Nmap Development mailing list archives

Re: [NSE] NTP info gathering script...


From: Richard Sammet <richard.sammet () googlemail com>
Date: Mon, 14 Dec 2009 18:55:31 +0100

Hi David,

On Sun, Dec 13, 2009 at 12:46 AM, David Fifield <david () bamsoftware com> wrote:
...
* As a consequence of the above, short timeouts are no longer required,
 so I removed the timeout code to just use the defaults.
...

well, it looks like this was a bad idea ;) I performed some extensive
tests with the version you checked in to the trunk and I noted that
the script now "blocks" the whole scan if no data is returned by the
ntp server while waiting for the default timeout value which is -
obviously - too long.

The benchmarks:

command and options: ./nmap -sU -p 123 --script=ntp-info
XXX.XXX.72.0/24 XXX.XXX.12.0/24 --open -n -T5 --max-hostgroup 128
--max-retries 1 -vvv -PN

Script with default timeouts (version from trunk):

result: Two NTP services identified and fingerprinted.

123/udp open  ntp
|_ntp-info: receive time stamp: Mon Dec 14 18:33:59 2009
...
123/udp open  ntp
| ntp-info:
|   receive time stamp: Mon Dec 14 18:18:51 2009
|   version: ntpd 4.2.4p4@1.1520-o Wed May 13 21:06:31 UTC 2009 (1)
|   processor: x86_64
|   system: Linux/2.6.24-24-server
...
Nmap done: 512 IP addresses (512 hosts up) scanned in 1640.67 seconds
           Raw packets sent: 1021 (77.596KB) | Rcvd: 22 (1608B)



Script with modified timeouts:

result: Two NTP services identified and fingerprinted (same as above).

123/udp open  ntp
|_ntp-info: receive time stamp: Mon Dec 14 18:06:32 2009
...
123/udp open  ntp
| ntp-info:
|   receive time stamp: Mon Dec 14 18:05:56 2009
|   version: ntpd 4.2.4p4@1.1520-o Wed May 13 21:06:31 UTC 2009 (1)
|   processor: x86_64
|   system: Linux/2.6.24-24-server
...
Nmap done: 512 IP addresses (512 hosts up) scanned in 65.72 seconds
           Raw packets sent: 1020 (77.520KB) | Rcvd: 18 (1232B)


Well, a quick look at the total scan time shows the huge difference:
1640.67 seconds (with default timeout) vs. 65.72 seconds (with timeout
respecting the global timeout settings)

Please find the patched version attached.


Greetings,
Richard

Attachment: ntp-info.nse

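The message above reports that a UDP script which waits for the socket's default timeout stalls the scan on every non-responding host, and that tying the receive timeout to the scan's timing template brought the run from 1640 seconds down to 66. The following NSE-style script is an added example illustrating that pattern; it is not the attached ntp-info.nse and not Nmap project code. It assumes the current NSE API (nmap.new_socket, socket:set_timeout in milliseconds, nmap.timing_level, Lua 5.4 string.unpack), and the per-level timeout table is a constructed assumption, not Nmap's own constants. The probe is a plain 48-byte NTP client request, and the reported value is the server's receive timestamp, which sits at byte offset 32 of the reply and counts seconds from 1900.

```lua
-- Added example, not the attached ntp-info.nse and not Nmap project code.
-- Shows a UDP probe whose receive timeout follows Nmap's -T timing level
-- instead of the socket default. Assumes the modern NSE API (Lua 5.4).
local nmap = require "nmap"
local shortport = require "shortport"
local string = require "string"
local os = require "os"

description = [[
Sends one NTP client request and reports the server's receive timestamp,
giving up after a timeout derived from the -T timing level so that silent
hosts do not hold the whole scan for the default socket timeout.
]]
author = "Added example (hypothetical author)"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"discovery", "safe"}

portrule = shortport.port_or_service(123, "ntp", "udp")

-- Timeouts in milliseconds per timing level (-T0 .. -T5).
-- Constructed values for this example, not Nmap's own constants.
local TIMEOUT_BY_LEVEL = {
  [0] = 30000, [1] = 15000, [2] = 7000, [3] = 5000, [4] = 2000, [5] = 1000,
}

-- Pick the socket timeout for this run from the timing level. With a fixed
-- multi-second default, every non-responding host stalls the script for the
-- full default; with a level-derived value the stall shrinks with -T.
local function probe_timeout()
  return TIMEOUT_BY_LEVEL[nmap.timing_level()] or 5000
end

-- Minimal 48-byte NTPv3 client request: LI=0, VN=3, Mode=3, everything
-- else zero. 0x1b encodes those three header fields in the first byte.
local function ntp_request()
  return string.char(0x1b) .. string.rep("\0", 47)
end

-- The receive timestamp (server clock when the request arrived) is the
-- 64-bit NTP timestamp at byte offset 32. Its high 32 bits are seconds
-- since 1900-01-01; subtract 2208988800 to get a Unix time.
local function parse_receive_time(data)
  if not data or #data < 48 then
    return nil
  end
  local secs = string.unpack(">I4", data, 33)
  return secs - 2208988800
end

action = function(host, port)
  local sock = nmap.new_socket()
  sock:set_timeout(probe_timeout())

  local status = sock:connect(host, port, "udp")
  if not status then
    return nil
  end

  sock:send(ntp_request())
  local rstatus, data = sock:receive()
  sock:close()

  -- A timeout or error means no answer; return nothing and let the
  -- scan move on instead of waiting for the socket default.
  if not rstatus then
    return nil
  end

  local t = parse_receive_time(data)
  if not t then
    return nil
  end

  -- A parseable reply proves the service is there on this UDP port.
  nmap.set_port_state(host, port, "open")
  return "receive time stamp: " .. os.date("%c", t)
end
```

Run it the same way as the benchmark command in the message (for example `nmap -sU -p 123 --script=<this-script>.nse -T5 <targets>`); the per-host stall on silent hosts is then bounded by the level-derived value rather than the socket default, which is the effect the two timings above demonstrate.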
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
