Nmap Development mailing list archives

Re: [NSE] Raw ethernet frame questions and NSE library questions


From: Kris Katterjohn <katterjohn () gmail com>
Date: Thu, 04 Feb 2010 10:58:03 -0600


Hey kx,

On 02/03/2010 09:05 PM, kx wrote:
> I wanted to start with sending some ICMP packets, so if nothing
> exists, and I wanted to put functionality into a library, would it be
> best to try to extend packet.nse, or create icmp.nse? The same would
> go for ethernet.


Do you actually need the ethernet frames?  Other than because Nmap trunk
requires it for raw sending?

I only ask because Marek used to have (a while ago obviously) a patch for raw
IP sending for NSE, but it never got into Nmap proper.  However, I recently
(less than 2 weeks ago) started a new set of changes, which differs from the
aforementioned patch, and placed them in

svn://svn.insecure.org/nmap-exp/kris/nse-rawip

It's not ready for trunk now, but it works nicely for me.  Though please let
me know if I broke something :)

I used some pretty detailed commit logs, so it's all explained there.  I
didn't commit many times, so it's a short enough read.  But basically you use
ip_open(), ip_send() and ip_close() like the ethernet_* variety.

I also put in an IP ID sequence classifier script (used, for example, to test
for zombie suitability for use with -sI.  Nmap itself doesn't provide this
functionality at the scale NSE can do).  This is explained in the logs as
well.  You can take a look at how the script works, and test with that script
too.  As you can see in the script, it could use a better method for building
the packet, like you're suggesting ;)

I bring all this up because if you like it and find it useful then hopefully
it can get into trunk in one form or another.  If NSE is going to support raw
packet sending and receiving, it should provide something at a higher (i.e.
better) level than ethernet.  Having ethernet sending is great, but not if
it's the only option.

The only problem is right now it doesn't work on machines with broken raw
sockets (the Windows).  However that should be a matter of recognizing this
and trying to use ethernet anyway, if supported (but see my log message for
more).  I just have to add this fallback to my branch.  I remember you sending
patches for Windows before, but hopefully you can give this a try on a
different OS until I can add this stuff.  Otherwise I might've just wasted our
time ;)

> Cheers,
>   kx

Thanks,
Kris Katterjohn
