc.lua fix for binding to reserved ports (tcp) Daniel Miller (Sep 20)
- Re: [NSE] rpc.lua fix for binding to reserved ports (tcp) David Fifield (Sep 20)
- Re: [NSE] rpc.lua fix for binding to reserved ports (tcp) David Fifield (Sep 20)
  - Re: [NSE] rpc.lua fix for binding to reserved ports (tcp) Daniel Miller (Sep 20)
    - Re: [NSE] rpc.lua fix for binding to reserved ports (tcp) David Fifield (Sep 20)