Nmap Development mailing list archives

Re: [NSE] Raw ethernet frame questions and NSE library questions


From: Kris Katterjohn <katterjohn () gmail com>
Date: Thu, 04 Feb 2010 16:45:10 -0600

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 02/04/2010 04:09 PM, Fyodor wrote:
> On Thu, Feb 04, 2010 at 10:58:03AM -0600, Kris Katterjohn wrote:
>> I bring all this up because if you like it and find it useful then hopefully
>> it can get into trunk in one form or another.
>
> Sounds very interesting.  Be sure to keep us on nmap-dev informed of
> the status and progress of the system.  Your demonstration script
> (checking IPID sequence predictability) is a clever and useful one!
>

Thanks!

>> The only problem is right now it doesn't work on machines with broken raw
>> sockets (the Windows).  However that should be a matter of recognizing this
>> and trying to use ethernet anyway, if supported (but see my log message for
>> more).
>
> Why not use Nmap's existing functionality for sending IP packets
> (e.g. send_ip_raw() or, at a lower level, send_ip_packet())?  That way
> Nmap decides whether to send it on the raw device by building an
> ethernet frame or to use raw IP packets, based on the capabilities of
> the system (e.g. no raw sockets on Windows) and user options
> (--send-ip, --send-eth)?
>

Here's an excerpt from my log on this:

"I would have checked o.sendpref and all that to actually send over ethernet
if possible, but this assumes the socket will be used for only one target,
always use the same route, or some other case that's not guaranteed to be so.
Of course the issue of Windows still exists.  Ugh."

My initial idea here being that keeping one ethernet descriptor open might not
work since the socket may be used for different targets in one script, and the
targets may be through different routes and different devices.  However this
can be worked around with some checking, I just didn't get to it as I've been
pretty busy since I first committed it (and didn't personally have a need yet
since I didn't work on Windows for it).

>> It does seem like NSE should be able to send raw packets.
>>
>> I only ask because Marek used to have (a while ago obviously) a
>> patch for raw IP sending for NSE, but it never got into Nmap proper.
>
> I don't remember why it didn't.  Maybe there was a reason, or maybe it
> just fell through the cracks?  It is probably worth looking at again,
> though I don't know if that old patch will still work with current
> Nmap.  Maybe Kris's new patch can bring out the best ideas from
> Marek's patch, plus Kris's own improvements.
>

I don't remember, but having this functionality would be a great plus.

> Cheers,
> -F

Cheers,
Kris Katterjohn

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iQIcBAEBAgAGBQJLa031AAoJEEQxgFs5kUfuVlcP/0Q/AqHce3I0AOTLhnm0tJxh
UBicaLW8v40zjwXrqFBjEPJoviWVnAEGgmGl1jcr+fO0Ykj5RAER4f5O2BOA95Gw
sHAmRprZy2Zhv+sqUcYxtl80lzoM6ypMarXDMEWE8B6u/CFwBe2bgwEXidtLdNIX
oWI64VNSVSdOUKQcAZqWylQqmauUUG3rfQ+KYR7z2e+Fs6gn45H4H+29zGjpuT3Z
TJiJFF9OVYahP9GRBiM5zTqX8g1LLrXY/JqYXLU0AU6hyBP3FdXRPWh7sWKiNNd2
qNA59WBy/cwaMpa6ouZvnluEFqZRpKQxMi4qEXq3IIZN64zvAWE4K3sV2DcVNmZc
9WjqS5XIdXwsG1sXo50MzGrBfyalwJL19LtMRRCtlbOVJSSgNR2wmd0ow2IZbe3N
P1Xwd7kxfxi6wcmGxR641lv5hT2uhkgIUCZ41+mMMmXS0B7WyHHD6mfz36JF7flT
4eGiBlAYs9ch+R7B1+bf3hl1jI6oBYAcRIA1NCxVoUuTyagRX/UH6DZd0DTEdfBN
jMA4bPZidd9YyZvZyxFlHxJPBfwybg/r3o8AIBvbb8CASt1HbjS91Y42txb8K1YE
MP3gvDWV7JN4ThTMc2uxo2YedMhbv9YYFXFp1dmmcS9JseTyZMylurecyTxA7iyk
UCpZI0BEeV5MKgIbAcS0
=Mwei
-----END PGP SIGNATURE-----
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
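The thread mentions Kris's demonstration script that checks IPID sequence predictability but does not show how such a check is made. The following is an added example, not Kris Katterjohn's NSE script and not code from the Nmap project: it takes a list of IP identification values already observed from one host (for instance, pulled from a packet capture) and classifies the sequence. The class names loosely mirror the categories Nmap reports for IP ID sequences, but the thresholds, the helper names and the sample sequences are this example's own assumptions and constructions.

```python
"""Classify an observed sequence of 16-bit IP ID values for predictability.

Added example for the nmap-dev thread above. This is not Kris Katterjohn's
NSE demonstration script and not Nmap project code; the class names loosely
follow the categories Nmap reports for IP ID sequences, while the numeric
thresholds and the sample sequences below are this example's assumptions.
"""
from typing import Dict, List

# Constructed sample sequences, not captured from any real host.
SAMPLES: Dict[str, List[int]] = {
    "linux-like counter": [40211, 40212, 40213, 40214, 40215],
    "wraps at 16 bits": [65534, 65535, 0, 1, 2],
    "byte-swapped counter": [0x0A00, 0x0B00, 0x0C00, 0x0D00],
    "busy host": [100, 400, 750, 900, 1450],
    "randomized": [12345, 2, 54321, 30000, 9],
    "zeros": [0, 0, 0, 0],
    "constant": [4242, 4242, 4242],
}

INCREMENTAL_MAX_STEP = 10   # assumption: steps below this look like a plain counter
SMALL_STEP_MAX = 1000       # assumption: bound for "random positive increments"


def _steps(ids: List[int]) -> List[int]:
    """Successive differences modulo 2^16, so 65535 followed by 0 is a step of 1."""
    return [(b - a) & 0xFFFF for a, b in zip(ids, ids[1:])]


def _byteswap(x: int) -> int:
    """Swap the two bytes of a 16-bit value (host wrote the counter little-endian)."""
    return ((x & 0xFF) << 8) | ((x >> 8) & 0xFF)


def classify_ipid(ids: List[int]) -> str:
    """Return a predictability class for a sequence of IP ID values."""
    if len(ids) < 2:
        raise ValueError("need at least two IP IDs to classify a sequence")
    if any(not 0 <= i <= 0xFFFF for i in ids):
        raise ValueError("IP IDs are 16-bit values")
    if all(i == 0 for i in ids):
        return "all zeros"
    if len(set(ids)) == 1:
        return "constant"
    steps = _steps(ids)
    if all(s < INCREMENTAL_MAX_STEP for s in steps):
        return "incremental"
    # A counter stored little-endian looks like jumps of 256 until byte-swapped.
    if all(s < INCREMENTAL_MAX_STEP for s in _steps([_byteswap(i) for i in ids])):
        return "broken little-endian incremental"
    if all(s < SMALL_STEP_MAX for s in steps):
        return "random positive increments"
    return "randomized"


def leaks_packet_count(ids: List[int]) -> bool:
    """True when the ID field exposes how many packets the host sent between observations.

    Only the counter-style classes have that property; it is what makes a host
    usable as a third-party traffic oracle, so it is the one a defender flags.
    """
    return classify_ipid(ids) in {"incremental", "broken little-endian incremental"}


def classify_samples() -> Dict[str, str]:
    """Classify every constructed sample sequence."""
    return {name: classify_ipid(seq) for name, seq in SAMPLES.items()}


if __name__ == "__main__":
    for name, cls in classify_samples().items():
        flag = "LEAKS COUNT" if leaks_packet_count(SAMPLES[name]) else "ok"
        print(f"{name:22} {cls:36} {flag}")
```

Sequences that wrap past 65535 are handled by taking every step modulo 2^16, and the byte-swapped check runs only after the plain incremental check fails, so a normal counter is never misreported as little-endian. Feeding the function IDs gathered from a capture of one host's replies, rather than from active probing, keeps the check passive.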