Nmap Development mailing list archives
Re: IPMI scripts (ipmi-version.nse and ipmi-cipher-zero.nse)
From: Daniel Miller <bonsaiviking () gmail com>
Date: Fri, 18 Jul 2014 20:05:03 -0500
Claudiu,

Thanks for tackling this! I'm looking forward to trying the scripts out. For now, here are some lua-isms that could help your code:

1. You're missing 'local string = require "string"' on all files, and the same for "math" in ipmi.lua.

2. Instead of wrapping string.char for the c() function in ipmi.lua, you can just assign:

    local c = string.char

3. Most of the use of the c() function can be replaced by literal strings. For instance:

    table.concat({ c(0x13), c(0x37) })

   is the same as "\x13\x37". You can even reduce it farther (adding a little runtime complexity, though) by using:

    bin.pack("H", "1337")

4. In general, bin.pack ought to replace your use of concatenation (table.concat or the .. operator) in most cases. It can take an arbitrary number of arguments, and literal strings can be included with the "A" format specifier.

5. Use the "p", "P", and "a" format specifiers for length-prefixed strings instead of the # operator and concatenation.

6. For bitwise flag checking, why not do:

    data["ipmi_compat_20"] = bit.band(value, 0x10000000)

   instead of rshifting the value before bit.band with 1?

7. You should replace stdnse.print_debug with the new stdnse.debug function that Devin added recently (http://nmap.org/nsedoc/lib/stdnse.html#debug) which automatically puts the script name into your output.

8. In ipmi-version, you use tables to hold possible multiple values for a particular key, then join the values with commas when you assign them to the key. A better way is to just assign the whole table to the key, because that preserves the separate elements into the XML output.

   Example: current XML:

    <elem key="UserAuth">password, md5, md2</elem>

   New code:

    local commasep = {__tostring = function(t) return table.concat(t, ", ") end}
    setmetatable(UserAuth, commasep)
    output["UserAuth"] = UserAuth

   new XML:

    <table key="UserAuth">
      <elem>password</elem>
      <elem>md5</elem>
      <elem>md2</elem>
    </table>

   Normal output will be unchanged (btw, your @output section doesn't have the commas after the spaces)

9. Add an @xmloutput section to the scripts.

10. Does Nmap's service version detection handle this service very well? or at all? Ideally, we will want a service version match for an existing probe, but if we need to, we can probably come up with a new probe to elicit a response. If the service will not give a response to an empty UDP packet, then we should add something to nmap-payloads, too. Then your portrule can be upgraded from shortport.portnumber to shortport.port_or_service (or shortport.version_port_or_service for ipmi-version, if the version detection probe doesn't get a good enough response).

I hope this wasn't too overwhelming, but I think these improvements will help you create better scripts in the future, too. A big part of NSE is learning the Lua dialect, which includes all the API stuff and libraries that we have available. In the end, it should save you some work over trying to force plain Lua to do the job (case in point: bin.pack).

Dan

On Fri, Jul 18, 2014 at 2:50 PM, Claudiu Perta <claudiu.perta () gmail com> wrote:
> Hi devs,
>
> As a follow-up to the last meeting with my mentor, I've been working on porting some of the IPMI modules[1] from Metasploit to nmap. So far, I implemented the protocol (ipmi.lua) and two scripts 'ipmi-version.nse', and 'ipmi-cipher-zero.nse': the first one does basic IPMI host information discovery, while the second identifies the cipher-zero vulnerability in IPMI 2.0 compatible systems.
>
> I tested both scripts on OpenIPMI simulator (v1.0.13) and they seem to work fine.
>
> Cheers,
> Claudiu
>
> [1] https://secwiki.org/w/Nmap/Script_Ideas#ipmi-version.2C_ipmi-cipher-zero.2C_ipmi-dump-hashes.2C_ipmi-user-brute_etc .
>
> _______________________________________________
> Sent through the dev mailing list
> http://nmap.org/mailman/listinfo/dev
> Archived at http://seclists.org/nmap-dev/
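To show how points 4, 6, 7 and 8 above fit together, here is an added example (not Claudiu's scripts and not Nmap's own code) that parses the Authentication Type Support byte of an IPMI Get Channel Authentication Capabilities response into an NSE output table. It assumes the NSE libraries as they were in 2014 (bin, bit, stdnse with stdnse.output_table), and the bit layout comes from the IPMI v2.0 specification rather than from this thread.

```lua
local bin    = require "bin"
local bit    = require "bit"
local stdnse = require "stdnse"
local string = require "string"
local table  = require "table"

-- Metatable so normal output still prints "password, md5, md2" while the
-- XML output keeps one <elem> per authentication type (point 8 above).
local commasep = {
  __tostring = function (t) return table.concat(t, ", ") end,
}

-- Masks of the Authentication Type Support byte of the Get Channel
-- Authentication Capabilities response (IPMI v2.0 spec, section 22.13).
-- Assumed from the spec; this thread does not state the layout.
local AUTH_TYPES = {
  { 0x10, "password" }, { 0x04, "md5" }, { 0x02, "md2" },
  { 0x20, "oem" }, { 0x01, "none" },
}
local IPMI20_FLAG = 0x80  -- bit 7: IPMI v2.0+ extended capabilities

-- Parse response data (completion code, channel, auth-type byte, ...)
-- into an NSE output table.
local function parse_auth_caps(data)
  -- bin.unpack returns the next position first, then the values;
  -- position 3 (1-based) skips the completion code and channel number.
  local _, value = bin.unpack("C", data, 3)
  local out = stdnse.output_table()
  -- Test the flag directly against its mask instead of shifting first.
  out["IPMI-2.0-Capable"] = bit.band(value, IPMI20_FLAG) ~= 0
  local auth = setmetatable({}, commasep)
  for _, t in ipairs(AUTH_TYPES) do
    if bit.band(value, t[1]) ~= 0 then auth[#auth + 1] = t[2] end
  end
  out["UserAuth"] = auth
  -- stdnse.debug prefixes the script name automatically.
  stdnse.debug(1, "auth-type byte 0x%02x -> %s", value, tostring(auth))
  return out
end

-- Constructed sample reply: completion 0x00, channel 0x01, auth types 0x96
-- (IPMI 2.0 flag + password + md5 + md2), then filler bytes; built with
-- bin.pack's hex format instead of string.char concatenation.
local sample = bin.pack("H", "000196040000000000")
local result = parse_auth_caps(sample)
-- tostring(result.UserAuth) gives "password, md5, md2" in normal output,
-- and the XML output formatter emits three separate <elem> entries.
```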