NMAP ipidseq script
Posted by cisco_trooper in Off-Topic:
So I'm trying to utilize the NMAP script IPIDSEQ in a test environment to provide a proof of concept, but I'm not getting output I expect of the script.
Here is what I run: nmap --script ipidseq A.B.C.D
Here is what I get:
Starting Nmap 5.51 ( Nmap - Free Security Scanner For Network Exploration & Security Audits. ) at 2011-02-15 09:57 Central Standard Time
Nmap scan report for A.B.C.D
Host is up (0.00065s latency).
Not shown: 996 filtered ports
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
3389/tcp open ms-term-serv
Nmap done: 1 IP address (1 host up) scanned in 6.34 seconds
The script is supposed to provide some output indicating the status of the IP ID Sequence used by the target host A.B.C.D per the documentation found here: ipidseq NSE Script
Has anyone used this successfully? Any idea what I'm missing? This does NOT seem like it should be that complicated.
Thanks guys.
Comments
dynamik:
A lot of the scripts only output something if it's noteworthy. If you look at the example:

-- @usage
-- nmap --script ipidseq [--script-args probeport=port] target
-- @args probeport Set destination port to probe
-- @output
-- Host script results:
-- |_ipidseq: Incremental! [used port 80]

You can see it's alerting you that the sequence is incremental. It looks like it does others, such as "all zeros" and "all same" as well.
cisco_trooper:
Here is verbose:
Still no indication of IP ID Sequence. Time to dissect the script I guess and figure out what logic results in not giving any info.
Starting Nmap 5.51 ( Nmap - Free Security Scanner For Network Exploration & Security Audits. ) at 2011-02-16 19:36 Central Standard Time
NSE: Loaded 1 scripts for scanning.
Initiating ARP Ping Scan at 19:36
Scanning A.B.C.D [1 port]
Completed ARP Ping Scan at 19:36, 0.47s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 19:36
Completed Parallel DNS resolution of 1 host. at 19:36, 0.04s elapsed
Initiating SYN Stealth Scan at 19:36
Scanning A.B.C.D [1000 ports]
Discovered open port 135/tcp on A.B.C.D
Discovered open port 445/tcp on A.B.C.D
Discovered open port 3389/tcp on A.B.C.D
Discovered open port 139/tcp on A.B.C.D
Completed SYN Stealth Scan at 19:36, 1.01s elapsed (1000 total ports)
NSE: Script scanning A.B.C.D.
Initiating NSE at 19:36
Completed NSE at 19:36, 0.00s elapsed
Nmap scan report for A.B.C.D
Host is up (0.0072s latency).
Not shown: 996 closed ports
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
3389/tcp open ms-term-serv
MAC Address: 00:0E:A6:2B:65:2C (Asustek Computer)
Read data files from: C:\Program Files\Nmap
Nmap done: 1 IP address (1 host up) scanned in 3.25 seconds
Raw packets sent: 1001 (44.028KB) | Rcvd: 1001 (40.044KB)
cisco_trooper:
Turned on debugging after wading through the script for a bit. Got this:

NSE: ipidseq against 172.16.29.3 threw an error!
C:\Program Files\Nmap\scripts\ipidseq.nse:221: failed to open raw socket: An attempt was made to access a socket in a way forbidden by its access permissions. (errno 10013)
stack traceback:
[C]: in function 'ip_open'
C:\Program Files\Nmap\scripts\ipidseq.nse:221: in function <C:\Program Files\Nmap\scripts\ipidseq.nse:211>
(tail call): ?
Here is the function beginning at line 211:

action = function(host)
  local i = 1
  local ipids = {}
  local sock = nmap.new_dnet()
  local pcap = nmap.new_socket()
  local port = nmap.registry[host.ip]
  local saddr = packet.toip(host.bin_ip_src)
  local daddr = packet.toip(host.bin_ip)
  local try = nmap.new_try()

  -- raw IP socket: this is the ip_open() call (line 221) that failed with errno 10013
  try(sock:ip_open())
  try = nmap.new_try(function() sock:ip_close() end)

  -- capture only the replies from the probed host/port back to us
  pcap:pcap_open(host.interface, 104, false, "tcp and dst host " .. saddr .. " and src host " .. daddr .. " and src port " .. port)
  pcap:set_timeout(host.times.timeout * 1000)

  local tcp = genericpkt(host, port)

  while i <= NUMPROBES do
    try(sock:ip_send(tcp.buf))
    local status, len, _, layer3 = pcap:pcap_receive()
    local test = bin.pack('AA=S=S', tcp.ip_bin_src, tcp.ip_bin_dst, tcp.tcp_sport, tcp.tcp_dport)
    -- skip captured packets that are not the reply to our probe
    while status and test ~= check(layer3) do
      status, len, _, layer3 = pcap:pcap_receive()
    end
    if status then
      -- the IP ID is the 16-bit field at offset 4 of the IP header
      table.insert(ipids, packet.u16(layer3, 4))
    end
    updatepkt(tcp)
    i = i + 1
  end

  pcap:close()
  sock:ip_close()

  local output = ipidseqclass(ipids)
  if nmap.debugging() > 0 then
    output = output .. " [used port " .. port .. "]"
  end
  return output
end
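The function that action() hands the collected IDs to, ipidseqclass(), is not in the post, so as an added example (my own code, not the nmap script's) here is a Python reimplementation of that classification as I understand Nmap's logic, run over constructed ID sequences; the thresholds are an assumption on my part. It shows which patterns yield the "Incremental!" verdict, i.e. a host whose IP ID is predictable, which is exactly what the script exists to flag.

```python
# Added example, not ipidseq.nse's own code: a Python reimplementation of the
# IP ID sequence classification; Nmap's cut-offs are reproduced from memory (assumption).

def ipidseq_class(ipids):
    """Classify a list of 16-bit IP ID values collected from successive probes."""
    if len(ipids) < 2:
        return "Unknown"

    # Differences between consecutive IDs, corrected for 16-bit wrap-around.
    diffs = []
    for prev, cur in zip(ipids, ipids[1:]):
        diff = cur - prev if prev <= cur else cur - prev + 65536
        # One huge jump within a run of 3+ samples means the ID is randomised.
        if len(ipids) > 2 and diff > 20000:
            return "Randomized"
        diffs.append(diff)

    if all(v == 0 for v in ipids):
        return "All zeros"

    allsame = mul256 = inc = True
    for d in diffs:
        if d != 0:
            allsame = False
        # Big steps that are not clean multiples of 256: random positive increments.
        if d > 1000 and (d % 256 != 0 or d >= 25600):
            return "Random positive increments"
        # Steps of exactly k*256 (small k) mean the host byte-swaps its counter.
        if d > 5120 or d % 256 != 0:
            mul256 = False
        if d >= 10:
            inc = False

    if allsame:
        return "All the same"
    if mul256:
        return "Broken little-endian incremental!"
    if inc:
        return "Incremental!"
    return "Unknown"


if __name__ == "__main__":
    # Constructed sample sequences (not captured from the thread's host).
    for seq in ([65534, 65535, 0, 1, 2], [256, 512, 768, 1024], [0, 0, 0, 0],
                [4242, 4242, 4242, 4242], [100, 30000, 5, 60000]):
        print(seq, "->", ipidseq_class(seq))
```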
cisco_trooper:
Jesus...don't flame the Windows 7 n00b. This works without issue once I run the thing as administrator.

Starting Nmap 5.51 ( http://nmap.org ) at 2011-02-16 23:36 Central Standard Time
Nmap scan report for A.B.C.D
Host is up (0.0069s latency).
Not shown: 996 closed ports
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
3389/tcp open ms-term-serv
MAC Address: 00:0E:A6:2B:65:2C (Asustek Computer)
Host script results:
|_ipidseq: Incremental!
Nmap done: 1 IP address (1 host up) scanned in 3.03 seconds

docrice:
Don't feel so bad. As someone who has been teaching the basics of User Account Control, Integrity Levels, and LSA security tokens in Windows Vista / 7 to others at work, I hate to admit that this might have stumbled me as well. After all these years I'm sometimes still used to the older XP security model. Old habits die hard.
Hopefully-useful stuff I've written: http://kimiushida.com/bitsandpieces/articles/

dynamik:
cisco_trooper wrote: "Jesus...don't flame the Windows 7 n00b. This works without issue once I run the thing as administrator."
That's funny. I actually tried that when I was testing, but I still didn't get any results, so I didn't mention it. *whoops*
One thing that I found out much later than I should have is that if you hold ctrl+shift while starting an application, it launches with administrative privileges. Therefore, you just need to hit the Windows key, type cmd, then ctrl+shift+enter, and you get an administrative command prompt without leaving the keyboard.