Nmap Development mailing list archives

Nmap GSoC 2013 Success Report


From: Fyodor <fyodor () nmap org>
Date: Thu, 31 Oct 2013 22:20:34 -0700

Hi Folks.  I'm pleased to report the successful completion of our 9th
Google Summer of Code!  And for only the fourth time ever, all of our
students passed!  Admittedly we had a small crop this year, but all
three accomplished major feats.  Most of their work has already been
integrated into Nmap 6.40 or our source code repository for the next
release.  Let's look at their accomplishments individually:

 *George Chatzisofroniou* spent the whole summer working with Patrick
Donnelly enhancing Nmap's web scanning capabilities.  We've already
integrated 13 of his NSE scripts.  They span the gamut from detecting
CSRF, XSS, and file upload vulnerabilities to detecting the
development framework used on a given web site and collecting all the
HTML comments hidden on pages sitewide.  We now have more than 450
scripts total and all are documented at http://nmap.org/nsedoc/!

*Jacek Wielemborek* worked with David Fifield in adding Lua scripting
support to Ncat. This complements Nmap's Scripting Engine (NSE) which
has already proven a huge success (see the previous paragraph!).  The
first feature is the new --lua-exec option in Nmap 6.40.  It is
similar to the existing --exec and --sh-exec options in that Ncat runs
a specified program and redirects its input and output to a network
socket.  But with those other options you need an executable or
shell/batch script which means they aren't portable and often have
extra dependencies.  Lua-exec uses the same built-in Lua interpreter
as Nmap so your scripts will work on Linux, Windows, Mac and more.
Jacek's second major feature is a Lua "socket abstractions" system
which allows you to control how Ncat does sends and receives using Lua
code.  Abstractions allow easy implementation of features like
transformation of data traffic or even support for new protocols that
aren't supported by Ncat's core engine.  This feature isn't yet
merged, but it's working in our nmap-exp tree and we're very excited
about it.

*Yang Luo* worked with Fyodor on low-level Windows programming to help
bring Nmap's performance on that platform closer to parity with our
UNIX support.  His largest accomplishment was porting WinPcap from
Microsoft's deprecated NDIS 5 framework to the newer Windows Filtering
Platform (WFP).  See http://seclists.org/nmap-dev/2013/q3/591 for
pointers to the code and executables.  The new system offers better
performance and will continue to work if and when Microsoft
discontinues NDIS5.  We have offered these changes to the WinPcap
developers in the hope they will be merged upstream.  Yang's other
project was finding a way to send raw packets to localhost on Windows.
 This hasn't worked in Nmap ever since Microsoft pulled the rug out
from under us by disabling raw sockets in Windows XP SP2.  The good
news is that Yang found a way to do this (also using WFP,
incidentally) and he produced proof of concept code that you can find
in nmap-exp/yang in our SVN tree.  We hope to incorporate this into
Nmap so people can scan their own system on Windows just as easily as they
can scan other hosts on the LAN or the Internet.

Great work, guys!  Both students and mentors deserve a round of
applause!  And so does Google for making all of this possible!  They
have spent tens of millions of dollars sponsoring thousands of
students to work on hundreds of open source projects.  Nmap by itself
has mentored 62 SoC students in the last 9 years and some continue as
top Nmap developers to this day.  If you enjoy Zenmap, the Nmap
Scripting Engine, Ncat, Nping, or Ndiff, you're using features
developed in large part by previous Summer of Code students!

Cheers,
Fyodor

PS: For those who are interested, here are our previous success (pass)
rates and wrap-up reports:
2013 (3/3 - 100%): [this report]
2012 (4/5 -  80%): http://seclists.org/nmap-dev/2012/q4/138
2011 (7/7 - 100%): http://seclists.org/nmap-dev/2012/q1/542
2010 (8/8 - 100%): http://seclists.org/nmap-dev/2011/q1/708
2009 (6/6 - 100%): http://seclists.org/nmap-dev/2009/q4/148
2008 (6/7 -  86%): http://bit.ly/googleblognmap
2007 (5/6 -  83%): http://seclists.org/nmap-dev/2007/q4/24
2006 (8/10 - 80%): http://seclists.org/nmap-dev/2007/q1/235
2005 (7/10 - 70%): http://slashdot.org/comments.pl?sid=183143&cid=15133184

PPS: Since it is Halloween in my time zone, here is an ASCII witch
enthusiastically riding a broomstick:

;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;-' ___      '-;;;;;;;;;;;;;;;;
;;;;;;;;;;;;-'    `'-.`'-.      '-;;;;;;;;;;;;
;;;;;;;;;;'           )   `\       ';;;;;;;;;;
;;;;;;;;'            /      \   ^V^  ';;;;;;;;
;;;;;;;           __/________\__       ;;;;;;;
;;;;;;  ^V^      '--/}}}}}}"}}--'       ;;;;;;
;;;;;              {{{{{{  aa\__         ;;;;;
;;;;;              }}}}} ,___ __}        ;;;;;
;;;;;             {{{{{\  \_//           ;;;;;
;;;;;              }}}}//'--u            ;;;;;
;;;;;        _     .--'`U\               ;;;;;
;;;;;   ::::| \   (   _,\\\              ;;;;;
;;;;;;  ::::|  |===\  \\=\))=======D    ;;;;;;
;;;;;;; ::::|_/     `> \\              ;;;;;;;
;;;;;;;;.           /__//            .;;;;;;;;
;;;;;;;;;;.         Y\_\\_         .;;;;;;;;;;
;;;;;;;;;;;;-._                _.-;;;;;;;;;;;;
;;;;;;;jgs;;;;;;-.          .-;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
[ from http://www.geocities.com/SoHo/7373/haloween.htm ]