Nmap Development mailing list archives

Re: [NSE] isakmp aggressive mode and version detection


From: David Fifield <david () bamsoftware com>
Date: Sat, 26 Jan 2013 22:35:15 -0800

On Mon, Jan 21, 2013 at 07:16:18PM +0100, Jesper Kückelhahn wrote:
> I'm sorry that I didn't include instructions for the script and files.
> I've tried to follow the convention currently used for file locations,
> which means that the script assumes that the files 'ike.lua' and
> 'ike-fingerprints.lua' are placed in 'nmap/nselib/' and
> 'nmap/nselib/data/', respectively. I think the error you are seeing is
> a consequence of 'ike-fingerprints.lua' not being found and loaded
> correctly.
>
> In my testing I've used the following syntax:
>
> # nmap --script=ike-version -p500 -sUV --version-intensity=0 -dd TARGET
>
> The script uses the same port as the one an isakmp service is listening on
> (UDP port 500) for socket:bind, so running an isakmp service on
> localhost could be causing some issues? This can be changed in line
> 332 in 'ike.lua'.

I got isakmp running on an OS X host and the script is still not working
for me.

$ sudo ./nmap --script=ike-version -p500 -sUV --version-intensity=0 -dd 192.168.0.3
NSE: Starting 'ike-version' (thread: 0x17bf580) against 192.168.0.3:500.
Initiating NSE at 22:32
Fetchfile found /home/david/nmap-git/nmap-rpc
NSOCK INFO [5.3670s] nsi_new2(): nsi_new (IOD #1)
NSOCK INFO [5.3830s] nsock_connect_udp(): UDP connection requested to 192.168.0.3:500 (IOD #1) EID 8
NSE: Sending Aggressive mode packet ...
NSOCK INFO [5.3830s] nsi_new2(): nsi_new (IOD #2)
NSOCK INFO [5.3860s] nsock_connect_udp(): UDP connection requested to 192.168.0.3:500 (IOD #2) EID 16
NSOCK INFO [5.3860s] nsock_trace_handler_callback(): Callback: CONNECT SUCCESS for EID 8 [192.168.0.3:500]
NSOCK INFO [5.3860s] nsock_trace_handler_callback(): Callback: CONNECT SUCCESS for EID 16 [192.168.0.3:500]
NSOCK INFO [5.3860s] nsock_trace_handler_callback(): Callback: WRITE SUCCESS for EID 27 [192.168.0.3:500]
NSOCK INFO [5.3860s] nsock_trace_handler_callback(): Callback: WRITE SUCCESS for EID 35 [192.168.0.3:500]
NSOCK INFO [5.3860s] nsock_readbytes(): Read request for 1 bytes from IOD #1 [192.168.0.3:500] EID 42
NSOCK INFO [5.3860s] nsock_readlines(): Read request for 1 lines from IOD #2 [192.168.0.3:500] EID 50
NSOCK INFO [5.3970s] nsock_trace_handler_callback(): Callback: READ SUCCESS for EID 50 [192.168.0.3:500] (285 bytes)
NSOCK INFO [5.4360s] nsi_delete(): nsi_delete (IOD #2)
NSE: IKE: Found IKE Header: 01: SA
NSE: IKE: Found IKE Header: 04: Key Exchange
NSE: IKE: Found IKE Header: 0A: Nonce
NSE: IKE: Found IKE Header: 05: ID
NSE: IKE: Found IKE Header: 08: Hash
NSE: 'ike-version' (thread: 0x17bf580) against 192.168.0.3:500 threw an error!
/home/david/nmap-git/nselib/ike.lua:183: bad argument #1 to 'pairs' (table expected, got nil)
stack traceback:
        [C]: in function 'pairs'
        /home/david/nmap-git/nselib/ike.lua:183: in function 'lookup'
        /home/david/nmap-git/nselib/ike.lua:310: in function </home/david/nmap-git/nselib/ike.lua:290>
        (...tail calls...)
        /home/david/nmap-git/scripts/ike-version.nse:58: in function 'get_version'
        /home/david/nmap-git/scripts/ike-version.nse:100: in function </home/david/nmap-git/scripts/ike-version.nse:99>
        (...tail calls...)

NSOCK INFO [35.3860s] nsock_trace_handler_callback(): Callback: READ TIMEOUT for EID 42 [192.168.0.3:500]
NSE: rpc-grind: isRPC didn't receive response.
NSE: Target port 500 is not a RPC port.
NSE: Finished 'rpc-grind' (thread: 0x17ad180) against 192.168.0.3:500.
NSOCK INFO [35.3870s] nsi_delete(): nsi_delete (IOD #1)
Completed NSE at 22:33, 30.02s elapsed

I have the files where they should be, I think:

$ git st
# On branch master
# Untracked files:
#   (use "git add <file>..." to include in what will be committed)
#
#       nselib/data/ike-fingerprints.lua
#       nselib/ike.lua
#       scripts/ike-version.nse

ike-scan returns something:

$ sudo ike-scan 192.168.0.3
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
192.168.0.3     Main Mode Handshake returned HDR=(CKY-R=5cb2bd6e239aef89) SA=(Enc=3DES Hash=SHA1 Auth=PSK Group=2:modp1024 LifeType=Seconds LifeDuration(4)=0x00007080) VID=afcad71368a1f1c96b8696fc77570100 (Dead Peer Detection v1.0)

Ending ike-scan 1.9: 1 hosts scanned in 0.008 seconds (119.95 hosts/sec).  1 returned handshake; 0 returned notify

David Fifield
_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
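The traceback above fails at ike.lua:183 inside `lookup`, where `pairs` is handed nil, which matches Jesper's suspicion that 'ike-fingerprints.lua' was never found and loaded. The following is an added example, not code from the ike.lua / ike-version.nse patch under discussion: a loader that returns nil plus a reason when the data file is missing, and a `lookup` that checks for a table before iterating, so the script reports the problem instead of killing its NSE thread. It assumes a local stand-in for `nmap.fetchfile()` (so it runs outside Nmap) and a constructed fingerprint file format (a Lua chunk returning a list of `{vid=..., name=...}` entries); the only entry is the Dead Peer Detection VID that ike-scan printed above.

```lua
-- Added example for this thread; not code from Jesper's ike.lua or
-- ike-version.nse. Plain Lua 5.2+, runnable outside Nmap.
--
-- Assumption: inside Nmap the resolver would be nmap.fetchfile(), which
-- returns the absolute path of a data file or nil. This stand-in does the
-- same with io.open so the script runs stand-alone.
local function fetchfile(relpath)
  local fh = io.open(relpath, "r")
  if not fh then return nil end
  fh:close()
  return relpath
end

-- Load a fingerprint file that, like an nselib/data file, is a Lua chunk
-- returning a table. Returns the table, or nil plus a reason.
local function load_fingerprints(relpath)
  local path = fetchfile(relpath)
  if not path then
    return nil, ("fingerprint file '%s' not found (is it under nselib/data/?)"):format(relpath)
  end
  local chunk, err = loadfile(path)
  if not chunk then return nil, err end
  local ok, fps = pcall(chunk)
  if not ok then return nil, fps end
  if type(fps) ~= "table" then
    return nil, ("'%s' did not return a table"):format(path)
  end
  return fps
end

-- The failure mode in the traceback: iterating a fingerprint table that was
-- never loaded. With fingerprints == nil this raises
-- "bad argument #1 to 'pairs' (table expected, got nil)" on Lua 5.2
-- (the wording differs slightly on later Lua versions).
local function lookup_unguarded(fingerprints, vid)
  for _, fp in pairs(fingerprints) do
    if fp.vid == vid then return fp.name end
  end
  return nil
end

-- Guarded lookup: return an error value for a missing table instead of
-- throwing inside the script's thread, so ike-version can print a
-- diagnostic and finish cleanly.
local function lookup(fingerprints, vid)
  if type(fingerprints) ~= "table" then
    return nil, "fingerprint table not loaded"
  end
  for _, fp in pairs(fingerprints) do
    if fp.vid == vid then return fp.name end
  end
  return nil, "no fingerprint matched vendor ID " .. vid
end

-- Demo: write a constructed fingerprint file to a temp path (assumed format).
local tmp = os.tmpname()
local fh = assert(io.open(tmp, "w"))
fh:write([[
return {
  { vid = "afcad71368a1f1c96b8696fc77570100", name = "Dead Peer Detection v1.0" },
}
]])
fh:close()

local vid = "afcad71368a1f1c96b8696fc77570100"

-- 1) File present: the lookup resolves the VID.
local fps = assert(load_fingerprints(tmp))
print("guarded, file present:  ", lookup(fps, vid))

-- 2) File missing (the situation in the thread): the load fails ...
local missing, why = load_fingerprints("nselib/data/ike-fingerprints.lua")
print("load from missing path: ", missing, why)

-- ... the unguarded lookup throws, which is what killed the NSE thread ...
local ok, err = pcall(lookup_unguarded, missing, vid)
print("unguarded, nil table:   ", ok, err)

-- ... and the guarded lookup returns nil plus a reason instead.
print("guarded, nil table:     ", lookup(missing, vid))

os.remove(tmp)
```

Run it with a plain `lua` interpreter from a directory that does not contain nselib/data/ike-fingerprints.lua to see both branches; inside Nmap the same check belongs right after the `nmap.fetchfile()` call, since the `-dd` output above shows "Fetchfile found" for nmap-rpc but never for the IKE fingerprint file.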