Nmap Development mailing list archives
Idea: ssh-netstat.nse and adding columns to output
From: Jacek Wielemborek <d33tah () gmail com>
Date: Sun, 28 Sep 2014 14:06:31 +0200
List,

I recently had this thought that it should be relatively easy to implement an OS-specific local-netstat.nse that would just run "netstat -l", see what ports should be open and compare it to the results of scanning one of the local IPs in order to test for rootkits/learn firewall rules. This could also be implemented using the new SSH library and thus make it a remote script as well (I can see that there's already a similar script for SNMP).

And then I thought of how I would expect the output to look, and I realized that we could use a new piece of output functionality for that. What I'm thinking about is a way to add a new column to the port scanning output, so instead of:

PORT     STATE SERVICE
22/tcp   open  ssh
25/tcp   open  smtp
111/tcp  open  rpcbind
631/tcp  open  ipp
9050/tcp open  tor-socks

Host script results:
| local-netstat.nse:
|_tcp  0 0 0.0.0.0:111       0.0.0.0:* LISTEN
|_tcp  0 0 192.168.121.1:53  0.0.0.0:* LISTEN
|_tcp  0 0 192.168.122.1:53  0.0.0.0:* LISTEN
|_tcp  0 0 0.0.0.0:22        0.0.0.0:* LISTEN
|_tcp  0 0 127.0.0.1:631     0.0.0.0:* LISTEN
|_tcp  0 0 127.0.0.1:25      0.0.0.0:* LISTEN
|_tcp  0 0 127.0.0.1:9050    0.0.0.0:* LISTEN
|_tcp  0 0 127.0.0.1:2812    0.0.0.0:* LISTEN
|_tcp6 0 0 :::111            :::*      LISTEN
|_tcp6 0 0 ::1:631           :::*      LISTEN

we could switch to:

PORT     STATE  SERVICE   NETSTAT
22/tcp   open   ssh
25/tcp   open   smtp
111/tcp  open   rpcbind
631/tcp  open   ipp
2812/tcp closed atmtcp    open
9050/tcp open   tor-socks

Of course one could argue that in this particular case it would be better to just change local-netstat.nse's output to just mention the differences, but still there are quite a lot of cases (version detection?) where this feature could be useful.

So, what do you think?

Jacek
Attachment:
signature.asc
Description: OpenPGP digital signature
_______________________________________________ Sent through the dev mailing list http://nmap.org/mailman/listinfo/dev Archived at http://seclists.org/nmap-dev/
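The comparison the post sketches (local "netstat -l" listeners versus a scan of one of the host's own addresses, with discrepancies flagged as firewall rules or sockets hidden from netstat) as an added, stand-alone Python example. It is not code from the post, nor an NSE script, nor anything from the Nmap project; the netstat and nmap XML inputs are constructed samples embedded below (Linux net-tools `netstat -lnt` layout and the `-oX` format). Assumptions, marked in comments: a socket bound to `::` is dual-stack and also accepts IPv4, and a port absent from the XML belongs to Nmap's closed/filtered "extraports" group.

```python
"""Diff a host's own TCP listeners (netstat -lnt) against an Nmap scan of one
of its addresses.  Added example for the idea in the post above; not Nmap code."""
import ipaddress
import re
import xml.etree.ElementTree as ET

# Constructed sample of Linux `netstat -lnt` output (not a real capture).
NETSTAT_SAMPLE = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN
tcp        0      0 192.168.121.1:53        0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:2812          0.0.0.0:*               LISTEN
tcp6       0      0 :::111                  :::*                    LISTEN
tcp6       0      0 ::1:631                 :::*                    LISTEN
"""

# Constructed, trimmed sample of `nmap -oX - 127.0.0.1` output.  Port 4444 is
# deliberately open on the wire but absent from the netstat sample above.
NMAP_XML_SAMPLE = """\
<nmaprun>
 <host><address addr="127.0.0.1" addrtype="ipv4"/>
  <ports>
   <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
   <port protocol="tcp" portid="111"><state state="open"/><service name="rpcbind"/></port>
   <port protocol="tcp" portid="631"><state state="open"/><service name="ipp"/></port>
   <port protocol="tcp" portid="2812"><state state="closed"/><service name="atmtcp"/></port>
   <port protocol="tcp" portid="4444"><state state="open"/></port>
  </ports>
 </host>
</nmaprun>
"""

# proto, recv-q, send-q, local addr:port, foreign addr, LISTEN
NETSTAT_RE = re.compile(r"^(tcp6?)\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+LISTEN", re.M)


def parse_netstat(text):
    """Return {port: set(bind_addresses)} for every LISTEN-state TCP socket."""
    listeners = {}
    for _proto, addr, port in NETSTAT_RE.findall(text):
        listeners.setdefault(int(port), set()).add(addr)
    return listeners


def parse_nmap_xml(xml_text):
    """Return (target_address, {port: (state, service_name)}) for the first host."""
    host = ET.fromstring(xml_text).find("host")
    target = host.find("address").get("addr")
    ports = {}
    for p in host.find("ports").findall("port"):
        if p.get("protocol") != "tcp":
            continue
        svc = p.find("service")
        name = svc.get("name") if svc is not None else ""
        ports[int(p.get("portid"))] = (p.find("state").get("state"), name)
    return target, ports


def reachable_from(bind_addr, target):
    """True if a socket bound to bind_addr would accept a connection to target.
    Assumption: '::' is a dual-stack wildcard that also serves IPv4 (Linux default)."""
    b, t = ipaddress.ip_address(bind_addr), ipaddress.ip_address(target)
    if b.is_unspecified:
        return b.version == 6 or t.version == 4
    return b == t


def compare(netstat_text, nmap_xml):
    """Build rows (port, scan_state, service, netstat_view, note), one per port
    seen by either side.  Assumption: ports missing from the XML are 'closed'."""
    target, scanned = parse_nmap_xml(nmap_xml)
    listeners = parse_netstat(netstat_text)
    rows = []
    for port in sorted(set(scanned) | set(listeners)):
        state, service = scanned.get(port, ("closed", ""))
        binds = listeners.get(port, set())
        if any(reachable_from(b, target) for b in binds):
            local = "open"
        elif binds:
            local = "other-addr"   # listening, but only on an address we did not scan
        else:
            local = "closed"
        if state == "open" and local == "closed":
            note = "open on the wire but hidden from netstat (rootkit?)"
        elif state != "open" and local == "open":
            note = "listening but not reachable (firewall?)"
        else:
            note = "ok"
        rows.append((port, state, service, local, note))
    return rows


def render(rows):
    """Format rows like the extra NETSTAT column proposed in the post."""
    out = ["PORT      STATE   SERVICE   NETSTAT     NOTE"]
    for port, state, service, local, note in rows:
        out.append(f"{port}/tcp".ljust(10) + state.ljust(8) + service.ljust(10)
                   + local.ljust(12) + note)
    return "\n".join(out)


if __name__ == "__main__":
    print(render(compare(NETSTAT_SAMPLE, NMAP_XML_SAMPLE)))
```

Run against real data by replacing the two samples with the output of `netstat -lnt` on the host and `nmap -oX - <one of its addresses>`; the two interesting verdicts are a port Nmap sees open that netstat does not list (netstat or the kernel socket table may be hooked) and a listener that the scan reports closed or filtered (a local firewall rule). Sockets bound only to an address you did not scan are reported as `other-addr` rather than as discrepancies.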