Network Block Device Info Script #609

Closed
wants to merge 21 commits into
base: master
from

mogigoma commented Dec 11, 2016

Knocking out one from the Script Ideas article on the wiki: https://secwiki.org/w/Nmap/Script_Ideas#nbd-info.

The server software isn't all that stable, but I've got a decently reliable test server at nmap.kolybabi.com that you're welcome to test against.

% NMAPDIR=. ./nmap -p 10807,10808,10809 --script nbd-info nmap.kolybabi.com 
PORT      STATE SERVICE REASON
10807/tcp open  unknown syn-ack
| nbd-info: 
|   Protocol: 
|     The server software appears to support fixed newstyle negotiation, but not on this port.
|     Negotiation: oldstyle
|     SSL/TLS Wrapped: false
|   Exported Block Devices: 
|     (default): 
|_      Size: 1048576 bytes
10808/tcp open  unknown syn-ack
| nbd-info: 
|   Protocol: 
|     The server software appears to support fixed newstyle negotiation, but not on this port.
|     Negotiation: oldstyle
|     SSL/TLS Wrapped: false
|   Exported Block Devices: 
|     (default): 
|_      Size: 1048576 bytes
10809/tcp open  nbd     syn-ack
| nbd-info: 
|   Protocol: 
|     Negotiation: fixed newstyle
|     SSL/TLS Wrapped: false
|   Exported Block Devices: 
|     foo: 
|       Size: 1048576 bytes
|       Transmission Flags: 
|         READ_ONLY
|         SEND_FUA
|         SEND_FLUSH
|     bar: 
|       Size: 1048576 bytes
|       Transmission Flags: 
|         ROTATIONAL
|_        READ_ONLY
@dmiller-nmap

Looking good! Thanks for the test server, that is really helpful. Probably you'll want to strip any references to it before publishing, though. Just a few things to fix.

nselib/nbd.lua
self.protocol = {ssl_tls = (proto == "ssl")}
if #rep ~= 8 then
stdnse.debug1("Failed to receive first 64 bits of magic from server: %s", rep)
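
Review bot: In the `#rep ~= 8` check, a read that returns more than 8 bytes is treated as a failure, although TCP gives no guarantee about how the server's greeting is split across reads; compare with `#rep < 8` (or take exactly 8 bytes from a buffer) and keep the remainder for the next field. The debug line also formats the raw server bytes in `rep` with `%s`; passing them through `stdnse.tohex(rep)` keeps unprintable data out of the debug output.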

dmiller-nmap Jan 27, 2017

I get this message a lot for ports 10807 and 10808, and it looks like it's sending more than just the magic first:

NSOCK INFO [0.9450s] nsock_trace_handler_callback(): Callback: READ SUCCESS for EID 42 [138.197.130.253:10807] (24 bytes): NBDMAGIC..B....S........
NSE: TCP 72.14.177.105:49524 < 138.197.130.253:10807 | 00000000: 4e 42 44 4d 41 47 49 43 00 00 42 02 81 86 12 53 NBDMAGIC  B    S
00000010: 00 00 00 00 00 10 00 00

NSE: [nbd-info 138.197.130.253:10807] Failed to receive first 64 bits of magic from server: NBDMAGIC

mogigoma Feb 2, 2017

Your analysis was correct, the issue was getting sent extra data. I instituted a receive buffer in the protocol object to handle varying sizes of initial receives.
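
The receive-buffer approach described in this reply, as an added example that is not the code from this pull request: a plain Lua 5.3 parser for the NBD server greeting that tolerates reads of any size. `Buffer` and `parse_greeting` are hypothetical names; the header layouts follow the NBD protocol, and the first read is the 24-byte capture from the trace above.

```lua
-- Added example (plain Lua 5.3, no Nmap libraries): buffered NBD greeting parser.
local NBD_MAGIC      = "NBDMAGIC"
local OLDSTYLE_MAGIC = "\x00\x00\x42\x02\x81\x86\x12\x53"
local NEWSTYLE_MAGIC = "IHAVEOPT"
local OLDSTYLE_LEN   = 8 + 8 + 8 + 4 + 124  -- magics, size, flags, zero pad
local NEWSTYLE_LEN   = 8 + 8 + 2            -- magics, handshake flags

-- Hypothetical receive buffer: reads are appended, parsing consumes from the front.
local Buffer = {}
Buffer.__index = Buffer
function Buffer.new() return setmetatable({data = ""}, Buffer) end
function Buffer:feed(chunk) self.data = self.data .. chunk end
function Buffer:consume(n) self.data = self.data:sub(n + 1) end

-- Returns a table once a whole greeting is buffered, nil + "incomplete" while
-- more bytes are needed, or nil + an error for data that is not NBD.
local function parse_greeting(buf)
  local d = buf.data
  if #d < 16 then return nil, "incomplete" end
  if d:sub(1, 8) ~= NBD_MAGIC then return nil, "bad magic" end
  local second = d:sub(9, 16)
  if second == OLDSTYLE_MAGIC then
    if #d < OLDSTYLE_LEN then return nil, "incomplete" end
    local size, flags = string.unpack(">I8 I4", d, 17)
    buf:consume(OLDSTYLE_LEN)
    return {negotiation = "oldstyle", size = size, flags = flags}
  elseif second == NEWSTYLE_MAGIC then
    if #d < NEWSTYLE_LEN then return nil, "incomplete" end
    local hflags = string.unpack(">I2", d, 17)
    buf:consume(NEWSTYLE_LEN)
    local fixed = (hflags & 1) ~= 0  -- bit 0 of the handshake flags: fixed newstyle
    return {negotiation = fixed and "fixed newstyle" or "newstyle",
            handshake_flags = hflags}
  end
  return nil, "unknown negotiation magic"
end

-- The 24-byte first read from the trace above, then the rest of the oldstyle
-- header (constructed: zero flags plus the 124-byte zero pad).
local buf = Buffer.new()
buf:feed(NBD_MAGIC .. OLDSTYLE_MAGIC .. "\x00\x00\x00\x00\x00\x10\x00\x00")
print(parse_greeting(buf))            -- first call: header not complete yet
buf:feed(string.rep("\0", 4 + 124))
local g = assert(parse_greeting(buf)) -- second call: whole header buffered
print(g.negotiation, g.size, #buf.data)
```

Because the parser only consumes bytes once a whole header is buffered, it gives the same result whether the server's greeting arrives in one read or many.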

nselib/nbd.lua
if not status then
stdnse.debug1("Failed to receive zero pad from server while attaching to export: %s", err)
self:close()
return false

dmiller-nmap Jan 27, 2017

Super-minor nitpick, but these 3 lines are tabs instead of spaces for indentation. A couple other places have this, too.

mogigoma Feb 2, 2017

Sorry about that, it's what I get for using a default config and 'smart' indentation. Fixed all tabs in new files.

scripts/nbd-info.nse
categories = {"discovery", "intrusive"}
-- XXX-MAK: The expanded port range is for testing against nmap.kolybabi.com.
portrule = shortport.version_port_or_service({10807, 10808, 10809}, "nbd", "tcp")

dmiller-nmap Jan 27, 2017

What should the port numbers be for this? Do we have good service probe matches that can identify NBD?

mogigoma Feb 2, 2017

There is an existing, working service probe. I have reverted the portrule to its non-debug form.

scripts/nbd-info.nse
table.insert(tbl, "The server software appears to support fixed newstyle negotiation, but not on this port.")
end
end
table.insert(tbl, ("Negotiation: %s"):format(comm.protocol.negotiation))

dmiller-nmap Jan 27, 2017

Instead of inserting strings containing "key: value", make tbl a stdnse.output_table and set tbl[key] = value. I know it doesn't work with the "not on this port" thing, but maybe if you had a key like "newstyle negotiation supported:" and the value is "other port"? The other thing to try would be to use both integer (with table.insert) and string keys. I know NSE can handle that, but I don't know if it works via output_table.

mogigoma Feb 2, 2017

Changed reporting method to attempt to address this. Properly, I hope.

scripts/nbd-info.nse
for name, info in pairs(comm.exports) do
local exp = {}
if type(info.size) == "number" then
table.insert(exp, ("Size: %d bytes"):format(info.size))

dmiller-nmap Jan 27, 2017

Here again, if exp is an output_table, then you can insert keys and values instead of just strings.

mogigoma Feb 2, 2017

Changed reporting method to attempt to address this. Properly, I hope.

scripts/nbd-info.nse
output["Exported Block Devices"] = tbl
end
return output, stdnse.format_output(true, output)

dmiller-nmap Jan 27, 2017

stdnse.output_table should not be filtered through stdnse.format_output. Just return it directly.

mogigoma Feb 2, 2017

All issues addressed. Please let me know if there is anything else I should do.

qiankehan Mar 7, 2018

@dmiller-nmap Any more reviews on this patch?

@nmap-bot nmap-bot closed this in 262d425 Mar 9, 2018
