Nmap Development mailing list archives

Idea: ssh-netstat.nse and adding columns to output


From: Jacek Wielemborek <d33tah () gmail com>
Date: Sun, 28 Sep 2014 14:06:31 +0200

List,

I recently had this thought that it should be relatively easy to
implement an OS-specific local-netstat.nse that would just run "netstat
-l", see what ports should be open and compare that to the results of
scanning one of the local IPs in order to test for rootkits/learn firewall
rules. This could also be implemented using the new SSH library and thus
make it a remote script as well (I can see that there's already a
similar script for SNMP).

And then I thought about how I would expect the output to look, and I
realized that we could use a new piece of output functionality for that.
What I'm thinking about is a way to add a new column to the port
scanning output, so instead of:

PORT     STATE SERVICE
22/tcp   open  ssh
25/tcp   open  smtp
111/tcp  open  rpcbind
631/tcp  open  ipp
9050/tcp open  tor-socks

Host script results:
| local-netstat.nse:
|_tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN
|_tcp        0      0 192.168.121.1:53        0.0.0.0:*               LISTEN
|_tcp        0      0 192.168.122.1:53        0.0.0.0:*               LISTEN
|_tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
|_tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN
|_tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
|_tcp        0      0 127.0.0.1:9050          0.0.0.0:*               LISTEN
|_tcp        0      0 127.0.0.1:2812          0.0.0.0:*               LISTEN
|_tcp6       0      0 :::111                  :::*                    LISTEN
|_tcp6       0      0 ::1:631                 :::*                    LISTEN

We could switch to:

PORT     STATE  SERVICE   NETSTAT
22/tcp   open   ssh
25/tcp   open   smtp
111/tcp  open   rpcbind
631/tcp  open   ipp
2812/tcp closed atmtcp    open
9050/tcp open   tor-socks

Of course one could argue that in this particular case it would be
better to just change local-netstat.nse's output to just mention the
differences, but still there are quite a lot of cases (version
detection?) where this feature could be useful.

So, what do you think?

Jacek

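The comparison sketched in the post, as an added Python example (not code from the post or from Nmap): it parses constructed "netstat -l" lines and a constructed Nmap port table, builds the proposed NETSTAT column, and flags the two mismatches worth looking at, a listener the scanner should have reached but saw as closed/filtered (a firewall rule) and a port open to the scanner with no listener in netstat (the rootkit case). It assumes that sockets bound to 0.0.0.0 or :: are reachable on every address, and that the scanner's target address is known.

```python
import re
# Constructed sample input, modelled on the netstat -l listing in the post.
NETSTAT_SAMPLE = """\
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN
tcp        0      0 192.168.121.1:53        0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:2812          0.0.0.0:*               LISTEN
tcp6       0      0 :::111                  :::*                    LISTEN
"""
# Constructed Nmap port table from a scan of 192.168.121.1 by another host.
NMAP_SAMPLE = """\
22/tcp   open     ssh
25/tcp   filtered smtp
53/tcp   open     domain
111/tcp  open     rpcbind
2812/tcp closed   atmtcp
4444/tcp open     krb524
"""
NETSTAT_RE = re.compile(r"^(tcp|tcp6|udp|udp6)\s+\d+\s+\d+\s+(\S+):(\d+)\s")
NMAP_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")
WILDCARDS = {"0.0.0.0", "::"}  # assumption: "::" also serves IPv4 (dual-stack)

def parse_netstat(text):
    """Map (proto, port) -> set of addresses the listening socket is bound to."""
    out = {}
    for m in filter(None, map(NETSTAT_RE.match, text.splitlines())):
        out.setdefault((m[1].rstrip("6"), int(m[3])), set()).add(m[2])
    return out

def parse_nmap(text):
    """Map (proto, port) -> (state, service) from an Nmap port table."""
    return {(m[2], int(m[1])): (m[3], m[4])
            for m in filter(None, map(NMAP_RE.match, text.splitlines()))}

def compare(netstat_text, nmap_text, scanned_ip):
    """Return (rows with a NETSTAT column, findings of 'filtered?'/'hidden?')."""
    listeners, ports = parse_netstat(netstat_text), parse_nmap(nmap_text)
    rows, findings = [], []
    for proto, port in sorted(set(listeners) | set(ports), key=lambda k: k[::-1]):
        state, service = ports.get((proto, port), ("unscanned", "?"))
        binds = listeners.get((proto, port), set())
        reachable = bool(binds & (WILDCARDS | {scanned_ip}))  # scan should see it
        col = "listening" if reachable else "local-only" if binds else "-"
        rows.append((f"{port}/{proto}", state, service, col))
        if reachable and state in ("closed", "filtered"):  # blocked on the way?
            findings.append((f"{port}/{proto}", "filtered?"))
        if state == "open" and not binds:  # reachable but invisible locally
            findings.append((f"{port}/{proto}", "hidden?"))
    return rows, findings
```

Running compare() with the scanner's own address (e.g. 127.0.0.1 when scanning from the host itself) changes which loopback-bound listeners count as reachable, so the same netstat data gives different findings per scanned interface.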