NMAP ipidseq script

cisco_troopercisco_trooper Member Posts: 1,441 ■■■■□□□□□□
So I'm trying to utilize the NMAP script IPIDSEQ in a test environment to provide a proof of concept, but I'm not getting the output I expect from the script.

Here is what I run: nmap --script ipidseq A.B.C.D

Here is what I get:
Starting Nmap 5.51 ( http://nmap.org ) at 2011-02-15 09:57 Central Standard Time
Nmap scan report for A.B.C.D
Host is up (0.00065s latency).
Not shown: 996 filtered ports
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
3389/tcp open ms-term-serv

Nmap done: 1 IP address (1 host up) scanned in 6.34 seconds



The script is supposed to provide some output indicating the status of the IP ID Sequence used by the target host A.B.C.D per the documentation found here: ipidseq NSE Script


Has anyone used this successfully? Any idea what I'm missing? This does NOT seem like it should be that complicated.

Thanks guys. :)

Comments

    wastedtimewastedtime Member Posts: 586 ■■■■□□□□□□
    Try adding -v for verbose output.
    dynamikdynamik Banned Posts: 12,312 ■■■■■■■■■□
    A lot of the scripts only output something if it's noteworthy. If you look at the example:
    ---
    -- @usage 
    -- nmap --script ipidseq [--script-args probeport=port] target
    -- @args probeport Set destination port to probe
    -- @output
    -- Host script results:
    -- |_ipidseq: Incremental! [used port 80]
    

    You can see it's alerting you that the sequence is incremental. It looks like it does others, such as "all zeros" and "all same" as well.
    cisco_troopercisco_trooper Member Posts: 1,441 ■■■■□□□□□□
    Here is verbose:

    Still no indication of IP ID Sequence. Time to dissect the script I guess and figure out what logic results in not giving any info.

    Starting Nmap 5.51 ( http://nmap.org ) at 2011-02-16 19:36 Central Standard Time

    NSE: Loaded 1 scripts for scanning.

    Initiating ARP Ping Scan at 19:36

    Scanning A.B.C.D [1 port]

    Completed ARP Ping Scan at 19:36, 0.47s elapsed (1 total hosts)

    Initiating Parallel DNS resolution of 1 host. at 19:36

    Completed Parallel DNS resolution of 1 host. at 19:36, 0.04s elapsed

    Initiating SYN Stealth Scan at 19:36

    Scanning A.B.C.D [1000 ports]

    Discovered open port 135/tcp on A.B.C.D

    Discovered open port 445/tcp on A.B.C.D

    Discovered open port 3389/tcp on A.B.C.D

    Discovered open port 139/tcp on A.B.C.D

    Completed SYN Stealth Scan at 19:36, 1.01s elapsed (1000 total ports)

    NSE: Script scanning A.B.C.D.

    Initiating NSE at 19:36

    Completed NSE at 19:36, 0.00s elapsed

    Nmap scan report for A.B.C.D

    Host is up (0.0072s latency).

    Not shown: 996 closed ports

    PORT STATE SERVICE

    135/tcp open msrpc

    139/tcp open netbios-ssn

    445/tcp open microsoft-ds

    3389/tcp open ms-term-serv

    MAC Address: 00:0E:A6:2B:65:2C (Asustek Computer)



    Read data files from: C:\Program Files\Nmap

    Nmap done: 1 IP address (1 host up) scanned in 3.25 seconds

    Raw packets sent: 1001 (44.028KB) | Rcvd: 1001 (40.044KB)
    cisco_troopercisco_trooper Member Posts: 1,441 ■■■■□□□□□□
    Turned on debugging after wading through the script for a bit. Got this:
    NSE: ipidseq against 172.16.29.3 threw an error!

    C:\Program Files\Nmap\scripts\ipidseq.nse:221: failed to open raw socket: An attempt was made to access a socket in a way forbidden by its access permissions. (errno 10013)

    stack traceback:

    [C]: in function 'ip_open'

    C:\Program Files\Nmap\scripts\ipidseq.nse:221: in function <C:\Program Files\Nmap\scripts\ipidseq.nse:211>

    (tail call): ?

    Here is the function beginning at line 211:
    action = function(host)
      local i = 1
      local ipids = {}
      local sock = nmap.new_dnet()          -- raw IP socket; needs raw-socket privileges
      local pcap = nmap.new_socket()
      local port = nmap.registry[host.ip]   -- probe port recorded earlier by the script
      local saddr = packet.toip(host.bin_ip_src)
      local daddr = packet.toip(host.bin_ip)
      local try = nmap.new_try()

      try(sock:ip_open())                   -- line 221: this is the call that threw errno 10013

      try = nmap.new_try(function() sock:ip_close() end)

      -- capture only replies from the target's probe port back to us
      pcap:pcap_open(host.interface, 104, false, "tcp and dst host " .. saddr .. " and src host " .. daddr .. " and src port " .. port)

      pcap:set_timeout(host.times.timeout * 1000)

      local tcp = genericpkt(host, port)

      while i <= NUMPROBES do
        try(sock:ip_send(tcp.buf))

        local status, len, _, layer3 = pcap:pcap_receive()
        local test = bin.pack('AA=S=S', tcp.ip_bin_src, tcp.ip_bin_dst, tcp.tcp_sport, tcp.tcp_dport)
        -- skip captured packets that do not belong to this probe
        while status and test ~= check(layer3) do
          status, len, _, layer3 = pcap:pcap_receive()
        end

        if status then
          -- IP ID field: 16 bits at offset 4 of the IPv4 header
          table.insert(ipids, packet.u16(layer3, 4))
        end

        updatepkt(tcp)

        i = i + 1
      end

      pcap:close()
      sock:ip_close()

      -- classify the collected IP ID sequence (Incremental, All zeros, ...)
      local output = ipidseqclass(ipids)

      if nmap.debugging() > 0 then
        output = output .. " [used port " .. port .. "]"
      end

      return output
    end
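    The loop above sends NUMPROBES probes, reads the 16-bit Identification field out of each reply (packet.u16(layer3, 4)) and hands the list to ipidseqclass. The Python below is an added example, not code from ipidseq.nse or Nmap: it reproduces that extract-and-classify step on constructed IPv4 headers, using the class names the script prints; the step thresholds (1000, 20000, 25600, multiples of 256) are assumptions modelled on Nmap's IP ID classifier rather than a verbatim port.

```python
import struct
from typing import List

def build_ipv4_header(ip_id: int) -> bytes:
    """Constructed 20-byte IPv4 header (TCP payload, no options) carrying ip_id."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, ip_id, 0x4000, 64, 6, 0,
                       bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))

def extract_ip_id(layer3: bytes) -> int:
    """Identification field: 16 bits big-endian at offset 4, the same read
    the script performs with packet.u16(layer3, 4)."""
    return struct.unpack_from("!H", layer3, 4)[0]

def classify_ipid_sequence(ipids: List[int]) -> str:
    """Class names match ipidseq output; thresholds are an assumption modelled
    on Nmap's IP ID classifier, not a verbatim port of ipidseqclass."""
    if len(ipids) < 2:
        return "Unknown"
    if all(x == 0 for x in ipids):
        return "All zeros"
    # Step between consecutive replies, modulo 2^16 so a counter wrapping
    # from 65535 to 0 still counts as a step of 1.
    diffs = [(b - a) % 65536 for a, b in zip(ipids, ipids[1:])]
    if len(ipids) > 2 and any(d > 20000 for d in diffs):
        return "Randomized"
    if all(d == 0 for d in diffs):
        return "All same"
    # Large jumps that are not counter-like: no usable counter is exposed.
    if any(d > 1000 and (d % 256 or d >= 25600) for d in diffs):
        return "Random positive increments"
    # Every step a multiple of 256: a counter sent with its bytes swapped,
    # still predictable to a third party.
    if all(d % 256 == 0 for d in diffs):
        return "Broken little-endian incremental!"
    return "Incremental!"   # what the thread's host reported once the scan ran elevated

def classify_replies(replies: List[bytes]) -> str:
    """The step after the probe loop: IP ID out of each captured reply, then classify."""
    return classify_ipid_sequence([extract_ip_id(r) for r in replies])

if __name__ == "__main__":
    # Constructed reply sets standing in for the captured probe responses.
    samples = {
        "plain counter": [4101, 4102, 4103, 4104, 4105, 4106],
        "byte-swapped counter": [0x0500, 0x0600, 0x0700, 0x0800, 0x0900, 0x0A00],
        "zeroed IDs": [0] * 6,
        "randomised": [31337, 9, 60001, 12345, 54321, 777],
    }
    for name, ids in samples.items():
        print(f"{name:21s} -> {classify_replies([build_ipv4_header(i) for i in ids])}")
```

    An "Incremental!" result means an outside observer can count the packets the host emits between two probes, which is why the script reports it; "Randomized" or "All zeros" is what a hardened stack shows.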
    cisco_troopercisco_trooper Member Posts: 1,441 ■■■■□□□□□□
    Jesus...don't flame the Windows 7 n00b. This works without issue once I run the thing as administrator. icon_mad.gif

    Starting Nmap 5.51 ( http://nmap.org ) at 2011-02-16 23:36 Central Standard Time

    Nmap scan report for A.B.C.D

    Host is up (0.0069s latency).

    Not shown: 996 closed ports

    PORT STATE SERVICE

    135/tcp open msrpc

    139/tcp open netbios-ssn

    445/tcp open microsoft-ds

    3389/tcp open ms-term-serv

    MAC Address: 00:0E:A6:2B:65:2C (Asustek Computer)



    Host script results:

    |_ipidseq: Incremental!



    Nmap done: 1 IP address (1 host up) scanned in 3.03 seconds
    docricedocrice Member Posts: 1,706 ■■■■■■■■■■
    Don't feel so bad. As someone who has been teaching the basics of User Account Control, Integrity Levels, and LSA security tokens in Windows Vista / 7 to others at work, I hate to admit that this might have stumbled me as well. After all these years I'm sometimes still used to the older XP security model. Old habits die hard.
    Hopefully-useful stuff I've written: http://kimiushida.com/bitsandpieces/articles/
    dynamikdynamik Banned Posts: 12,312 ■■■■■■■■■□
    Jesus...don't flame the Windows 7 n00b. This works without issue once I run the thing as administrator. icon_mad.gif

    That's funny. I actually tried that when I was testing, but I still didn't get any results, so I didn't mention it. *whoops*

    One thing that I found out much later than I should have is that if you hold ctrl+shift while starting an application, it launches with administrative privileges. Therefore, you just need to hit the Windows key, type cmd, then ctrl+shift+enter, and you get an administrative command prompt without leaving the keyboard.