Nmap Development mailing list archives
Re: [NSE] nfs-ls script feedbacks, was: [nmap-svn] r17816 - nmap-exp/djalal/scripts
From: Patrik Karlsson <patrik () cqure net>
Date: Sun, 13 Jun 2010 08:56:56 +0200
On 13 jun 2010, at 03.27, Djalal Harouni wrote:
> Hi Richard,
>
> First, sorry for the delay. I've merged the script; you can update your svn copy (r18083 and r18084).
>
> The new output of the script:
>
> -- PORT    STATE SERVICE
> -- 111/tcp open  rpcbind
> -- | nfs-ls:
> -- |   Arguments:
> -- |     maxfiles: 10 (file listing output limited) time: mtime
> -- |
> -- |         PERMISSION  UID   GID   SIZE   DATE              FILENAME
> -- |
> -- |   NFS:  drwxrwxrwx  0     0     4096   2010-06-12 12:55  /tmp
> -- |         srwxr-xr-x  0     0     0      2010-06-12 11:34  wpa_ctrl_22880-1
> -- |
> -- |   NFS:  drwxr-xr-x  1000  100   4096   2010-06-11 22:31  /home/storage/backup
> -- |         -rw-r--r--  1000  1002  0      2010-06-10 08:34  filetest
> -- |         drwx------  1000  100   16384  2010-02-05 17:05  lost+found
> -- |         drwxrwxr-x  1000  100   4096   2010-06-11 19:08  net_packet
> -- |         -rw-r--r--  0     0     5      2010-06-10 11:32  rootfile
> -- |_        lrwxrwxrwx  1000  1002  8      2010-06-10 08:34  symlink
>
> Changes:
> o Default time is mtime (modified time)
> o A new argument: nfs-ls.human to show the files size in the human readable format.
> o The output is formatted in tables thx to the tab library.
I just did a quick test of the script and it looks great! Nice work!
> On 2010-06-10 14:23:54 -0500, Richard Miles wrote:
>> Hello
>>
>> Very interesting this plugin. Is it part of the safe plugin? I mean, if I just call nmap -sC ip it will be executed?
>
> From the nmap page the -sC is equivalent to --script=default (default category), this script is in the "discovery" and "safe" categories but not in the default one, because:
> - Verbosity: it can produce a lot of output.
> - Intrusiveness: trying to enumerate NFS shares for each host on the network can be seen as an attack.
>
> I think that this script should not be in the default category, it can use a lot of NFS procedures.
>
>> Talking about NFS I have a security doubt for a long time, maybe someone can clarify it for me. On NFS, if there is an exported directory to everyone we can access it, and if there are files of other users we can use this trick to bypass it http://www.vulnerabilityassessment.co.uk/nfs.htm
>
> Well, first you need to know that NFS has some security options. It's true that NFS Server bases its acls on the uid and gid provided by the client and this is the point of NFS, and yes the "su - user" trick works.
>
> Here are some NFS options:
> - ro (readonly): even if it is the same uid on the server/client the file system will be exported readonly and we can write to it.
> - root_squash: to map uid 0 (root) of the client to the anonymous uid on the server.
> - all_squash: to map every uid to the nobody uid on the server.
> - anonuid, anongid: to specify the uid/gid of the anonymous user, but on the other hand you are allowing read/write access to this uid/gid.
>
>> But in a few cases, you see an exported directory to everyone and you mount it, but when you try list (ls) it says "access denied". There is something that can be done in these cases to bypass this restriction?
>
> Perhaps you must check your uid/gid (client) and the permissions of the directory in the server that you want to list. You can check the exports manual: "man exports"
>
> Feedback is always welcome, thx.
If the server is running NFSv4 with Kerberos authentication you would see this behavior. In those cases bypassing is not as simple. In addition to the options in the export file, access to portmap, nfs and its subprograms can be blocked in the hosts.deny file.

//Patrik

--
Patrik Karlsson
http://www.cqure.net
http://www.twitter.com/nevdull77

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
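
An added example, not part of the original messages or of Nmap: a small auditor that reads an exports(5) file and flags the export options discussed in this thread (exports to everyone, `no_root_squash`, `rw` without `all_squash` or Kerberos, `anonuid`/`anongid`). It assumes Linux nfs-utils syntax and defaults (`ro`, `root_squash`); the function names and the sample file are constructed for illustration.

```python
import re

WORLD = {"*", "0.0.0.0/0", "::/0"}   # client specs that match every host
PAIRS = [("rw", "ro"), ("root_squash", "no_root_squash"), ("all_squash", "no_all_squash")]
OPPOSITE = {a: b for pair in PAIRS for a, b in (pair, pair[::-1])}

def parse_exports(text):
    """Yield (path, client, options) per client entry of exports(5) text."""
    for line in text.replace("\\\n", " ").splitlines():   # join continuations
        line = line.split("#", 1)[0].strip()              # drop comments
        if not line:
            continue
        path, *specs = line.split()
        defaults = set()
        for spec in specs or ["*"]:           # no client list: all hosts
            if spec.startswith("-"):          # "-opt,opt": defaults for later clients
                defaults = set(spec[1:].split(","))
            elif m := re.fullmatch(r"([^()]*)(?:\(([^()]*)\))?", spec):
                opts = set(filter(None, (m.group(2) or "").split(",")))
                merged = (defaults - {OPPOSITE.get(o) for o in opts}) | opts  # explicit wins
                yield path, m.group(1) or "*", merged

def audit(text):
    """Return sorted (path, client, finding) tuples for risky entries."""
    findings = []
    for path, client, opts in parse_exports(text):
        rw = "rw" in opts                     # assumed default: ro
        krb = any(o.startswith("sec=krb5") for o in opts)
        anon = any(o.startswith(("anonuid=", "anongid=")) for o in opts)
        checks = [
            (client in WORLD, "exported to every host"),
            ("no_root_squash" in opts, "client uid 0 is not squashed"),
            (rw and not krb and "all_squash" not in opts, "rw with client-supplied uid/gid trusted"),
            (rw and anon, "squashed users write as the configured anonuid/anongid"),
        ]
        findings += [(path, client, msg) for hit, msg in checks if hit]
    return sorted(findings)

# Constructed sample exports file (not taken from the thread).
SAMPLE = """\
/tmp                  *(rw,no_root_squash)
/home/storage/backup  192.0.2.0/24(rw,all_squash,anonuid=1000,anongid=100) \\
                      backup.example.org(ro)
/srv/krb              *.example.org(rw,sec=krb5p)   # Kerberos-authenticated
/pub                  (ro,all_squash)
"""

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```
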