Nmap Development mailing list archives

Re: 2006 Tool Survey Released - SecTools.Org


From: Diman Todorov <diman () xover mud at>
Date: Thu, 22 Jun 2006 14:06:06 +0200


On Jun 22, 2006, at 1:48 AM, KarMax wrote:

> On 6/21/06, Fyodor <fyodor () insecure org> wrote:
>> Yeah, I expected them to take a hit too.  But I guess the survey would
>> be pointless if we could predict everything.  Also, Nessus doesn't
>> have much open source vulnerability scanning competition right now.
>> I'd love to see that change in the next survey.
>
> Mmmm, maybe it is just the right moment to develop a new tool (there is
> a hole to be filled).

I usually don't like to parrot, but:
as I mentioned earlier, my SoC project is to add Lua scripting to
nmap.
This effectively adds the required functionality to perform exploit
tests with nmap. The exploit tests themselves are written in Lua :)

If you do think that vulnerability scans in nmap are useful, please
beta test http://xover.mud.at/~diman/nmap-4.10LUA.tar.bz2 and drop me
a few lines of feedback.
The current version has all of the functionality of the final version.
The final version will use nmap libraries instead of luasocket
for network I/O, and it will execute scripts in parallel instead of
sequentially.
The current version is not suited for large scans because of its
sequential nature, but I have already scanned /24 networks without
problems.

For installation instructions please read README_LUA in the nmap tarball.

usage:
perform all scripts in ./nmap_scripts
nmap -sC localhost

perform all scripts in some_dir
nmap --script-scan=some_dir localhost

perform all scripts in some_dir and some_script.lua
nmap --script-scan=some_dir,some_script.lua localhost

Known Bugs:
the user documentation is currently far from complete :/

example session:
Quintillian:~/SoC/scratch/diman/nmap diman$ ./nmap -sC <censored> -p 22,25,80,631,113

Starting Nmap 4.10LUA ( http://www.insecure.org/nmap/ ) at 2006-06-22 13:57 CEST
Warning: File ./nmap-services exists, but Nmap is using /usr/local/share/nmap/nmap-services for security and consistency reasons.  set NMAPDIR=. to give priority to files in your local directory (may affect the other data files too).
Interesting ports on <censored>:
PORT    STATE SERVICE SCRIPT SCAN
22/tcp  open  ssh
|                     Service owner is: root
|                     stealth sshd version: SSH-2.0-OpenSSH_3.8.1p1 Debian-8.sarge.4
25/tcp  open  smtp
|                     Service owner is: mail
|                     smtp version: 220 HET2 ESMTP Exim 3.36 #1 Thu, 22 Jun 2006 13:57:18 +0200
80/tcp  open  http
|                     Site title: Main Page - Wikipedia
|                     Service owner is: www-data
113/tcp open  auth
|                     Service owner is: nobody
631/tcp open  ipp
|                     Service owner is: root

Nmap finished: 1 IP address (1 host up) scanned in 1.316 seconds
Quintillian:~/SoC/scratch/diman/nmap diman$

example script:

socket = env.require("socket")

-- this function returns true if the script should run
-- on the currently scanned port and false otherwise
portrule = function()
        -- if identd (113/tcp) is open on this host, then the script fires
        local identd = nmap.getPortState(113, "tcp")
        if identd then
                return true
        end
        return false
end

-- this function performs the test and returns the output
action = function()
        local client_ident = socket.tcp()
        local client_service = socket.tcp()

        -- ident answers questions about an existing TCP connection,
        -- so connect to the scanned service first and ask about that
        -- connection; bail out (instead of crashing later) if either
        -- connection fails
        if not client_service:connect(host.ip, port.number) then
                client_ident:close()
                return "Service owner is: no user (service connection failed)"
        end
        if not client_ident:connect(host.ip, 113) then
                client_service:close()
                return "Service owner is: no user (identd connection failed)"
        end

        -- RFC 1413 request: "<port on the server> , <port on our side>",
        -- terminated by CRLF; our side's port comes from the service socket
        local local_ip, local_port = client_service:getsockname()
        local request = port.number .. ", " .. local_port .. "\r\n"
        client_ident:send(request)

        -- a reply looks like "22 , 54321 : USERID : UNIX : root";
        -- the user name is the last colon-separated field.
        -- receive() returns nil on error or timeout, so check before matching
        local reply = client_ident:receive()
        local owner = nil
        if reply then
                owner = env.string.match(reply, "USERID : .+ : (.+)", 1)
        end
        -- an ERROR reply (NO-USER, HIDDEN-USER, ...) also ends up here
        if owner == nil then
                owner = "no user"
        end
        owner = "Service owner is: " .. owner

        client_ident:close()
        client_service:close()

        return owner
end


_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
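The "Service owner is:" lines in the session above come from one ident (RFC 1413) request per open port. The following is an added example, not nmap project code and not the Lua script from the post, written as plain Python so the whole exchange can be run offline: it builds the request, answers it with a constructed stand-in identd (fake_identd and its owner table are made-up data), and parses both USERID and ERROR replies, which the script's single pattern folds together into "no user". The wire formats are those of RFC 1413; the function and variable names are this example's own.

```python
"""Ident (RFC 1413) exchange behind the "Service owner is:" output above.
Added example: not the nmap project's code and not the posted Lua script;
it does not use the NSE prototype's API. fake_identd is constructed data."""
import re
import socket

IDENT_PORT = 113

def build_request(server_port, client_port):
    """Port on the queried host first, then the port on our side of the same
    TCP connection (the script gets that from getsockname); CRLF-terminated."""
    return "%d , %d\r\n" % (server_port, client_port)

# "<port> , <port> : USERID : <opsys-field> : <user-id>"   or
# "<port> , <port> : ERROR : <error-type>"
_RESPONSE_RE = re.compile(
    r"^\s*(\d+)\s*,\s*(\d+)\s*:\s*(USERID|ERROR)\s*:\s*(.*)$")

def parse_response(line):
    """Parse one reply line. Unlike the pattern 'USERID : .+ : (.+)', this
    keeps the error type (NO-USER, HIDDEN-USER, INVALID-PORT, UNKNOWN-ERROR)."""
    line = line.rstrip("\r\n")
    m = _RESPONSE_RE.match(line)
    if not m:
        return {"kind": "malformed", "raw": line}
    server_port, client_port, kind, rest = m.groups()
    result = {"server_port": int(server_port), "client_port": int(client_port)}
    if kind == "ERROR":
        result.update(kind="error", error=rest.strip())
        return result
    # The user-id is the rest of the line and may itself contain ':',
    # so split only at the first ':' after the opsys field.
    opsys, _, user = rest.partition(":")
    result.update(kind="userid", opsys=opsys.strip(), user=user.strip())
    return result

def owner_line(reply, server_port, client_port):
    """Render in the format of the nmap output, refusing a USERID reply that
    echoes different ports than the ones we asked about."""
    if reply["kind"] == "userid":
        if (reply["server_port"], reply["client_port"]) != (server_port, client_port):
            return "Service owner is: unknown (reply is for other ports)"
        return "Service owner is: " + reply["user"]
    if reply["kind"] == "error":
        return "Service owner is: no user (" + reply["error"] + ")"
    return "Service owner is: unknown (unparseable reply)"

def query_owner(server_port, client_port, transport):
    """transport(request) -> reply line or None. One request, one line back,
    so a fake transport is enough to exercise the whole exchange offline."""
    reply = transport(build_request(server_port, client_port))
    if reply is None:
        return "Service owner is: unknown (no reply)"
    return owner_line(parse_response(reply), server_port, client_port)

# Constructed stand-in for the identd on the scanned host:
# server port -> (user, error-type). Not real data.
_FAKE_OWNERS = {22: ("root", None), 25: ("mail", None), 80: (None, "HIDDEN-USER")}

def fake_identd(request):
    """Server side of the exchange, answering from the table above."""
    m = re.match(r"^\s*(\d+)\s*,\s*(\d+)\s*$", request.rstrip("\r\n"))
    if not m:
        return "0 , 0 : ERROR : INVALID-PORT\r\n"
    sport, cport = int(m.group(1)), int(m.group(2))
    user, err = _FAKE_OWNERS.get(sport, (None, "NO-USER"))
    if err:
        return "%d , %d : ERROR : %s\r\n" % (sport, cport, err)
    return "%d , %d : USERID : UNIX : %s\r\n" % (sport, cport, user)

def tcp_transport(host, timeout=5.0):
    """Real transport for a live host: connect to 113/tcp, send, read one line,
    bounded so a hostile identd cannot stall or flood the scanner."""
    def send(request):
        with socket.create_connection((host, IDENT_PORT), timeout=timeout) as s:
            s.sendall(request.encode("ascii"))
            buf = b""
            while not buf.endswith(b"\n") and len(buf) < 1024:
                chunk = s.recv(256)
                if not chunk:
                    break
                buf += chunk
        return buf.decode("ascii", "replace") if buf else None
    return send

if __name__ == "__main__":
    for sport in (22, 25, 80, 631):
        print(sport, query_owner(sport, 54321, fake_identd))
```

Against a live host, tcp_transport needs the client port taken from an already-open connection to the service being asked about, exactly as the script does with getsockname; the timeout and the 1024-byte read cap are the two things the posted script does not have and that matter once the scan is run against hosts you do not control.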

