Subject: Re: A formal language for NMAP? - msg#00021
List: security.nmap.devel
Hi Lorenzo,
Nmap has an XML output option ... -oX. Use that with
-v -v -v when you do your scan and you will see all
of the output of the various probes etc very nicely in
XML.
Or are you asking about having nmap actually just write out
what it would do were you to actually run it in XML but not
actually perform the scan .. is that the scripting language
you are talking about? If so, what would the advantage of
doing that be over just storing sets of nmap options for
use later? e.g. in perl, you could do something like:
my %OPTIONS = qw(
    verbose   -v
    syn_scan  -sS
    fin_scan  -sF
    fast_scan -F
);
# (FIN scan is -sF; -sT is the TCP connect() scan)

my $cmd = make_cmd(qw(verbose verbose verbose fast_scan syn_scan));

sub make_cmd {
    my @options = @_;
    my $cmd = "nmap ";
    # append (.=) rather than assign (=), or the "nmap " prefix is lost
    $cmd .= join(' ', map { $OPTIONS{$_} } @options);
    return $cmd;
}
What would the advantage be of having nmap produce this?
I could see a use for nmap taking in XML-formatted options ..
<nmap-options>
    <verbose/>
    <verbose/>
    <verbose/>
    <ports>
        <port range="true">1-53</port>
        <port>80</port>
    </ports>
</nmap-options>
As that would make building tools that build up nmap command
lines easier to write and maintain .. is that more what you
are referring to? Then again, the above XML creation could
be implemented by a high-level tool and then filtered to
produce real nmap options without too much difficulty.
Regards,
Max
---------------------------------------------------------------------
For help using this (nmap-dev) mailing list, send a blank email to
nmap-dev-help@xxxxxxxxxxxx . List archive: http://seclists.org
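One way to do the "filter the XML into real nmap options" step Max sketches, as an added example in Python that is not code from this thread or from the Nmap project. It assumes a hypothetical element-to-flag table (FLAG_FOR_ELEMENT) and a constructed <nmap-options> document in the shape Max drew; the nmap flags themselves (-v, -sS, -sF, -F, -p) are real. The point for anyone writing such a front end is to produce an argv list with validated port specs and to reject elements it does not recognise, instead of interpolating text from the XML into a shell string.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape Max sketched; not from the original message.
SAMPLE_OPTIONS_XML = """<nmap-options>
  <verbose/>
  <verbose/>
  <verbose/>
  <syn_scan/>
  <ports>
    <port range="true">1-53</port>
    <port>80</port>
  </ports>
</nmap-options>
"""

# Hypothetical element-to-flag table (an assumption, not an nmap-defined schema).
FLAG_FOR_ELEMENT = {
    "verbose": "-v",
    "syn_scan": "-sS",
    "fin_scan": "-sF",
    "fast_scan": "-F",
}


def _port_spec(port_el):
    """Validate one <port> element and return it as an nmap port spec string."""
    text = (port_el.text or "").strip()
    if port_el.get("range") == "true":
        lo, sep, hi = text.partition("-")
        if not sep or not (lo.isdigit() and hi.isdigit()):
            raise ValueError(f"bad port range: {text!r}")
        lo_i, hi_i = int(lo), int(hi)
        if not 0 <= lo_i <= hi_i <= 65535:
            raise ValueError(f"port range out of order or out of bounds: {text!r}")
        return f"{lo_i}-{hi_i}"
    if not text.isdigit() or not 0 <= int(text) <= 65535:
        raise ValueError(f"bad port number: {text!r}")
    return str(int(text))


def options_to_argv(xml_text, target):
    """Translate an <nmap-options> document into an argv list for nmap.

    Returns a list rather than a shell string, so no text taken from the XML
    is ever interpreted by a shell; unknown elements raise instead of being
    passed through, and the target may not look like a flag.
    """
    root = ET.fromstring(xml_text)
    if root.tag != "nmap-options":
        raise ValueError(f"unexpected root element: <{root.tag}>")
    if target.startswith("-"):
        raise ValueError(f"target must not start with '-': {target!r}")
    argv = ["nmap"]
    for child in root:                      # document order is preserved
        if child.tag == "ports":
            specs = [_port_spec(p) for p in child.findall("port")]
            if specs:
                argv += ["-p", ",".join(specs)]
        elif child.tag in FLAG_FOR_ELEMENT:
            argv.append(FLAG_FOR_ELEMENT[child.tag])
        else:
            raise ValueError(f"unknown option element: <{child.tag}>")
    argv.append(target)
    return argv


if __name__ == "__main__":
    # 192.0.2.10 is a documentation address (TEST-NET-1), used here as a placeholder.
    print(" ".join(options_to_argv(SAMPLE_OPTIONS_XML, "192.0.2.10")))
```

The resulting list is what you would hand to subprocess.run (or execvp) directly; the three <verbose/> elements become three separate -v arguments, matching the -v -v -v usage Max describes.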
A formal language for NMAP?
Hi,
I'm new to nmap. I tested it and I did not find one useful option...
but before saying stupid things, I would like to show you my simple
considerations.
..sorry for the language...
Looking at nmap, xprobe2 and hping2, they are powerful tools, and each
of them gives its best on a particular network topology and against a
particular organization's security policy.
None of them has the ability to save the result of the performed probes
in a formal language.
If I'm wrong, please do not care about the lines below.
Now you are thinking I'm crazy...:)
Let me explain..
Suppose for a while you have to do a pen-test and you would like to use
some characteristics of each tool at a particular step of the penetration
activity, and store the result of the step to be manually or
automatically analyzed for considerations on how to proceed to the next
step.
Each of the tools mentioned above gives you the result in its own syntax,
and they process the results.
I think it could be useful to have the collected data stored in a formal
language and without any processing applied to it.
Doing so, it will be possible to create external programs, like pen-test
frameworks, with some decisional capability that you build your own, that
take the input from a program like nmap and proceed to the next step of
the pen-test activity, with decisions based on the information it has
from the step before.
For example:
You set the constraints of the framework:
- If you would like to minimize the traffic, or if you would like precise
information.
- If you would like to use a particular protocol, or you would like to
use first ICMP then TCP, and the order of the various types of
messages sent.
...etc., etc.
The core of the framework, a sort of decision module, starts a program
performing a traceroute; it stores the IPs and the order of the hops to
the target.
Then it uses xprobe2 to test what type of ICMP messages are filtered by
the routers along the path.
Then, based on the results, it decides whether to continue to use Xprobe2
or shift to using nmap
...etc., etc.
and so on, based on how complex and intelligent the core of the
framework is.
Do you think it could be useful to have an nmap option to write the
results of probes in a formal language without any processing?
Simply use nmap or xprobe2 or other programs to generate packets,
collect the answers and write a snapshot of what has happened in a
formal language.
What do you think?
If I have said stupid things, please do not kill me...:)
L.
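The "formal language" asked for here is what the -oX option Max points to already produces. As an added example (not code from this thread or from the Nmap project), here is a Python parser for that output that flattens it into records and compares the open ports against an allow-list, which is the defensive use of the same data: an exposure inventory that reports drift. The XML is a constructed sample modelled on nmap's -oX layout (nmaprun/host/address/ports/port/state/service); the addresses, baseline and counts are made up.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed sample modelled on nmap's -oX layout; not a real scan result.
SAMPLE_NMAP_XML = """<nmaprun scanner="nmap" args="nmap -v -v -v -oX - 192.0.2.0/30" version="3.50">
  <host>
    <status state="up"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <extraports state="filtered" count="1658"/>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
      <port protocol="tcp" portid="443"><state state="closed"/><service name="https"/></port>
    </ports>
  </host>
  <host>
    <status state="up"/>
    <address addr="192.0.2.11" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="3306"><state state="open"/><service name="mysql"/></port>
    </ports>
  </host>
  <runstats><hosts up="2" down="2" total="4"/></runstats>
</nmaprun>
"""

# Constructed allow-list: the ports each host is expected to expose.
BASELINE = {"192.0.2.10": {22, 80}, "192.0.2.11": set()}


@dataclass(frozen=True)
class PortRecord:
    address: str
    protocol: str
    port: int
    state: str
    service: str


def parse_nmap_xml(xml_text):
    """Flatten an nmap XML document into one PortRecord per <port> element."""
    root = ET.fromstring(xml_text)
    if root.tag != "nmaprun":
        raise ValueError(f"not an nmap XML document (root is <{root.tag}>)")
    records = []
    for host in root.iter("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:          # skip hosts without an IPv4 address element
            continue
        addr = addr_el.get("addr")
        for port_el in host.iter("port"):
            state_el = port_el.find("state")
            service_el = port_el.find("service")
            records.append(PortRecord(
                address=addr,
                protocol=port_el.get("protocol", ""),
                port=int(port_el.get("portid")),
                state=state_el.get("state") if state_el is not None else "unknown",
                service=service_el.get("name", "") if service_el is not None else "",
            ))
    return records


def open_ports_by_host(records):
    """Group open ports per address, e.g. {'192.0.2.10': [22, 80]}."""
    grouped = {}
    for rec in records:
        if rec.state == "open":
            grouped.setdefault(rec.address, []).append(rec.port)
    return {addr: sorted(ports) for addr, ports in grouped.items()}


def unexpected_open(records, baseline):
    """Open ports that are not in the baseline allow-list (the drift report)."""
    drift = {}
    for addr, ports in open_ports_by_host(records).items():
        extra = [p for p in ports if p not in baseline.get(addr, set())]
        if extra:
            drift[addr] = extra
    return drift


if __name__ == "__main__":
    recs = parse_nmap_xml(SAMPLE_NMAP_XML)
    for addr, ports in unexpected_open(recs, BASELINE).items():
        print(f"{addr}: unexpected open ports {ports}")
```

Because the state, service and address come from attributes rather than from free-form text, the same parser works regardless of how many -v flags were given; extra verbosity adds elements, it does not change these ones.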
Why does OS fingerprinting happen before Application Fingerprinting
I just ran a few scans with the OS probe and Version
probe check boxes checked. It appeared that the OS
detection is being done before the Version detection.
Why is this so? Is it some performance issue, or is it
using this information in some way?
Or is this just random, and the 2 types (OS vs Version)
of probes can be sent one before the other or vice
versa?
Re: A formal language for NMAP?
Hi Max,
thanks for your message,
On Sat, 2004-02-14 at 22:21, Max wrote:
> Hi Lorenzo,
>
> Nmap has an XML output option ... -oX. Use that with
> -v -v -v when you do your scan and you will see all
> of the output of the various probes etc very nicely in
> XML.
>
I'm sorry, I wrote without carefully checking the output options of
nmap. This option simplifies very much the building of a framework in which
I would like to use various tools to perform pen-test activity.
> Or are you asking about having nmap actually just write out
> what it would do were you to actually run it in XML but not
> actually perform the scan .. is that the scripting language
> you are talking about? If so, what would the advantage of
> doing that be over just storing sets of nmap options for
> use later? e.g. in perl, you could do something like:
>
> my %OPTIONS = qw(
>     verbose   -v
>     syn_scan  -sS
>     fin_scan  -sF
>     fast_scan -F
> );
> # (FIN scan is -sF; -sT is the TCP connect() scan)
>
> my $cmd = make_cmd(qw(verbose verbose verbose fast_scan syn_scan));
>
> sub make_cmd {
>     my @options = @_;
>     my $cmd = "nmap ";
>     # append (.=) rather than assign (=), or the "nmap " prefix is lost
>     $cmd .= join(' ', map { $OPTIONS{$_} } @options);
>     return $cmd;
> }
>
> What would the advantage be of having nmap produce this?
>
> I could see a use for nmap taking in XML-formatted options ..
>
> <nmap-options>
>     <verbose/>
>     <verbose/>
>     <verbose/>
>     <ports>
>         <port range="true">1-53</port>
>         <port>80</port>
>     </ports>
> </nmap-options>
>
> As that would make building tools that build up nmap command
> lines easier to write and maintain .. is that more what you
> are referring to?
Yes, right, this can be a good solution.
> Then again, the above XML creation could
> be implemented by a high-level tool and then filtered to
> produce real nmap options without too much difficulty.
>
I agree
> Regards,
> Max
Thanks
Lorenzo