2007-07-18

Peek at new nmap-nse scripts

Well. I'll give you a peek at my new scripts for nmap. These scripts aren't public yet; I hope this post will give me the motivation to finish them.

This time we're going to focus on traceroute. The new traceroute function in nmap looks like this:

# ./nmap -n -sS -p80 scanme.insecure.org --traceroute

TRACEROUTE (using port 80/tcp)
HOP RTT ADDRESS
1 0.33 (censor)
2 7.93 (censor)
3 ...
4 7.84 212.76.35.50
5 23.85 212.76.35.58
6 4.90 212.76.35.177
7 5.06 217.6.51.49
8 209.72 62.154.5.9
9 191.55 64.125.12.169
10 196.77 64.125.26.26
11 198.69 64.125.28.142
12 200.40 208.185.168.173
13 200.15 205.217.153.62

My first script gives similar results. It works almost like standard traceroute, but instead of sending SYN packets with a small TTL, it injects packets into an established connection. The idea is stolen from Lcamtuf's 0trace tool.

# ./nmap -n -sS -p80 --script=0trace.nse scanme.insecure.org -P0
Interesting ports on 205.217.153.62:
PORT STATE SERVICE
80/tcp open http
|_ 0trace:
(censor)
(censor)
?
212.76.35.50
212.76.35.58
212.76.35.177
217.6.51.49
62.154.5.9
64.125.12.169
64.125.26.26
64.125.28.142
208.185.168.173
205.217.153.62

The next script is quite different. It sends a SYN packet with the Record Route IP option (see ping -R). Note that this time the IP addresses differ from the previous scans. That's because routers have several IP addresses and Record Route records the IP of the outgoing interface (I think). The disadvantage of this method is that it can record only nine hops.

# ./nmap -n -sS -p80 --script=recordroute.nse scanme.insecure.org -P0
Interesting ports on 205.217.153.62:
PORT STATE SERVICE
80/tcp open http
|_ record route:
(censor)
(censor)
212.76.35.49
212.76.35.57
212.76.35.178
217.6.51.42
62.154.5.254
64.125.12.170
209.249.254.29
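To show where the nine-hop limit comes from, here is an added example (my own illustration in Python, not the NSE script above) that parses the Record Route option out of an IPv4 header and builds a constructed sample packet to feed it. The sample addresses and the src/dst are made up; nothing here is taken from a real capture.

```python
import struct
from typing import List

# IPv4 option types (RFC 791)
IPOPT_EOL, IPOPT_NOP, IPOPT_RR = 0, 1, 7
# IHL maxes at 15 words (60 bytes), so options get 40 bytes; Record Route spends
# 3 on its own header (type, length, pointer), leaving 36 bytes = nine 4-byte hops.
MAX_RR_HOPS = (40 - 3) // 4  # == 9

def parse_record_route(ip_packet: bytes) -> List[str]:
    """Return the router addresses recorded in the Record Route option of an IPv4 packet."""
    if len(ip_packet) < 20:
        raise ValueError("truncated IPv4 header")
    ihl = (ip_packet[0] & 0x0F) * 4
    if ihl < 20 or len(ip_packet) < ihl:
        raise ValueError("bad IHL")
    opts, i = ip_packet[20:ihl], 0
    while i < len(opts):
        kind = opts[i]
        if kind == IPOPT_EOL:
            break
        if kind == IPOPT_NOP:          # single-byte padding option
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            raise ValueError("malformed option")  # never trust lengths from the wire
        length = opts[i + 1]
        if kind == IPOPT_RR:
            # pointer (1-based, min 4) marks the next free slot; slots before it hold addresses.
            # pointer > length means every slot was used, i.e. the route was cut at nine hops.
            end = min(opts[i + 2] - 1, length)
            filled = opts[i + 3:i + end]
            return [".".join(map(str, filled[j:j + 4])) for j in range(0, len(filled) // 4 * 4, 4)]
        i += length
    return []

def make_sample_packet(recorded: List[str], slots: int = MAX_RR_HOPS) -> bytes:
    """Constructed sample: IPv4 header with a Record Route option already filled by `recorded`."""
    if not 1 <= slots <= MAX_RR_HOPS or len(recorded) > slots:
        raise ValueError("Record Route holds at most nine addresses")
    opt = bytearray([IPOPT_RR, 3 + 4 * slots, 4 + 4 * len(recorded)]) + b"\x00" * (4 * slots)
    for n, addr in enumerate(recorded):
        opt[3 + 4 * n:7 + 4 * n] = bytes(int(x) for x in addr.split("."))
    opt += b"\x00" * ((-len(opt)) % 4)      # EOL padding to a 32-bit boundary
    ihl = (20 + len(opt)) // 4
    hdr = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, 20 + len(opt), 0, 0, 64, 6, 0,
                      bytes([10, 0, 0, 1]), bytes([205, 217, 153, 62]))  # made-up src/dst, checksum 0
    return hdr + bytes(opt)
```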
