Nmap Development mailing list archives
Least Privileges for NMAP
From: starlight.2012q3 () binnacle cx
Date: Wed, 12 Sep 2012 12:18:39 -0400
Hello,

I recently started experimenting with the -A option and have an observation.

It's clear that -sC scripts are numerous, complex and buggy. Seems probable that blackhats will take advantage of this and write exploits designed to inject malware into systems scanning their hosts with 'nmap -A'.

In keeping with this I am now issuing

    chown nobody:nobody nmap
    chmod ug+s nmap
    setcap cap_net_raw+ep nmap

and adding the --privileged option to the 'nmap' command line. It works well and greatly reduces the likelihood of a 'nmap' exploit successfully infecting the system where 'nmap' is run.

It would be fairly straightforward to have 'nmap' natively issue system calls to produce the same least-privilege state as the above commands. I suggest that this be implemented. The semantics of Linux capabilities changed somewhat in 2.6.25 and this might require some conditional logic that refers to /proc/version.

Perhaps it would make sense to make use of the Google Chrome sandbox when 'nmap' is run under Windows, though I imagine adding the feature would be a large effort.

Thanks for the great software!

Regards

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
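As an added example (not from the post above or from the Nmap project), a POSIX shell script that applies the three commands the post describes to an assumed binary path NMAP_BIN and verifies the resulting owner, setuid/setgid bits and file capability before nmap is invoked with --privileged; the parsing helpers assume "ls -l"-style mode strings and either of the two getcap output formats.

```shell
#!/bin/sh
# Added example, not from the original post or the Nmap project.
# Applies the least-privilege layout described above to an nmap binary
# (assumed path in NMAP_BIN) and verifies it before use with --privileged.
set -eu
NMAP_BIN="${NMAP_BIN:-/usr/local/bin/nmap}"   # assumed install path

# True when a getcap(8) output line grants exactly cap_net_raw, effective
# and permitted. Handles both the older "path = cap_net_raw+ep" and the
# newer "path cap_net_raw=ep" output forms (paths without spaces assumed).
caps_ok() {
    caps=${1#* }          # drop the path
    caps=${caps#= }       # drop the "= " separator printed by older libcap
    case "$caps" in
        cap_net_raw+ep|cap_net_raw=ep) return 0 ;;
        *) return 1 ;;
    esac
}

# True when an "ls -l" mode string has both setuid and setgid bits set
# (lowercase s: the execute bits are present too) and owner/group are nobody.
mode_ok() {
    [ "$2" = nobody ] && [ "$3" = nobody ] || return 1
    case "$1" in
        ???s??s???*) return 0 ;;   # trailing '.'/'+' from ACLs/SELinux tolerated
        *) return 1 ;;
    esac
}

# Apply the post's three commands. Order matters: chown clears the setuid/setgid
# bits and file capabilities, so it must run first. Requires root.
apply_least_privilege() {
    chown nobody:nobody "$1"
    chmod ug+s "$1"
    setcap cap_net_raw+ep "$1"
}

# Verify the live binary; non-zero (with a reason on stderr) on any mismatch.
check_least_privilege() {
    bin=$1
    set -- $(ls -ld "$bin")              # mode links owner group ...
    mode_ok "$1" "$3" "$4" || { echo "bad owner/mode: $1 $3 $4" >&2; return 1; }
    got=$(getcap "$bin")
    caps_ok "$got" || { echo "bad capabilities: '$got'" >&2; return 1; }
}

if [ -x "$NMAP_BIN" ]; then
    check_least_privilege "$NMAP_BIN" && echo "ok: run $NMAP_BIN --privileged as an unprivileged user"
fi
```

Run apply_least_privilege once as root, then check_least_privilege from the account that will scan; any output files nmap writes (-oN and friends) must go to a directory writable by nobody.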