Nmap Development mailing list archives

Re: [NSE] ntp-info probing logic?


From: nnposter () users sourceforge net
Date: Tue, 26 Aug 2014 21:04:25 +0000

Daniel Miller wrote:
I'd appreciate your feedback if you find anything else wrong here. I simply
changed the version in the packet, so I may have ended up with a weird mix
of version 2 and version 4 fields, but I don't know since the payloads are
not well documented in the script (a future TODO item, I'm sure!).

The payload looks fine to me. Also, I have run both the original
version (with my proposed modification) and this new version against
a hodgepodge of about 1,700 NTP-enabled targets. With respect to the
timestamp there was no difference. Each target either responded to both
or neither.

I also changed the quoted-string parsing in r33608, so we can now
handle escaped quotes within a value. It seems to work fine for me here.

There seem to be two issues here:

* Some assignments have zero-length values, such as foo=, bar=blah.
Cisco is one of the culprits. The old script handles this well but
the LPEG parser does not. (FWIW, the NTP dissector in Wireshark does
not handle this case gracefully either. I have submitted a defect.)

* Some items are not assignments but merely identifiers (in the NTP
vocabulary). The actual data field looks like foo=blah, bar, baz=blah.
(Note the absence of assignment for "bar".) HP-UX and Alcatel-Lucent
OmniPCX are some of the culprits. Neither version of the script can
cope with these.

I am proposing the patch below to address both issues. The patch does
not distinguish between these two cases. They are both processed as
assignments with zero-length values. (Making this distinction would
require changes to the script output so I did not pursue it.)

In addition, the patch enlarges the alphabet for keys/identifiers to
align it more closely with the RFC (by adding ".") and Wireshark (by
adding "-").


Cheers,
nnposter


Patch against revision 33612 follows:

--- scripts/ntp-info.nse.orig        2014-08-25 18:22:16.000000000 -0600
+++ scripts/ntp-info.nse        2014-08-26 13:42:47.423975800 -0600
@@ -75,9 +75,9 @@
 -- comma-space-separated key=value pairs with optional quotes
 local kvmatch = U.localize( {
     lpeg.V "space"^0 * lpeg.V "kv" * lpeg.P(",")^-1,
-    kv = lpeg.V "key" * "=" * lpeg.V "value",
-    key = lpeg.C( (lpeg.V "alnum" + "_")^1 ),
-    value = U.escaped_quote() + lpeg.C((lpeg.P(1) - ",")^1),
+    kv = lpeg.V "key" * lpeg.P("=")^-1 * lpeg.V "value",
+    key = lpeg.C( (lpeg.V "alnum" + "_" + "-" + ".")^1 ),
+    value = U.escaped_quote() + lpeg.C((lpeg.P(1) - ",")^0),
   } )

 action = function(host, port)
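Review bot: the comment kept above the grammar (`-- comma-space-separated key=value pairs with optional quotes`) no longer describes what the grammar accepts, because `lpeg.P("=")^-1` makes the equals sign optional and `lpeg.C((lpeg.P(1) - ",")^0)` lets the value be empty; update it to say that an item is `key[=value]`, that a bare identifier is reported as a key with an empty value, and that keys may now contain `.` and `-`, so a later reader does not tighten the pattern back. One behavioural consequence worth a comment in the same place: since `value` can match nothing and `key` requires at least one character, the outer repetition still makes progress on every item, but any character outside the key alphabet that follows a bare identifier before the comma (a trailing space, for instance) is captured as that identifier's value rather than being skipped.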
_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
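As an added example, not part of the thread or of the ntp-info script, the following Python parser mirrors the patched LPEG grammar (optional "=", possibly empty unquoted value, quoted value with backslash-escaped quotes, key alphabet extended with "." and "-") so the two reported cases can be checked outside Nmap. The function name and the sample variable lists are constructed for illustration.

```python
import re

# Key alphabet from the patch: alphanumerics plus "_", "-" and "."
KEY_RE = re.compile(r"[A-Za-z0-9_.\-]+")


def parse_ntp_vars(data):
    """Parse an NTP mode 6 variable list into a list of (key, value) pairs.

    Mirrors the patched grammar: items are comma separated (optional
    whitespace before each), an item is key[=][value], a value is either a
    double-quoted string with backslash-escaped quotes or any run of
    characters up to the next comma, possibly empty.  A bare identifier is
    therefore reported as a key with an empty value, as the patch does.
    """
    items = []
    i, n = 0, len(data)
    while i < n:
        while i < n and data[i].isspace():   # "space"^0
            i += 1
        if i >= n:
            break
        m = KEY_RE.match(data, i)            # "key" (must be non-empty)
        if not m:
            raise ValueError("bad key at offset %d: %r" % (i, data[i:i + 10]))
        key, i = m.group(0), m.end()
        if i < n and data[i] == "=":         # "=" is optional
            i += 1
        if i < n and data[i] == '"':         # quoted value, escapes allowed
            i += 1
            buf = []
            while i < n and data[i] != '"':
                if data[i] == "\\" and i + 1 < n:
                    i += 1                   # keep the escaped character
                buf.append(data[i])
                i += 1
            if i >= n:
                raise ValueError("unterminated quoted value for %r" % key)
            i += 1                           # closing quote
            value = "".join(buf)
        else:                                # unquoted, may be empty
            j = data.find(",", i)
            j = n if j < 0 else j
            value, i = data[i:j], j
        if i < n and data[i] == ",":         # ","^-1
            i += 1
        items.append((key, value))
    return items
```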