Nmap Development mailing list archives
[PATCH]+[NSE Script] DNS open recursion (CVE-1999-0024)
From: Felix Groebert <felix () groebert org>
Date: Fri, 18 Aug 2006 16:26:02 +0200
Hi,

I just finished an NSE script to test whether a nameserver resolves a query recursively. I ran into some problems writing the NSE script, mainly due to my lack of experience with Lua. I patched NSE 4.20ALPHA4 with a patch from the lua-users mailing list to support bitwise operations. I did not review the license (probably the same as Lua) or the security of the patch [3]. The dns-test-open-recursion.lua script requires the patch. See [1] for patches and downloads.

Some thoughts on NSE:

- Maybe I missed something in the Lua docs, but the best way I found to construct binary packets using hexadecimal values was string.char(0x04, 0x05). An API function which produces a binary string from a hexdump like "AC 1D DE AD" might be handy. Also, API functions for debugging messages and bitwise operations would be nice.
- The script-trace option needs support for unprintable characters. I would suggest a mixed output like "ACID\xba\xbe\x01" instead of the dual hex-ASCII output seen in hexdump.
- A references Lua table for CVE, BID, YATID, OSVDBID might be good. Full bug descriptions, like in nasl files, are redundant information for most nmap hackers (;
- Filename naming guidelines
- NSE is a very cool feature, I really like it <:

Some questions:

- Is it possible to generate Lua from Perl or Python? Although this would not help with socket operations, it might help some developers get started with Lua and string operations.
- I am currently hacking fpdns.pl [2] to output its database and an NSE script using the database. "fpdns.pl is a program that remotely determines DNS server versions. It does this by sending a series of borderline DNS queries which are compared against a table of responses and server versions." I must admit that I am not quite sure if this is wanted. On the one hand -sV supports nameserver version detection, but on the other hand the fpdns detection is also very good. Unix tradition shows that many good tools do a good job. I also do not want nmap to `eat` the fpdns project or NSE to `eat` the nmap service detection. Any advice?

[1] http://groebert.org/felix/pub/nmap/nmap-4.20ALPHA4-NSE-bitops.patch
    http://groebert.org/felix/pub/nmap/dns-test-open-recursion.lua
    http://groebert.org/felix/pub/nmap/
[2] http://www.rfc.se/fpdns/
[3] http://lua-users.org/lists/lua-l/2006-06/msg00350.html
    http://lua-users.org/lists/lua-l/2006-06/gzvGlPinly6j.gz

Cheers,
--
Felix Groebert <> groebert.org/felix <> GPG key: 6556DA11

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
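The open-recursion check the mail's script performs, shown here as an added stand-alone Python example (it is neither Felix's Lua script nor Nmap code): build a DNS query with the RD bit set, then classify a reply by its RA flag and rcode. The hexdump_to_bytes helper is the "AC 1D DE AD" convenience the mail asks for, and the sample responses are constructed byte strings, not captured traffic.

```python
import socket
import struct

def hexdump_to_bytes(dump):
    """Turn a hexdump-style string such as "AC 1D DE AD" into raw bytes."""
    return bytes.fromhex(dump.replace(" ", ""))

def build_query(name, txid=0x1234):
    """Build a DNS A/IN query for `name` with RD (recursion desired) set."""
    flags = 0x0100  # QR=0, opcode=QUERY, RD=1
    # Header: id, flags, qdcount, ancount, nscount, arcount (all big-endian)
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def classify_response(resp, txid=0x1234):
    """Classify a raw DNS reply: 'open-recursion', 'ra-set-error',
    'no-recursion' or 'invalid' (bad length, wrong id, QR not set)."""
    if len(resp) < 12:
        return "invalid"
    rid, flags = struct.unpack("!HH", resp[:4])
    if rid != txid or not flags & 0x8000:
        return "invalid"
    ra = bool(flags & 0x0080)   # RA: server offers recursion
    rcode = flags & 0x000F      # 0 = NOERROR, 5 = REFUSED, ...
    if ra and rcode == 0:
        return "open-recursion"
    if ra:
        return "ra-set-error"   # recursive, but the lookup itself failed
    return "no-recursion"

def probe(server, name="example.com", timeout=2.0):
    """Send the query over UDP/53 and classify the reply (needs network)."""
    q = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        data, _ = s.recvfrom(512)
    return classify_response(data)

# Constructed replies: flags 0x8180 = QR,RD,RA,NOERROR with one answer;
# flags 0x8105 = QR,RD, RA clear, rcode REFUSED, no answers.
SAMPLE_OPEN = hexdump_to_bytes("12 34 81 80 00 01 00 01 00 00 00 00")
SAMPLE_REFUSED = hexdump_to_bytes("12 34 81 05 00 01 00 00 00 00 00 00")
```

Run probe() only against resolvers you operate; a server classified as "open-recursion" should be restricted to its intended clients.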