Nmap Development mailing list archives
Re: Nmap Online
From: David Matousek <david () matousec com>
Date: Thu, 30 Nov 2006 11:00:01 +0100
I see, --interactive is now forbidden, but even when it was not, there was no how to insert anything on the standard input of the Nmap process. The website interface offers no interface for this and shell commands injections were and are forbidden. Hans Nilsson wrote:
2. I just ment that through the --interactive mode you can normally execute shell commands. (But as you said, it's not an issue on your site.) On Wed, 29 Nov 2006 19:22:14 +0100, "David Matousek" <david () matousec com> said:Hello, 1) Thanks for --interactive, will be added. It is not a problem even now, because such Nmap session would be killed after timeouted. But of course, it is better to add it. 2) You can not execute shell-commands (erm :) you should not be able to). 3) You can scan local network but the machine firewall will show you nothing. Maybe also a good idea to add to filter just to save a few ticks of processor time. Thanks! -- David Matousek Founder and Chief Representative of Matousec - Transparent security http://www.matousec.com/ Ron Bowes wrote: > Hans Nilsson wrote: >> That might be prudent. I noticed that the --interactive flag doesn't >> seem to be blacklisted and you can execute shell-commands from there and >> everything. But it might not be an issue. > > I'm not sure if you can send commands with --interactive, but you're > right, it seems dangerous. > > Another idea -- don't allow people to scan the local network > (192.168.0.0/24). Just a suggestion :) > > _______________________________________________ > Sent through the nmap-dev mailing list > http://cgi.insecure.org/mailman/listinfo/nmap-dev > Archived at http://SecLists.Org > >
-- David Matousek Founder and Chief Representative of Matousec - Transparent security http://www.matousec.com/ _______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://SecLists.Org
Current thread:
- Nmap Online David Matousek (Nov 28)
- Re: Nmap Online Hans Nilsson (Nov 28)
- Re: Nmap Online Diman Todorov (Nov 28)
- Re: Nmap Online Ron Bowes (Nov 28)
- Re: Nmap Online Hans Nilsson (Nov 29)
- Re: Nmap Online Ron Bowes (Nov 29)
- Re: Nmap Online David Matousek (Nov 29)
- Re: Nmap Online Ron Bowes (Nov 29)
- Re: Nmap Online David Matousek (Nov 30)
- Re: Nmap Online Hans Nilsson (Nov 30)
- Re: Nmap Online David Matousek (Nov 30)
- Re: Nmap Online Hans Nilsson (Nov 29)
- Re: Nmap Online Hans Nilsson (Nov 28)