Nmap Development mailing list archives
Re: [NSE] ntp-info probing logic?
From: nnposter () users sourceforge net
Date: Tue, 26 Aug 2014 21:04:25 +0000
Daniel Miller wrote:
I'd appreciate your feedback if you find anything else wrong here. I simply changed the version in the packet, so I may have ended up with a weird mix of version 2 and version 4 fields, but I don't know since the payloads are not well documented in the script (a future TODO item, I'm sure!).
The payload looks fine to me. Also, I have run both the original version (with my proposed modification) and this new version against a hodgepodge of about 1,700 NTP-enabled targets. With respect to the timestamp there was no difference. Each target either responded to both or neither.
I also changed the quoted-string parsing in r33608, so we can now handle escaped quotes within a value. It seems to work fine for me here.
There seem to be two issues here:

* Some assignments have zero-length values, such as foo=, bar=blah. Cisco is one of the culprits. The old script handles this well but the LPEG parser does not. (FWIW, the NTP dissector in Wireshark does not handle this case gracefully either. I have submitted a defect.)

* Some items are not assignments but merely identifiers (in the NTP vocabulary). The actual data field looks like foo=blah, bar, baz=blah. (Note the absence of assignment for "bar".) HP-UX and Alcatel-Lucent OmniPCX are some of the culprits. Neither version of the script can cope with these.

I am proposing the patch below to address both issues. The patch does not distinguish between these two cases. They are both processed as assignments with zero-length values. (Making this distinction would require changes to the script output so I did not pursue it.)

In addition, the patch enlarges the alphabet for keys/identifiers to align it more closely with the RFC (by adding ".") and Wireshark (by adding "-").

Cheers,
nnposter

Patch against revision 33612 follows:

--- scripts/ntp-info.nse.orig 2014-08-25 18:22:16.000000000 -0600 +++ scripts/ntp-info.nse 2014-08-26 13:42:47.423975800 -0600 @@ -75,9 +75,9 @@ -- comma-space-separated key=value pairs with optional quotes local kvmatch = U.localize( { lpeg.V "space"^0 * lpeg.V "kv" * lpeg.P(",")^-1, - kv = lpeg.V "key" * "=" * lpeg.V "value", - key = lpeg.C( (lpeg.V "alnum" + "_")^1 ), - value = U.escaped_quote() + lpeg.C((lpeg.P(1) - ",")^1), + kv = lpeg.V "key" * lpeg.P("=")^-1 * lpeg.V "value", + key = lpeg.C( (lpeg.V "alnum" + "_" + "-" + ".")^1 ), + value = U.escaped_quote() + lpeg.C((lpeg.P(1) - ",")^0), } ) action = function(host, port)

_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
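Review bot: the unchanged context line "-- comma-space-separated key=value pairs with optional quotes" no longer describes what kvmatch accepts once the "=" is made optional (lpeg.P("=")^-1) and the unquoted value is allowed to be empty ((lpeg.P(1) - ",")^0); update the comment to say that a bare identifier and an empty assignment are both captured as a key with a zero-length value, since the cover note states that the two cases are deliberately not distinguished in the output. Also worth a comment in the same hunk: with ^0 the unquoted branch of "value" can never fail, so every key now yields a capture, possibly "", and whatever consumes kvmatch must tolerate a zero-length string where the old grammar guaranteed at least one character.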
Current thread:
- Re: [NSE] ntp-info probing logic? nnposter (Aug 07)
- Re: [NSE] ntp-info probing logic? Daniel Miller (Aug 20)
- Re: [NSE] ntp-info probing logic? nnposter (Aug 22)
- Re: [NSE] ntp-info probing logic? Daniel Miller (Aug 23)
- Re: [NSE] ntp-info probing logic? nnposter (Aug 26)
- Re: [NSE] ntp-info probing logic? nnposter (Aug 22)
- Re: [NSE] ntp-info probing logic? Daniel Miller (Aug 20)