David Fifield | 1 Feb 01:40

Re: new dependency in 5.61TEST4

On Tue, Jan 31, 2012 at 01:28:38PM -0800, David Fifield wrote:
> On Tue, Jan 03, 2012 at 10:02:27PM +0100, olli hauer wrote:
> > On 2012-01-03 16:39, DePriest, Jason R. wrote:
> > > Installing the new test release on
> > > Linux version 2.6.18-274.3.1.el5 (mockbuild@builder10.centos.org) (gcc
> > > version 4.1.2 20080704 (Red Hat 4.1.2-51)) #1 SMP Tue Sep 6 20:13:52
> > > EDT 2011
> > > 
> > > sudo rpm -vHU http://nmap.org/dist/nmap-5.61TEST4-1.x86_64.rpm
> > > Retrieving http://nmap.org/dist/nmap-5.61TEST4-1.x86_64.rpm
> > > error: Failed dependencies:
> > >         subversion-devel is needed by nmap-5.61TEST4-1.x86_64
> > > 
> > > I haven't needed subversion-devel for any other versions.
> > > 
> > > Is this a real needed dependency or just an oops?
> > > 
> > > Thanks,
> > > 
> > > Jason
> > 
> > 
> > $> configure --without-nmap-update ....
> > 
> > I run into the same issue...
> > That's at the moment the only solution for me, since nmap-update
> > has no additional configure parameters (like lua), so it does not
> > detect the right paths where my libs and include files are stored.
> 
> Can you show me what your build output looks like when you don't use
(Continue reading)

olli hauer | 1 Feb 07:36

Re: new dependency in 5.61TEST4

On 2012-02-01 01:40, David Fifield wrote:
> On Tue, Jan 31, 2012 at 01:28:38PM -0800, David Fifield wrote:
>> On Tue, Jan 03, 2012 at 10:02:27PM +0100, olli hauer wrote:
>>> On 2012-01-03 16:39, DePriest, Jason R. wrote:
>>>> Installing the new test release on
>>>> Linux version 2.6.18-274.3.1.el5 (mockbuild@builder10.centos.org) (gcc
>>>> version 4.1.2 20080704 (Red Hat 4.1.2-51)) #1 SMP Tue Sep 6 20:13:52
>>>> EDT 2011
>>>>
>>>> sudo rpm -vHU http://nmap.org/dist/nmap-5.61TEST4-1.x86_64.rpm
>>>> Retrieving http://nmap.org/dist/nmap-5.61TEST4-1.x86_64.rpm
>>>> error: Failed dependencies:
>>>>         subversion-devel is needed by nmap-5.61TEST4-1.x86_64
>>>>
>>>> I haven't needed subversion-devel for any other versions.
>>>>
>>>> Is this a real needed dependency or just an oops?
>>>>
>>>> Thanks,
>>>>
>>>> Jason
>>>
>>>
>>> $> configure --without-nmap-update ....
>>>
>>> I run into the same issue...
>>> That's at the moment the only solution for me, since nmap-update
>>> has no additional configure parameters (like lua), so it does not
>>> detect the right paths where my libs and include files are stored.
>>
(Continue reading)

New VA Modules: NSE: 2, OpenVAS: 20, MSF: 5, Nessus: 23

This report describes any new scripts/modules/exploits added to Nmap,
OpenVAS, Metasploit, and Nessus since yesterday.

== Nmap Scripting Engine scripts (2) ==

r27984 http-qnap-nas-info http://nmap.org/nsedoc/scripts/http-qnap-nas-info.html
Attempts to retrieve the model, firmware version, and enabled services
from a QNAP Network Attached Storage (NAS) device.

r27985 voldemort-info http://nmap.org/nsedoc/scripts/voldemort-info.html
Retrieves cluster and store information from the Voldemort distributed
key-value store using the Voldemort Native Protocol.

== OpenVAS plugins (20) ==

r12558 103405 gb_vbseo_51647.nasl
http://wald.intevation.org/plugins/scmsvn/viewcvs.php/trunk/openvas-plugins/scripts/gb_vbseo_51647.nasl?root=openvas&view=markup
vBSEO 'proc_deutf()' Remote Code Execution Vulnerability

r12562 863707 gb_fedora_2011_16284_krb5_fc15.nasl
http://wald.intevation.org/plugins/scmsvn/viewcvs.php/trunk/openvas-plugins/scripts/gb_fedora_2011_16284_krb5_fc15.nasl?root=openvas&view=markup
Fedora Update for krb5 FEDORA-2011-16284

r12562 863705 gb_fedora_2012_0813_smokeping_fc15.nasl
http://wald.intevation.org/plugins/scmsvn/viewcvs.php/trunk/openvas-plugins/scripts/gb_fedora_2012_0813_smokeping_fc15.nasl?root=openvas&view=markup
Fedora Update for smokeping FEDORA-2012-0813

r12562 870533 gb_RHSA-2012_0071-01_php.nasl
http://wald.intevation.org/plugins/scmsvn/viewcvs.php/trunk/openvas-plugins/scripts/gb_RHSA-2012_0071-01_php.nasl?root=openvas&view=markup
RedHat Update for php RHSA-2012:0071-01
(Continue reading)

Fotis Hantzis | 1 Feb 19:07

Re: ncrack RDP module and login dialogs/banners

On Mon, Jan 30, 2012 at 4:50 PM, Dewhirst, Rob <robdewhirst@gmail.com> wrote:
> Occasionally I would run into a host that would display this sort of
> progress trying to connect to a RDP server:
>
> rdp://10.10.10.10:3389 (EID 1) Attempts: total 0 completed 0 supported
> 0 --- rate 0.00
> rdp://10.10.10.10:3389 (EID 2) Attempts: total 0 completed 0 supported
> 0 --- rate 0.00
> rdp://10.10.10.10:3389 (EID 3) Attempts: total 0 completed 0 supported
> 0 --- rate 0.00
> rdp://10.10.10.10:3389 (EID 4) Attempts: total 0 completed 0 supported
> 0 --- rate 0.00
> rdp://10.10.10.10:3389 (EID 5) Attempts: total 0 completed 0 supported
> 0 --- rate 0.00
> rdp://10.10.10.10:3389 (EID 6) Attempts: total 0 completed 0 supported
> 0 --- rate 0.00
> rdp://10.10.10.10:3389 (EID 7) Attempts: total 0 completed 0 supported
> 0 --- rate 0.00
>
> It looks like this is what happens when the RDP server displays a
> welcome message/banner dialog box prior to a login dialog. Tsgrinder
> seems to be aware of the issue and says it is not affected.
>
> Any workaround for this that I missed?

Hello, this is indeed due to the RDP module's lack of capacity to
understand that there is a login banner.
As of now there is no known workaround, until it gets fixed.
Regards,
ithilgore
(Continue reading)

David Fifield | 2 Feb 00:28

Re: [NSE] Sketch for XML/HTML parsing API

On Thu, Jan 19, 2012 at 12:08:53PM +0200, Lauri Kokkonen wrote:
> Hi,
> 
> First off, I am a student inspired by the possible GSOC money opportunity :P
> 
> I have come up with a sketch for XML/HTML parsing API. The idea is to have a
> method next() that returns the next bit of XML (start tag, attribute name,
> etc) from the input string. Along with next() there is state information for
> keeping track whether we are inside a tag or between tags (basically).
> 
> Then we could build a set of useful methods around the core. For example,
> find_start_tag() could find the next occurrence of the given start tag and
> parse_attributes() could return a set of attributes given that we are
> currently inside a tag. If needed it should be possible to extend the
> interface with a SAX-style facility or even add DOM-like features such as
> parsing a subtree into a data structure (like it was sketched in another
> related thread on this list [1]).

I think you're right that the XML parser should exist in at least two
layers. A low layer like you have described, which ideally uses a
constant amount of memory (or perhaps linear in nesting depth). And then
a higher layer (or two) that allows things like finding elements with a
given name and building tables of element attributes.

Where does the XML parser draw its input from? It would not be okay, for
example, to require loading the whole document into memory before
parsing. We are typically reading data in chunks from a socket, so it
would be really nice if it were possible to feed variable-sized chunks
of data into the XML parser, and have it report some error code when it
doesn't have enough data to continue. For example,
(Continue reading)
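As an added illustration of the low layer sketched in this exchange (example code, not from the original post and not Nmap's NSE API; written in Python rather than NSE Lua so the design can be run as is), the tokenizer below keeps only the unconsumed tail of the input plus a stack of open element names (memory linear in nesting depth) and returns a NEED_MORE sentinel instead of a token whenever the buffered data ends in the middle of a tag, comment or text run, which is exactly the "not enough data" error code asked for above. The sample document and the places where it is split into chunks are constructed; attrs_of is a small second layer of the kind David describes. Entities, CDATA sections and DOCTYPE internal subsets are deliberately not handled.

```python
import re

NEED_MORE = object()   # sentinel: feed() more data before calling next() again

_NAME = r'[A-Za-z_:][\w:.\-]*'
_ATTR_NC = r'\s+' + _NAME + r'\s*=\s*(?:"[^"]*"|\'[^\']*\')'
_ATTR_RE = re.compile(r'\s+(' + _NAME + r')\s*=\s*(?:"([^"]*)"|\'([^\']*)\')')
_START_RE = re.compile(r'<(' + _NAME + r')((?:' + _ATTR_NC + r')*)\s*(/?)>\Z')
_END_RE = re.compile(r'</(' + _NAME + r')\s*>\Z')


def _tag_end(s):
    """Index of the '>' closing the tag that starts at s[0], skipping any '>'
    inside a quoted attribute value; -1 when it has not been buffered yet."""
    quote = None
    for i, c in enumerate(s):
        if quote:
            if c == quote:
                quote = None
        elif c in '"\'':
            quote = c
        elif c == '>':
            return i
    return -1


class XMLTokenizer:
    """Pull tokenizer fed in arbitrary chunks (hypothetical, not NSE code)."""

    def __init__(self):
        self.buf = ''        # unconsumed tail of the input, never the whole document
        self.stack = []      # names of open elements: memory linear in nesting depth
        self.pending = []    # synthetic 'end' token queued for <empty/> elements

    def feed(self, chunk):
        self.buf += chunk

    def next(self):
        """Return the next token, or NEED_MORE if the buffer ends mid-token."""
        if self.pending:
            return self.pending.pop(0)
        buf = self.buf
        if not buf:
            return NEED_MORE
        if buf[0] != '<':
            # Character data is only complete once the next '<' is visible,
            # because a later chunk could still extend it.
            i = buf.find('<')
            if i < 0:
                return NEED_MORE
            self.buf = buf[i:]
            return ('text', buf[:i])
        if buf.startswith('<!--'):
            i = buf.find('-->')
            if i < 0:
                return NEED_MORE
            self.buf = buf[i + 3:]
            return ('comment', buf[4:i])
        i = _tag_end(buf)
        if i < 0:
            return NEED_MORE
        tag, self.buf = buf[:i + 1], buf[i + 1:]
        if tag.startswith('<?') or tag.startswith('<!'):
            return ('decl', tag)
        m = _END_RE.match(tag)
        if m:
            name = m.group(1)
            if not self.stack or self.stack[-1] != name:
                raise ValueError('unexpected end tag </%s>' % name)
            self.stack.pop()
            return ('end', name)
        m = _START_RE.match(tag)
        if m is None:
            raise ValueError('malformed tag %r' % tag)
        name, attr_src, empty = m.groups()
        attrs = {a.group(1): a.group(2) if a.group(2) is not None else a.group(3)
                 for a in _ATTR_RE.finditer(attr_src)}
        if empty:
            self.pending.append(('end', name))
        else:
            self.stack.append(name)
        return ('start', name, attrs)

    def finish(self):
        """At end of input only whitespace may remain and every element must be closed."""
        if self.buf.strip() or self.stack:
            raise ValueError('truncated document')


def tokenize_chunks(chunks):
    """Feed chunks the way a socket read loop would; return the token stream
    and how many times the tokenizer had to wait for more data."""
    tok = XMLTokenizer()
    tokens, waits = [], 0
    for chunk in chunks:
        tok.feed(chunk)
        while True:
            t = tok.next()
            if t is NEED_MORE:
                waits += 1
                break
            tokens.append(t)
    tok.finish()
    return tokens, waits


def attrs_of(chunks, element):
    """Higher layer on top of the tokenizer: attribute tables of every <element>."""
    tokens, _ = tokenize_chunks(chunks)
    return [t[2] for t in tokens if t[0] == 'start' and t[1] == element]


# Constructed sample, split so that a start tag, a quoted attribute value and
# a text run each straddle a chunk boundary.
SAMPLE_CHUNKS = [
    '<?xml version="1.0"?><scan><host addr="10.0.0',
    '.1"><port num="80" proto="tcp"/><name>ssh',
    '</name></host><!-- x > y --></scan>\n',
]

if __name__ == '__main__':
    for token in tokenize_chunks(SAMPLE_CHUNKS)[0]:
        print(token)
```

Because next() only ever hands back a complete token, a caller driving it from a socket can simply feed whatever arrived and loop until NEED_MORE, with no need to know where the tag boundaries fall.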

New VA Modules: OpenVAS: 3, MSF: 3, Nessus: 24

This report describes any new scripts/modules/exploits added to Nmap,
OpenVAS, Metasploit, and Nessus since yesterday.

== OpenVAS plugins (3) ==

r12582 103409 gb_phpldapadmin_51793.nasl
http://wald.intevation.org/plugins/scmsvn/viewcvs.php/trunk/openvas-plugins/scripts/gb_phpldapadmin_51793.nasl?root=openvas&view=markup
phpLDAPadmin 'base' Parameter Cross Site Scripting Vulnerability

r12582 103406 gb_phpldapadmin_51794.nasl
http://wald.intevation.org/plugins/scmsvn/viewcvs.php/trunk/openvas-plugins/scripts/gb_phpldapadmin_51794.nasl?root=openvas&view=markup
phpLDAPadmin 'server_id' Parameter Cross Site Scripting Vulnerabilities

r12582 103410 gb_openemr_51788.nasl
http://wald.intevation.org/plugins/scmsvn/viewcvs.php/trunk/openvas-plugins/scripts/gb_openemr_51788.nasl?root=openvas&view=markup
OpenEMR Local File Include and Command Injection Vulnerabilities

== Metasploit modules (3) ==

r14676 http://metasploit.com/redmine/projects/framework/repository/entry/modules/exploits/windows/scada/sunway_force_control_netdbsrv.rb
Sunway Forcecontrol SNMP NetDBServer.exe Opcode 0x57

r14678 http://metasploit.com/redmine/projects/framework/repository/entry/modules/exploits/windows/browser/c6_messenger_downloaderactivex.rb
Icona SpA C6 Messenger DownloaderActiveX Control Arbitrary File Download
and Execute

r14679 http://metasploit.com/redmine/projects/framework/repository/entry/modules/post/linux/gather/mount_cifs_creds.rb
Linux Gather credentials saved for mount.cifs/mount.smbfs

== Nessus plugins (24) ==
(Continue reading)


Re: Nmap 5.61TEST4 on Android


Works marvelously, thank you.

I've had a lot of people complain our binaries wouldn't work on their
Atrix devices.  I upgraded to a Photon (which I believe has similar
hardware) and your binaries work perfectly.

  William John Holden
  +1 (808) 861-5824

On 01/11/12 22:20, Vlatko Kosturjak wrote:
> Hello!
> 
> Just short note that I've managed to build nmap-5.61TEST4 on
> Android and document the process at the wiki:
> 
> https://secwiki.org/w/Nmap/Android
> 
> For those who are impatient, link to arm binary is here: 
> http://ftp.linux.hr/android/nmap/nmap-5.61TEST4-android-arm-bin.tar.bz2
>
>  To have better Android phones coverage, I decided to build it
> completely static by default. That decision managed to dig out more
> problems, but all patches and Makefiles needed are here:
> 
> http://ftp.linux.hr/android/nmap/nmap-5.61TEST4-android-src.tar.bz2
>
>  New problem which is not documented yet is CFLAGS for LUA (check
> the patch!), where it is stated by default(better to say:
> hardcoded) for liblua to use DLOPEN even if I'm passing
(Continue reading)

David Fifield | 3 Feb 06:33

Automatic sorting of nmap-service-probes

This is a description of a project, the work to achieve which exceeds
its benefits, but which could be fun for a hacker with some CS chops.
The main idea is to identify when two different regular expressions can
be matched by the same string, and use this to sort nmap-service-probes
in a way that preserves the semantics of its ordering.

I often want nmap-service-probes to be sorted broadly by server. For
example, under the GetRequest probe, there is a big block of Apache
patterns, a block of Xerox printer patterns, and so on. But many similar
patterns are spread out in the file, because they just get added in the
order they are submitted. Sometimes when I'm doing submissions I'll
separate out a block once it's big enough, but I would really like that
to happen mostly automatically (just by sorting on the p// field, for
example).

What prevents this from being easy is things like this:

# Needs to go before the Apache match lines -Doug
match http-proxy m|^HTTP/1\.[01] \d\d\d .*\r\nServer: Apache\r\n.*X-orenosp-filt:|s p/Orenosp reverse http proxy/
...
match http m|^HTTP/1\.[01] \d\d\d.*\r\nDate: .*\r\nServer: Apache\r\n| p/Apache httpd/ cpe:/a:apache:http_server/

When the same string can match two different patterns, the order
matters. (Nmap takes the first match.) Here, this HTTP proxy claims to
be Apache, but has a distinctive header field. If the order were
reversed, the later, very generic Apache match would prevent the HTTP
proxy from ever matching.

When there is no string that can match two different patterns, they can
(Continue reading)
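As an added example (not part of the original post and not Nmap code), the Python below shows the first-match semantics on the two lines quoted above and the empirical half of the sorting idea: it parses match lines, reports pairs of lines that some observed banner matches at the same time (a witness that their relative order matters), and then sorts by the p// field while keeping every witnessed pair in file order. The nginx match line, its product name and the three banners are constructed. Deciding overlap for two arbitrary regular expressions without a witness banner needs an automata intersection and is not attempted here.

```python
import heapq
import re
from collections import namedtuple
from itertools import combinations

# Constructed excerpt in nmap-service-probes syntax. The first two match
# lines are the ones quoted in the post; the nginx line is made up.
SAMPLE_PROBE_LINES = r"""# Needs to go before the Apache match lines -Doug
match http-proxy m|^HTTP/1\.[01] \d\d\d .*\r\nServer: Apache\r\n.*X-orenosp-filt:|s p/Orenosp reverse http proxy/
match http m|^HTTP/1\.[01] \d\d\d.*\r\nDate: .*\r\nServer: Apache\r\n| p/Apache httpd/ cpe:/a:apache:http_server/
match http m|^HTTP/1\.[01] \d\d\d .*\r\nServer: nginx/([\d.]+)\r\n|s p/nginx/ v/$1/
"""

# Constructed banners; the first one satisfies both Apache-related lines.
SAMPLE_BANNERS = [
    "HTTP/1.1 200 OK\r\nDate: Fri, 03 Feb 2012 06:33:00 GMT\r\nServer: Apache\r\nX-orenosp-filt: 1\r\n\r\n",
    "HTTP/1.1 200 OK\r\nDate: Fri, 03 Feb 2012 06:33:00 GMT\r\nServer: Apache\r\n\r\n",
    "HTTP/1.1 301 Moved Permanently\r\nServer: nginx/1.0.11\r\n\r\n",
]

Match = namedtuple('Match', 'service regex product line')

# match <service> m<delim>regex<delim>[flags] <fields>; only the i and s flags are handled
_MATCH_LINE = re.compile(r'^match\s+(\S+)\s+m(.)(.*?)\2([is]*)\s*(.*)$')


def parse_match_lines(text):
    """Parse match lines; probe, softmatch and comment lines are skipped."""
    matches = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = _MATCH_LINE.match(line)
        if m is None:
            continue
        service, _, pattern, flagstr, fields = m.groups()
        flags = (re.I if 'i' in flagstr else 0) | (re.S if 's' in flagstr else 0)
        pm = re.search(r'(?:^|\s)p(.)(.*?)\1', fields)        # the p/product/ field
        matches.append(Match(service, re.compile(pattern, flags),
                             pm.group(2) if pm else '', lineno))
    return matches


def classify(banner, matches):
    """Nmap semantics: the first match line whose regex matches wins."""
    for m in matches:
        if m.regex.search(banner):
            return m.service, m.product
    return None


def overlap_witnesses(banners, matches):
    """Pairs of match lines that some observed banner matches simultaneously,
    keyed (earlier line, later line). Their relative order matters."""
    witnesses = {}
    for banner in banners:
        hits = [m for m in matches if m.regex.search(banner)]
        for a, b in combinations(hits, 2):
            witnesses.setdefault((a.line, b.line), []).append(banner)
    return witnesses


def sort_by_product(matches, banners):
    """Order match lines by product name (case-insensitive) while keeping each
    witnessed overlapping pair in file order: Kahn's algorithm, always taking
    the smallest product among the lines whose predecessors are emitted."""
    by_line = {m.line: m for m in matches}
    successors = {m.line: set() for m in matches}
    indegree = {m.line: 0 for m in matches}
    for earlier, later in overlap_witnesses(banners, matches):
        if later not in successors[earlier]:
            successors[earlier].add(later)
            indegree[later] += 1
    key = lambda line: (by_line[line].product.lower(), line)
    ready = [key(line) for line in indegree if indegree[line] == 0]
    heapq.heapify(ready)
    ordered = []
    while ready:
        _, line = heapq.heappop(ready)
        ordered.append(by_line[line])
        for nxt in successors[line]:
            indegree[nxt] -= 1
            if indegree[nxt] == 0:
                heapq.heappush(ready, key(nxt))
    return ordered


if __name__ == '__main__':
    ms = parse_match_lines(SAMPLE_PROBE_LINES)
    print(classify(SAMPLE_BANNERS[0], ms), 'vs reversed:', classify(SAMPLE_BANNERS[0], ms[::-1]))
    print('order-sensitive pairs:', sorted(overlap_witnesses(SAMPLE_BANNERS, ms)))
    print('sorted:', [m.product for m in sort_by_product(ms, SAMPLE_BANNERS)])
```

On the sample, a plain sort by product would put "Apache httpd" ahead of "Orenosp reverse http proxy" and the proxy would never match again; the constrained sort still moves the nginx line to the front but keeps the Orenosp line ahead of the generic Apache one, which is the "preserve the semantics of its ordering" requirement in the post.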

Lauri Kokkonen | 3 Feb 08:19

[patch] Make sql-injection.nse use httpspider

The attached patch (against r28007) gets rid of the HTTP crawling code in
sql-injection.nse and replaces it by using the Crawler interface. Everything
else is kept as it was.

I am using LinkExtractor to extract all links from the page returned by
crawl() so to avoid doing that twice it might be useful to add a method to
Crawler that returns all URLs encountered so far.

Also, while testing the script I found a bug in httpspider: checking that an
URL is within a host or domain should try to match the hostname only at the
beginning of the URL because it might also be embedded in a query.

Lauri
Attachment (sql-injection.nse.diff): text/x-diff, 5541 bytes
Attachment (httpspider.lua.diff): text/x-diff, 1330 bytes
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
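As an added illustration of the httpspider bug described in this message (example code, not Lauri's attached patch and not Nmap's Lua; Python is used so it can be run directly), the following compares the fragile substring test against a check on the parsed hostname. A substring test accepts any URL that merely mentions the target, for instance in a redirect parameter or in userinfo, and would send the crawler off-scope. The URLs are constructed.

```python
from urllib.parse import urlsplit


def substring_in_scope(url, host):
    """The fragile check: passes any URL that merely contains the host name."""
    return host in url


def url_in_scope(url, host, domain=None):
    """Accept only URLs whose parsed hostname is the target host, or lies
    under the target domain when one is given. Port, userinfo, path and
    query are ignored because only the authority decides where a request goes."""
    hostname = urlsplit(url).hostname        # already lower-cased; None for mailto:, javascript: etc.
    if hostname is None:
        return False
    if hostname == host.lower():
        return True
    if domain:
        d = domain.lower().lstrip('.')
        # Require a label boundary so 'nottarget.example' does not match 'target.example'.
        return hostname == d or hostname.endswith('.' + d)
    return False


def in_scope_links(links, host, domain=None):
    """Filter a crawl frontier down to the links that stay within the target."""
    return [u for u in links if url_in_scope(u, host, domain)]


# Constructed links as a crawler might extract them from a page on target.example
SAMPLE_LINKS = [
    'http://target.example/login.php?next=/',
    'http://TARGET.example:8080/admin/',
    'http://evil.example/?redirect=http://target.example/',
    'http://target.example@evil.example/',
    'http://target.example.evil.example/',
    'http://www.target.example/',
    'http://nottarget.example/',
    'mailto:admin@target.example',
]

if __name__ == '__main__':
    for u in SAMPLE_LINKS:
        print(substring_in_scope(u, 'target.example'), url_in_scope(u, 'target.example'), u)
```
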
Fyodor | 3 Feb 10:12

Re: Port Exclusion option?

On Tue, Jan 31, 2012 at 11:51:59AM -0600, Dewhirst, Rob wrote:
> I was waiting for someone else to speak up, but since you asked, yes I
> would really like this.
> 
> For normal scans the built-in default 1000 ports are fine, but in that
> list are a couple of ports that generate erroneous results in our
> environment.  The byproduct is that nmap thinks every IP address has a host
> behind it. (It's our environment, not nmap, causing this issue.)
> 
> I would prefer to just exclude one or two ports from the default
> rather than specify a range around them.

One option is to copy the nmap-services file to ~/.nmap and set the
popularity value to 0 for the ports you don't want scanned by default.
Nmap (on UNIX) will then give the file priority over the system
installed one.  Or you can specify the custom services file (on any
OS) using the --servicedb flag.

Cheers,
Fyodor
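As an added example (not Fyodor's code and not part of Nmap) of the first suggestion, the Python below sets the open-frequency column of nmap-services to 0.000000 for the given ports and writes the result to ~/.nmap/nmap-services; a constructed excerpt and a small ranking helper show how that drops a port out of the top-N default list without having to spell out a port range around it. The source and destination paths, the excerpt and the top_ports helper are assumptions; on any OS the edited file can also be passed with --servicedb, as the message says.

```python
import os
import re
import sys

# Constructed excerpt in nmap-services format: name, port/proto, open-frequency, optional comment.
SAMPLE_SERVICES = """\
# Fields in this file: Service name, portnum/protocol, open-frequency, optional comments
http\t80/tcp\t0.484143\t# World Wide Web HTTP
telnet\t23/tcp\t0.221265
https\t443/tcp\t0.208669\t# secure http (SSL)
http-alt\t8080/tcp\t0.042052\t# HTTP Alternate (see port 80)
domain\t53/udp\t0.213496\t# Domain Name Server
domain\t53/tcp\t0.048463
"""

_LINE = re.compile(r'^(\S+)\t(\d+)/(tcp|udp|sctp)\t(\d+\.\d+)(.*)$')


def zero_frequency(text, excluded):
    """Return the services file with the open-frequency of every port in
    `excluded` (strings like '23/tcp') set to 0.000000, and the number of
    lines changed. Comments and unrelated lines pass through untouched."""
    out, changed = [], 0
    for line in text.splitlines():
        m = _LINE.match(line)
        if m and '%s/%s' % (m.group(2), m.group(3)) in excluded:
            line = '%s\t%s/%s\t0.000000%s' % (m.group(1), m.group(2), m.group(3), m.group(5))
            changed += 1
        out.append(line)
    return '\n'.join(out) + '\n', changed


def top_ports(text, n, proto='tcp'):
    """Assumed model of the default port choice: the n entries for `proto`
    with the highest open-frequency, most popular first."""
    rows = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if m and m.group(3) == proto:
            rows.append((float(m.group(4)), int(m.group(2))))
    rows.sort(reverse=True)
    return [port for _, port in rows[:n]]


if __name__ == '__main__':
    # Usage: python zero_ports.py 23/tcp 8080/tcp   (both paths are assumptions)
    src = '/usr/share/nmap/nmap-services'
    dst = os.path.expanduser('~/.nmap/nmap-services')
    with open(src) as f:
        text, n = zero_frequency(f.read(), set(sys.argv[1:]))
    os.makedirs(os.path.dirname(dst), exist_ok=True)
    with open(dst, 'w') as f:
        f.write(text)
    print('%d entries zeroed in %s' % (n, dst))
```

With a zero frequency the port is still known to nmap by name and can still be requested explicitly with -p; only its rank in the default list changes.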