Re: Raw IP NSE Functionality (Was Re: [NSE] Raw ethernet frame questions ...)

[kx <kxmail () gmail com>]

Misclicked send:

The rest of the snippet was:

action = function(host)
        math.randomseed( os.time() )
        local sock = nmap.new_dnet()
        local port = nmap.registry[host.ip]['junk']
        local tcp = genericpkt(host, port, 1500)

        sock:ip_open()

        sock:ip_send(tcp.buf)
        sock:ip_close()

And I reused Kris's getport, setreg, and hostrule as I only needed a
single open port as well for the script I am playing with.

I am not even capturing responses yet, just looking at them in Wireshark.

Sorry if this doesn't help much. I never got my VMs up and running,
but if I get time, that will give me other interfaces and routes to
play with.

Cheers,
  kx


On Wed, Feb 17, 2010 at 9:37 PM, kx <kxmail () gmail com> wrote:
> > About Windows support: Have you (or anyone) tested raw sending to a
> > non-Target? How are you testing this generally? If you have even just a
> > short script snippet, that is fine.
>
> I have a script I have been toying with for this, and just tested it.
>
> Windows XP SP3 on a wireless LAN. Sadly only one route right now.
>
> nmap -sS -p 80 --script=junk.nse google.com
>
> For testing, I sent a custom TCP SYN to port 80 on 192.168.1.1
>
> It worked fine, but the only issue is the route/interface to
> 192.168.1.1 is the same as the route/interface to the target host
> (google.com).
>
> As for how I have been testing for packet sending, I am using the same
> code as Kris (please ignore my ugly modifications, I haven't
> generalize the payload code - thus the A fill right now).
>
> -- I mooched off of Marek's RR script for some of the following functions
> -- (I split them into separate functions and redid them a bit).
> checksum = function(tcp)
>        tcp:tcp_count_checksum(tcp.ip_len)
>        tcp:ip_count_checksum()
> end
>
> newtcpseq = function(tcp)
>        tcp:tcp_set_seq(math.random(1, 0x7fffffff))
> end
>
> newtcpsport = function(tcp)
>        tcp:tcp_set_sport(math.random(0x401, 0xffff))
> end
>
> genericpkt = function(host, port, totlen)
>        local pkt = bin.pack("H",
>                "4500" .. -- IPv4, len 5, dif serv 00
>                "0000" .. -- total len
>                "abcd" .. -- ip id
>                "4000" .. -- DF set
>                "8006" .. -- TTL 128, proto TCP
>                "0000" .. -- checksum
>                "0000 0000" .. -- src ip
>                "0000 0000" .. -- dst ip
>                "0000" .. -- tcp src port
>                "0000" .. -- tcp dst port
>                "0000 0000" .. -- seq #
>                "0000 0000" .. -- ack #
>                "5002" .. -- hdr len 20, SYN
>                "0c00" .. -- win size 3072
>                "0000" .. -- tcp checksum
>                "0000" -- urg pointer
>        )
>        pkt = pkt .. string.rep("A", (totlen - 40))
>        local tcp = packet.Packet:new(pkt, pkt:len())
>
>        tcp:ip_set_len(totlen)
>        tcp:ip_set_bin_src(host.bin_ip_src)
>        tcp:ip_set_bin_dst(host.bin_ip)
>        tcp:tcp_set_dport(port)
>
>        newtcpsport(tcp)
>        newtcpseq(tcp)
>
>        checksum(tcp)
>
>        return tcp
> end
>
> Then down in the main:
>
> action = function(host)
>        math.randomseed( os.time() )
> local sock = nmap.new_dnet()
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/