Nmap Development mailing list archives
Nmap GSoC 2012 Success Report
From: Fyodor <fyodor () nmap org>
Date: Fri, 19 Oct 2012 16:04:04 -0700
Hi Folks. I'm pleased to report that we have successfully completed our 8th Google Summer of Code! Four of our five students passed. They wrote a lot of great code, and almost all of it has been integrated in either the big Nmap 6.00 release, the 6.01 followup, or the current SVN trunk. I'd like to give a big shout out to Peter, Aleks, Hani, and Sean for doing such a wonderful job! Let's look at their accomplishments individually: *Piotr Olma* focused on improving our web scanning support. He made numerous improvements and fixes to our web spidering and HTTP pipelining system, and he also wrote or co-authored 7 scripts, including an HTTP form fuzzer, a sitemap generator, and brute forcers for POP3, IRC SASL, and HTTP digest authentication. *Aleksandar Nikolic* was our NSE vulnerability and exploitation specialist. He dramatically improved the brute force authentication testing and username/password libraries. He also wrote 19 scripts, including: o dns-nsec3-enum uses a clever "NSEC3 walking" technique to enumerate DNSSEC records. http://nmap.org/nsedoc/scripts/dns-nsec3-enum.html o samba-vuln-cve-2012-1182, smb-vuln-ms10-054, and smb-vuln-ms10-061 detect serious vulnerabilities in the Windows and Samba SMB stacks. o pcanywhere-brute, ftp-brute, and metasploit-msgrpc-brute perform brute force password auditing against these three popular protocols. *Hani Benhabiles* spent the summer improving Nmap's network discovery NSE scripts. He replaced our aging (yet very important) SunRPC enumeration system with a faster and easier to maintain NSE-based RPC grinder. He also wrote an incredible 22 scripts, including: o broadcast-eigrp-discovery, broadcast-igmp-discovery, broadcast-pim-discovery, and lltd-discovery use these protocols in clever ways to enumerate available hosts. o http-waf-fingerprint tries to detect and fingerprint web application firewalls protecting a website, while firewall-bypass tries to trick the Netfilter firewall framework into allowing a connection by exploiting its ftp helper module. o sip-methods, sip-enum-users, and sip-call-spoof allow for discovery and manipulation of VoIP services. Thanks to Peter, Aleks, Hani, and dozens of other contributors, Nmap now contains more than 430 NSE scripts. Further information on all of them is available on our documentation portal: http://nmap.org/nsedoc/ While the NSE team was writing amazing scripts, *Sean Rivera* was leading the "Great Bug Hunt", helping to fix up, clean, and improve numerous parts of Nmap. For example, he fixed a "spurious closed port" bug that has been annoying us for a while and he added protocol-specific payloads for IPv6 hop-by-hop (0x00), routing (0x2b), fragment (0x2c), and destination (0x3c) headers. Sean fixed some Nping bugs as well. In addition to my shout out to the students, I'd like to thank my fellow mentors David Fifield, Henri Doreau, and Patrick Donnelly for supporting these efforts and always being there to help! Finally, I'd like to thank Google for making all of this possible! They have spent tens of millions of dollars sponsoring thousands of students to work on hundreds of open source projects. Nmap by itself has mentored 59 SoC students in the last 8 years and some continue as top Nmap developers to this day. If you enjoy Zenmap, the Nmap Scripting Engine, Ncat, Nping, or Ndiff, you're using features developed in a large part by previous Summer of Code students! Cheers, Fyodor PS: For those who are interested, here are our previous success (pass) rates and wrap-up reports: 2012 (4/5 - 80%): [this report] 2011 (7/7 - 100%!): http://seclists.org/nmap-dev/2012/q1/542 2010 (8/8 - 100%!): http://seclists.org/nmap-dev/2011/q1/708 2009 (6/6 - 100%!): http://seclists.org/nmap-dev/2009/q4/148 2008 (6/7 - 86%): http://bit.ly/googleblognmap 2007 (5/6 - 83%): http://seclists.org/nmap-dev/2007/q4/24 2006 (8/10 - 80%): http://seclists.org/nmap-dev/2007/q1/235 2005 (7/10 - 70%): http://slashdot.org/comments.pl?sid=183143&cid=15133184 Overall 51 or our 59 students (86%) passed. _______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://seclists.org/nmap-dev/
Current thread:
- Nmap GSoC 2012 Success Report Fyodor (Oct 19)