Nmap Development mailing list archives

Re: Thoughts on script documentation


From: Ron <ron () skullsecurity net>
Date: Thu, 18 Nov 2010 07:48:10 -0600

This makes me think of another feature I've talked about before but that nobody's taken the reins on: the ability to 
update scripts without updating Nmap. 

Telling people to "download the svn" to get the newest scripts isn't always realistic, especially with Windows users, 
and stable builds can be months apart. Having the ability to download the newer nselib/script files in some way would 
be handy. 

Of course, talking about it doesn't help. Somebody needs to actually *do* it. 

Ron

On Wed, 17 Nov 2010 22:42:47 -0600 Daniel Miller <bonsaiviking () gmail com> wrote:
Hi, list,

This forwarded conversation got me thinking, should there be a
"minimum version" for scripts? To sum up, the wdb-version script I
wrote requires a line in nmap-rpc, which is not documented anywhere,
but that was added in the same revision as the script itself. Other
scripts rely on features or configs that are not present before a
certain revision. Should this be documented for those who download the
script from the NSE doc site?

Dan

---------- Forwarded message ----------
From: John Larson <jlarson () qualys com>
Date: Wednesday, November 17, 2010
Subject: Questions about nmap wdb-version script
To: Daniel Miller <bonsaiviking () gmail com>


Hi Daniel,

I got it working finally (see below).  Is the fact that the line

wdb        1431655765    # Wind River Debugger (VxWorks)

is required in nmap-rpc for the wdb-version script to work documented
anywhere ??

This key info isn't documented either in the comment section of your
script, or on http://nmap.org/nsedoc/scripts/wdb-version.html.

Thanks,
John

-----------------------------------------------------
sudo nmap -sU -p 17185 --script wdb-version 10.10.31.45

Starting Nmap 5.35DC1 ( http://nmap.org ) at 2010-11-17 12:49 PST

Nmap scan report for 10.10.31.45
Host is up (0.0025s latency).
PORT      STATE SERVICE
17185/udp open  wdb
| wdb-version:
|   VULNERABLE: Wind River Systems VxWorks debug service enabled. See http://www.kb.cert.org/vuls/id/362332
|   Agent version: 2.0
|   VxWorks version: 5.4
|   Board Support Package: i-2-eye DVC1000 - ARM9TDMI _  Boot line:
|wingnut:KauriCore

Nmap done: 1 IP address (1 host up) scanned in 0.34 seconds


-----Original Message-----
From: Daniel Miller [mailto:bonsaiviking () gmail com]
Sent: Wednesday, November 17, 2010 11:12 AM
To: John Larson
Subject: Re: Questions about nmap wdb-version script

John,

It will work with the latest subversion build, see
http://nmap.org/book/install.html#inst-svn

The latest development release, 5.35DC1, still does not have the
updated nmap-rpc file. The script should still work, though, if you
edit your nmap-rpc file to contain the line I mentioned, or download
the latest one directly from http://nmap.org/svn/nmap-rpc

Dan

On 11/17/2010 11:26 AM, John Larson wrote:
Daniel,

If I interpret your message correctly, things should work ok with a
normal install of the latest version of nmap? If so, I will just
download a new version and try again.

Seems like there might be a bug in the script since this was a
silent failure. It would have been very helpful to me if the script
could have raised an error message rather than silently failing to
work.

Thanks,
John



On Wed, Nov 17, 2010 at 7:56 AM, Daniel Miller <bonsaiviking () gmail com> wrote:

John,

The problem is that the script requires an entry in the nmap-rpc file,
like so:

wdb        1431655765    # Wind River Debugger (VxWorks)

This change is included in the svn revision that added the script
itself. Since you are running 5.21, without this line, the script does
not run, so the packets you are seeing are just nmap's null probes to
determine if the port is open or not.

Another note, since some devices do not respond to pings, even Nmap's
default "ping" sequence, I use the -Pn (skip host discovery) flag when
scanning for a single port, since if the host won't respond to that
port, I don't care if it is up or not. This can actually slow down a
UDP scan, since no reply is interpreted as open, but for this
particular script, it only adds one additional UDP packet and timeout.

Dan


On 11/16/2010 08:54 PM, John Larson wrote:

Daniel,

Below is all the data for the Metasploit and nmap runs (incl.
actual wdb-version script being run) with wireshark data captures
attached

Metasploit command output

msf auxiliary(wdbrpc_bootline)>  use auxiliary/scanner/vxworks/wdbrpc_version
msf auxiliary(wdbrpc_version)>  set RHOSTS 10.10.31.45/32
RHOSTS =>  10.10.31.45/32
msf auxiliary(wdbrpc_version)>  set RHOST 10.10.31.45
RHOST =>  10.10.31.45
msf auxiliary(wdbrpc_version)>  run

[*] 10.10.31.45: 5.4 i-2-eye DVC1000 - ARM9TDMI wingnut:KauriCore
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(wdbrpc_version)>

nmap command output

sudo nmap -sU -p 17185 --script-trace --script wdb-version 10.10.31.45

Starting Nmap 5.21 ( http://nmap.org ) at 2010-11-16 18:40 PST
NSOCK (0.3310s) nsock_loop() started (timeout=50ms). 0 events pending
NSE: Script Scanning completed.
Nmap scan report for 10.10.31.45
Host is up (0.0023s latency).
PORT      STATE         SERVICE
17185/udp open|filtered wdbrpc

Nmap done: 1 IP address (1 host up) scanned in 0.33 seconds

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
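Dan's explanation of the nmap-rpc prerequisite, and John's request that the script report the problem instead of failing silently, modelled as an added example (not code from the thread, from Nmap, or from the wdb-version script). It assumes the script resolves the RPC program by name from nmap-rpc the way an RPC helper library would; the nmap-rpc fragments and helper names are constructed.

```python
# Added example, not code from the thread or from Nmap/NSE. It models the
# dependency Dan describes: a script that resolves the "wdb" RPC program by
# name from nmap-rpc gets nothing back when the entry is missing and quietly
# declines to run. Layout assumed: "name number [aliases...] # comment".
# Both nmap-rpc fragments below are constructed.

NMAP_RPC_OLD = """\
# constructed stand-in for the nmap-rpc shipped before the change
portmapper   100000   portmap sunrpc rpcbind
nfs          100003   nfsprog
"""
WDB_LINE = "wdb        1431655765    # Wind River Debugger (VxWorks)"
NMAP_RPC_NEW = NMAP_RPC_OLD + WDB_LINE + "\n"   # same file after the svn change


def parse_nmap_rpc(text):
    """Map every program name and alias in an nmap-rpc text to its number."""
    table = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()     # drop comment, tokenize
        if len(fields) < 2 or not fields[1].isdigit():
            continue                              # blank, comment or malformed
        for name in [fields[0]] + fields[2:]:     # primary name plus aliases
            table[name] = int(fields[1])
    return table


def prog_name_to_number(table, name):
    """RPC-helper style lookup: None for an unknown name. A port rule that
    tests this result is false for None, the silent non-run seen on 5.21."""
    return table.get(name)


def missing_wdb_entry(rpc_text):
    """Return an actionable message if nmap-rpc lacks the wdb line, else None."""
    if prog_name_to_number(parse_nmap_rpc(rpc_text), "wdb") is not None:
        return None
    return ("nmap-rpc has no wdb entry; add the line\n  " + WDB_LINE +
            "\nor fetch the current file from http://nmap.org/svn/nmap-rpc")


def check_wdb_dependency(rpc_text):
    """Loud version of the check John asked for: raise instead of doing nothing."""
    problem = missing_wdb_entry(rpc_text)
    if problem:
        raise LookupError(problem)
    return prog_name_to_number(parse_nmap_rpc(rpc_text), "wdb")
```

The program number 1431655765 is 0x55555555; with the old fragment the lookup yields None and the check names the missing line, with the new one it returns the number.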