Peek at new nmap-nse scripts

Well. I'll give you a peek at my new scripts for nmap. This scripts aren't public yet, I hope this post will give mi motivation to finish them.

This time we're going to focus on traceroute. New traceroute function in nmap looks like this:

# ./nmap -n -sS -p80 scanme.insecure.org --traceroute

TRACEROUTE (using port 80/tcp)
HOP RTT    ADDRESS
1   0.33   (censor)
2   7.93   (censor)
3   ...
4   7.84   212.76.35.50
5   23.85  212.76.35.58
6   4.90   212.76.35.177
7   5.06   217.6.51.49
8   209.72 62.154.5.9
9   191.55 64.125.12.169
10  196.77 64.125.26.26
11  198.69 64.125.28.142
12  200.40 208.185.168.173
13  200.15 205.217.153.62

My first script gives similar results. It works almost like standard traceroute, but instead of sending Syn packets with small ttl, it injects packets to established connection. The idea is stolen from Lcamtuf's 0trace tool.

# ./nmap -n -sS -p80 --script=0trace.nse scanme.insecure.org -P0
Interesting ports on 205.217.153.62:
PORT   STATE SERVICE
80/tcp open  http
|_ 0trace: 
(censor) 
(censor)
? 
212.76.35.50 
212.76.35.58 
212.76.35.177
217.6.51.49 
62.154.5.9 
64.125.12.169 
64.125.26.26 
64.125.28.142 
208.185.168.173 
205.217.153.62

Next script is quite different. It sends Syn packet with Record Route ip option (see ping -R). Note that this time ip addresses are different than in previous scans. That's because routers have several ip addresses and Record Route records ip from outgoing interface (I think). The disadvantage of this method is that it's possible to record only nine hops.

# ./nmap -n -sS -p80 --script=recordroute.nse scanme.insecure.org -P0
Interesting ports on 205.217.153.62:
PORT   STATE SERVICE
80/tcp open  http
|_ record route:
(censor)
(censor)
212.76.35.49
212.76.35.57
212.76.35.178
217.6.51.42
62.154.5.254
64.125.12.170
209.249.254.29