Nmap Development mailing list archives

Re: Summer of Code Script Ideas


From: Brandon Enright <bmenrigh () ucsd edu>
Date: Thu, 27 Mar 2008 00:22:00 +0000


Hi Nelson,

I think this post gets down to an underlying need for solid math and
cryptographic routines in order to interact with many network protocols.

I do most of my network work in perl and I regularly find myself doing
at least one of:

use Crypt::OpenSSL::Bignum;
use Digest::MD5 qw(md5);
use Digest::HMAC qw(hmac);
use Crypt::Random qw(makerandom);
use String::CRC;

Now I don't know if lacking these routines is really holding up any
script writing, but at some point it is going to.  I don't know
enough about how IPSEC/IKE is implemented to know if large numbers and
crypto routines are needed or not but I suspect that they are.

Since the focus of NSE is manipulating networking protocols, I suspect
most script writers find themselves searching for the same things.
Here is a list of questions I suspect many had or still have:

* How does one manipulate binary strings in Lua?  Can "\x00" be done?
How about for octal and decimal?

* How does one easily go from network byte to host byte order?  Does it
even matter?  If I have the string "\x00\x80" how do I turn that into
the number -32768?

* Is there the equivalent of perl's pack() and unpack() routines?

* Is a C-like byte array preferred to a perl-like packed scalar?


It would really be neat to see a SoC project put together "A network
and protocol hacker's guide to NSE/Lua".  This could be a series of Lua
FAQs like the one above and sample scripts that demonstrate techniques
and how to do things in Lua.

The Lua documentation is out there for this sort of thing but it isn't
targeted at any one task.  A documentation roundup with a focus on bits
and bytes on the network would be really valuable.

Brandon
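
Added example (not part of this thread or of Nmap's own code): one way to answer the four questions above with standard Lua 5.3+ string.pack/string.unpack, assuming Lua 5.3 or later as current NSE ships; the message layout it builds is constructed for the example, not a real protocol.

```lua
-- Added example (not from the thread): the byte-string questions above
-- answered with Lua 5.3+ string.pack / string.unpack (assumed available);
-- the message layout below is constructed for the example.

-- 1. Binary strings: Lua escapes are "\xHH" (hex, Lua 5.2+) or "\ddd"
--    (DECIMAL, not octal as in C/Perl); "\0", "\000" and "\x00" are all NUL.
local hex = "\x00\x80"
local dec = "\0\128"
assert(hex == dec and #hex == 2)

-- 2. Byte order: the same two bytes give different numbers when read as
--    network order (big-endian, ">") or little-endian ("<"); "h"/"H" = signed/unsigned 16-bit.
local be_signed   = string.unpack(">h", hex)   -- 128
local le_signed   = string.unpack("<h", hex)   -- -32768
local be_unsigned = string.unpack(">H", hex)   -- 128
local le_unsigned = string.unpack("<H", hex)   -- 32768
print(be_signed, le_signed, be_unsigned, le_unsigned)

-- 3. pack()/unpack() equivalents: build a small header and parse it back.
--    Layout: u8 type, u8 flags, u16 total length, u32 sequence number, all
--    network order, then a payload with a 2-byte length prefix ("s2").
local FMT = ">BBI2I4s2"

local function build(msg_type, flags, seq, payload)
  local total = 1 + 1 + 2 + 4 + 2 + #payload
  return string.pack(FMT, msg_type, flags, total, seq, payload)
end

local function parse(buf)
  -- string.unpack raises on a short buffer, so a parser fed network data
  -- should wrap it in pcall rather than let the script die
  local ok, msg_type, flags, len, seq, payload, nextpos = pcall(string.unpack, FMT, buf)
  if not ok then return nil, "truncated message: " .. tostring(msg_type) end
  if nextpos - 1 ~= len then return nil, "length field disagrees with bytes consumed" end
  return { type = msg_type, flags = flags, seq = seq, payload = payload }
end

local wire = build(1, 0x80, 7, "hello")
assert(#wire == 15)
local m = assert(parse(wire))
assert(m.type == 1 and m.flags == 0x80 and m.seq == 7 and m.payload == "hello")
assert(parse(wire:sub(1, 12)) == nil)                              -- payload cut short
assert(parse(wire:sub(1, 2) .. "\x00\x63" .. wire:sub(5)) == nil)  -- bogus length (99)

-- 4. Byte array vs packed scalar: a Lua string is an immutable byte sequence;
--    to patch single bytes, expand it to a table and rebuild with string.char.
local bytes = { string.byte(wire, 1, -1) }
bytes[2] = 0x01                                  -- overwrite the flags byte
local patched = string.char(table.unpack(bytes))
assert(parse(patched).flags == 1)
```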


On Wed, 26 Mar 2008 16:31:56 -0500
Nelson <komseh () gmail com> wrote:

I'd like to see a script that attempts to fingerprint VPN devices
based on their handshake and vendor ID responses from the IKE
service (port 500/udp). As we all know it is difficult to identify
most UDP service ports as "open", so this service often goes
unnoticed in pentests.  I would even be happy with a script that
confirms that an IKE service is responding on the host.  Here are
some responses from common VPN devices:
http://www.nta-monitor.com/wiki/index.php/IKE_Implementation_Analysis

I'm also interested in a script that would identify if a DNS server is
vulnerable to cache snooping.  I also second the ideas for
SMB/Netbios and SNMP.

On Fri, Mar 21, 2008 at 1:11 AM, Z <shasbot () gmail com> wrote:


Hey, I am planning on applying to Nmap's summer of code project,
specifically to develop NSE scripts. I was wondering what scripts
people would find useful that are not currently out there, so I
figure this would be a good place to get in touch with. I will
likely ask around on some ethical hacking forums and the like too,
just checking around to see what the demand is from the users.


_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org