Re: NSE script targets-ipv6-multicast-mld.nse patched to include OS detection

[Alexandru Geana <alex () alegen net>]

Hello devs,

I finished a new version of these patches. The fingerprint-* script does
not depend on the target-* script anymore, but instead there is a
library called multicast.lua which contains the code for sending the MLD
queries. The function which sends the packets is thread safe and may be
called by multiple scripts at the same time.

The responses are cached such that subsequent calls do not generate extra
traffic. Furthermore, I also added the function which extract IPs from
the MLD reports.

I am open to further suggestions for improvements!

Best regards,
Alexandru Geana
alegen.net

On 05/18, Alexandru Geana wrote:
> Hello devs,
>
> After some discussions, it was decided that some changes were needed for
> this patch. Below is a description of this version of the patch against
> the current codebase:
>
> 1) The bug in targets-ipv6-multicast-mld.nse script has been fixed and
> now the script sends the mld query to the correct address. Furthermore,
> it contains additional code which can parse MLD v1 and v2 reports and
> extract multicast addresses. These addresses are place in the nmap
> registry for other scripts to use.
>
> 2) A new script called fingerprint-ipv6-multicast-mld.nse was created
> which attempts to guess what operating system a host is running based on
> the multicast addresses it listens to. The multicast addresses are taken
> from the registry and this script is supposed to be used together with
> the targets-ipv6-multicast-mld.nse script.
>
> 3) I added a new generic utility function to ipOps.lua which takes one
> unicast link-local ip address and returns the solicited node multicast
> address.
>
> Let me know what you think!
>
> Best regards,
> Alexandru Geana
> alegen.net
>
> On 04/29, Alexandru Geana wrote:
> > Hello devs,
> >
> > Attached to this email I am sending a patch which modifies the
> > targets-ipv6-multicast-mld.nse script to guess the operating systems of
> > detected hosts based on the multicast addresses present in the MLD
> > reports. It is able to distinguish between different versions of
> > Windows and specific Linux distros. The reason is that by default
> > different OSes are listening on different IPv6 multicast addresses.
> >
> > I also managed to fix a bug where the script would send MLD queries with
> > multiple addresses (including global unicast IPv6 and IPv4).
> > Furthermore, I changed the maximum response delay from 0 to 1
> > millisecond, since the former resulted in a crash of the TCP/IP stack of
> > virtualbox when executing the script inside the guest.
> >
> > For convenience I am also attaching a new version of the script next to
> > the diff so that it is easier to read.
> >
> > Let me know what you think and if anyone knows any other multicast
> > addresses for other OSes, they are more than welcome.
> >
> > Sample output tested on a Windows 10 host:
> >  Pre-scan script results:
> >  | targets-ipv6-multicast-mld:
> >  |
> >  |   IP: fe80::8904:847b:f736:760d           MAC: 08:00:27:be:80:d0  IFACE: eth0
> >  |   Host reported the following addresses:
> >  |       ff02::1:ff36:760d
> >  |       ff02::fb
> >  |       ff02::1:3
> >  |       ff02::c
> >  |   OS scores (max. 100):
> >  |       Microsoft Windows 10      100
> >  |       Microsoft Windows 7       50
> >  |       Microsoft Windows 8.1     50
> >  |       Ubuntu                    25
> >  |
> >  |_  Use --script-args=newtargets to add the results as targets
> >
> > Best regards,
> > Alexandru Geana
> > alegen.net

Attachment: ipOps.lua.diff
Description:

Attachment: targets-ipv6-multicast-mld.nse.diff
Description:

Attachment: multicast.lua
Description:

Attachment: fingerprint-ipv6-multicast-mld.nse
Description:

Attachment: signature.asc
Description: Digital signature

_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/