Re: [NSE] IKE information extraction

[Jesper Kückelhahn <dev.kyckel () gmail com>]

Hi Patrik,

I guess I missed your point about using a mutex; I initially didn't think
about implementing it in the ike lib, which makes more sense. I've attached
a patch against SVN that includes mutex. Thanks again for the pointer.

I've also attached an updated ike-info.nse that extracts more information,
specifically the use of aggressive mode authentification and pre-shared
keys (CVE-2002-1623).


- Jesper




On Tue, May 21, 2013 at 8:41 PM, Jesper Kückelhahn <dev.kyckel () gmail com>wrote:

> Hi Patrik,
>
> I've looked a bit more into to this, and using a mutex scheme, requires
> that the two scripts (version detection and information extraction) sets
> the mutex. This would solve the problem of both these scripts trying to
> bind to UDP 500, but would require other scripts binding to this port to
> also use this mutex, which could lead to transparency issues.
>
> Would it make more sense to extend the 'bind' method of new_socket, to
> include this functionality, i.e. let 'bind' check if a mutex is set for a
> given port/protocol, and then wait for it to be released ?
>
>
> - Jesper
>
>
> On May 21, 2013, at 10:05 AM, Jesper Kückelhahn <dev.kyckel () gmail com>
> wrote:
>
> Hi Patrik,
>
> Thanks for the pointer. I'll look into using this for for the script.
>
> - Jesper
>
>
> On Tue, May 21, 2013 at 3:01 AM, Patrik Karlsson <patrik () cqure net> wrote:
>
> > Jesper,
> >
> > I don't think there is a way to tell if the port is in use or not but if
> > you want to avoid that the scripts run at the same time you could use a
> > mutex. There some more information here;
> > http://nmap.org/book/nse-parallelism.html
> >
> > /Patrik
> >
> >
> > On Mon, May 20, 2013 at 6:38 PM, Jesper Kückelhahn <dev.kyckel () gmail com>wrote:
> >
> > > Hi list,
> > >
> > > I've attached a script for extracting information from an IKE service
> > > and a
> > > patch for ike.lua.
> > >
> > > The IKE response might contain useful information such as the internal IP
> > > address, domain name or username, which the script displays. Also matched
> > > vendor IDs are displayed.
> > >
> > > The ike.lua.patch adds extra functionality to support the extraction (and
> > > some minor refactoring).
> > >
> > > Example outputs:
> > >
> > > PORT    STATE SERVICE REASON       VERSION
> > > 500/udp open  isakmp  udp-response SonicWall
> > > | ike-info:
> > > | Information
> > > |   ID details
> > > |     Type
> > > |       ID_USER_FQDN
> > > |     Value
> > > |       DJ-G005
> > > |   Vendor IDs
> > > |_    SonicWall
> > >
> > > PORT    STATE SERVICE REASON
> > > 500/udp open  isakmp  udp-response
> > > | ike-info:
> > > | Information
> > > |   ID details
> > > |     Type
> > > |       ID_IPV4_ADDR
> > > |     Value
> > > |       10.0.0.99
> > > |   Vendor IDs
> > > |     Cisco Unity
> > > |     XAUTH
> > > |     Dead Peer Detection v1.0
> > > |     IKE FRAGMENTATION
> > > |     Cisco VPN Concentrator 3000 4.0.7
> > > |_    Cisco VPN Concentrator 3000
> > >
> > > Currently there's a minor bug, as both the ike version detection script
> > > and
> > > ike-info.nse both try to bind to port 500 UDP. Is there a nice way to
> > > wait
> > > for the port to become available ?
> > >
> > >
> > > Regards
> > >   Jesper Kückelhahn
> > >
> > > _______________________________________________
> > > Sent through the dev mailing list
> > > http://nmap.org/mailman/listinfo/dev
> > > Archived at http://seclists.org/nmap-dev/
> >
> >
> >
> > --
> > Patrik Karlsson
> > http://www.cqure.net
> > http://twitter.com/nevdull77
> > http://www.linkedin.com/in/nevdull77

Attachment: ike.lua.patch
Description:

Attachment: ike-info.nse
Description:

_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/