Nmap Development mailing list archives
Re: new script tcp-connect.nse
From: Toni Ruottu <toni.ruottu () iki fi>
Date: Wed, 20 Jun 2012 23:44:39 +0300
Would it make sense for the Lua packet matching library to support the same format we are using for version detection match lines? On Wed, Jun 20, 2012 at 11:30 PM, Hani Benhabiles <kroosec () gmail com> wrote:
On 06/20/2012 08:56 PM, Toni Ruottu wrote:Fair enough. Feedback is good. It might look too much like an error message at the moment. I do not know how to improve it though. On Wed, Jun 20, 2012 at 5:31 PM, David Fifield <david () bamsoftware com> wrote:On Tue, Jun 19, 2012 at 08:52:38PM +0300, Toni Ruottu wrote:On Tue, Jun 19, 2012 at 8:25 PM, David Fifield <david () bamsoftware com> wrote:On Sun, Jun 10, 2012 at 03:12:32PM +0300, Toni Ruottu wrote:I wrote a new script last week. It connects to a tcp service to make sure the port is really reachable. There are a few use cases for this script. - The user runs a TCP SYN scan, and wants to separate oaks from apples. Which open ports are really open, and which ones are merely open in the firewall? - The user runs a TCP connect scan against a firewall that sometimes randomly fakes open ports. The second connect done by the script will fail. - The user scans a service which crashes after the scan reports it to be open, and all other scripts fail to connect information from that port. - The user scans a load balancer where the initial scan accidentally hits a server that has an open port that its siblings are lacking. First I thought this script would be too heavy for the default category as it runs against most services. However, it would typically never produce output when other scripts do. If both this one and some other script produces output, that is something the user might want to know. Also, if the user is running a script scan, it must at least be ok to do full connections to the ports, so I think it should be ok to run this script if the user asks for both -sS and -sC. Finally, open ports not being open sounds generally like a useful thing to know.This is an interesting idea. I don't think that it should be default. If I were going to do this, I think I would just use -sV --version-light. The services that can't be connected to will be "tcpwrapped".Ok. Feel free to remove default from categories.I don't plan to add this script unless someone else speaks up. David Fifield_______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://seclists.org/nmap-dev/Hi Toni, This is not really specific to this script but seeing it gives me some not clear yet ideas like adding the possibility of sending a user defined payload and looking for user defined patterns in the response (size, regex/hard matching etc...) notifying the user when there is a match. (Basic example for the sake of demonstration of what tcp-payload may look like) Say that I have some HTTP exploit and a target that is vulnerable would return a 500 response. A user could put the HTTP request in a file and choose something like "500 Internal Server Error" and specify them in script args. When a match occurs, a simple output is provided for that port. Although you can write such scenarios with few efforts in NSE, this may prove to be a swiss army knife for users that don't have strong Nmap scripting knowledge or just want to rapidly prototype some PoC / detection mechanisms while benefiting from Nmap's awesome network discovery and scanning abilities especially when scanning large networks. With enough parameters that the user could change, such a script could be very popular. Of course supporting binary payloads / response matching would be a must to make such a script useful. These are just unstructured ideas at the moment. I would happily work on this if someone finds this interesting and could add any remarks. :) Cheers, Hani. -- Hani Benhabiles Twitter: https://twitter.com/#!/kroosec Blog: http://kroosec.blogspot.com
_______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://seclists.org/nmap-dev/
Current thread:
- new script tcp-connect.nse Toni Ruottu (Jun 10)
- Re: new script tcp-connect.nse David Fifield (Jun 19)
- Re: new script tcp-connect.nse Toni Ruottu (Jun 19)
- Re: new script tcp-connect.nse David Fifield (Jun 20)
- Re: new script tcp-connect.nse Toni Ruottu (Jun 20)
- Re: new script tcp-connect.nse Hani Benhabiles (Jun 20)
- Re: new script tcp-connect.nse Toni Ruottu (Jun 20)
- Re: new script tcp-connect.nse Toni Ruottu (Jun 19)
- Re: new script tcp-connect.nse David Fifield (Jun 19)