I see. Thanks for the pointer, Eero.
That makes sense now, I suppose, but the nmap syntax is wrong.
Instead of:
nmap -n -sV -oN /tmp/nmap-10.56.6.40-567162054 -O 1463,15197,25097,38204,46226,55374 10.56.6.40
it should be:
nmap -n -sV -oN /tmp/nmap-10.56.6.40-567162054 -O -p 1463,15197,25097,38204,46226,55374 10.56.6.40
Aha! And I see the [subtle] bug too! The variable i, used for the argv
indexing, is overwritten during the random port list construction. I've
confirmed in my local openvas installation that the fix can be as simple as:
$ diff gb_nmap_os_detection.nasl gb_nmap_os_detection_fixed.nasl
132c132
< for( i = 1; i <= numClosedPorts; i++ ) {
---
> for( j = 1; j <= numClosedPorts; j++ ) {
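Review bot: j is introduced here as a new loop counter, but the hunk shows no declaration for it; if this loop is inside a function that lists its locals with local_var, add j to that list as well, otherwise the rename creates an undeclared name. Also check the loop body between lines 132 and 137, which the diff does not show, for any remaining use of i that still needs to become j.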
137c137
< while( i + closedPort >< portList ) {
---
> while( j + closedPort >< portList ) {
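Review bot: the uniqueness test `while( j + closedPort >< portList )` keeps the original form, concatenating the counter with closedPort and checking that string against portList, so it stays consistent with the rename in the for header; the body that regenerates closedPort (lines 138 and 139) is not in the hunk and should be confirmed not to touch i either.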
140c140
< portList += "," + i + closedPort;
---
> portList += "," + j + closedPort;
How can I become a contributor to help fix the script (and/or any other
script in which I encounter bugs)?
Thanks!
Daniel
Daniel Popescu
818-625-0823
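As an added illustration (this is not code from the thread or from gb_nmap_os_detection.nasl), the following Python model of the argv assembly reproduces the symptom Daniel reports: when the random-port loop reuses the argv index i, the index is left one past the loop bound and the next assignment overwrites the "-p" slot, yielding the "-O <portlist> <target>" command seen in the ps output; a separate counter (the j of the diff) keeps "-p" in place. The argument order (with "-p" stored before the loop runs) and the 1000-9999 range for the random port are hypothetical, chosen so the buggy output matches the observed command line.

```python
# Added illustration, not the NASL script: a Python model of the argv
# assembly that shows why a shared loop counter drops "-p".
# Assumptions (hypothetical): "-p" is stored in argv before the random
# port loop runs, and closedPort is drawn from 1000-9999.
import random

CLOSED_PORT_COUNT = 5          # five random "closed" ports, as Eero's reply says
OUTFILE = "/tmp/nmap-10.56.6.40-567162054"


def build_argv(target, requested_ports, rng, shared_counter):
    """Return the nmap argv as a list.

    shared_counter=True models the bug: the loop that builds the random
    port list reuses the argv index i, so after the loop the index is
    CLOSED_PORT_COUNT + 1 (a NASL for loop leaves its counter one past the
    bound) and the next assignment overwrites the "-p" slot.
    shared_counter=False models the diff: the loop uses its own counter.
    """
    argv = {}
    i = 0
    for arg in ("nmap", "-n", "-sV", "-oN", OUTFILE, "-O", "-p"):
        argv[i] = arg
        i += 1                                       # i == 7 here

    port_list = requested_ports
    counter = 1
    while counter <= CLOSED_PORT_COUNT:
        # Same construction as the diff: the counter is concatenated with a
        # random port, which is why the observed ports start with 1..5.
        candidate = f"{counter}{rng.randint(1000, 9999)}"
        while candidate in port_list:                # NASL's >< substring test
            candidate = f"{counter}{rng.randint(1000, 9999)}"
        port_list += "," + candidate
        counter += 1
    if shared_counter:
        i = counter                                  # bug: i is now 6, not 7

    argv[i] = port_list                              # clobbers "-p" when i == 6
    i += 1
    argv[i] = target
    return [argv[n] for n in sorted(argv)]


def has_port_flag(argv):
    """True when the port list is passed as the value of -p, as nmap expects."""
    try:
        return argv[argv.index("-p") + 1][0].isdigit()
    except ValueError:
        return False


if __name__ == "__main__":
    for shared in (True, False):
        cmd = build_argv("10.56.6.40", "1463", random.Random(7), shared)
        print(("buggy:  " if shared else "fixed:  ") + " ".join(cmd))
```

Running the block prints the two command lines side by side; the buggy one has no -p and nmap would reject the port list as an invalid target, exactly as in the foreground run above.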
On Thu, Feb 9, 2017 at 6:27 PM, Eero Volotinen <[email protected]>
wrote:
> OS detections adds 5 random ports to commandline:
>
> http://plugins.openvas.org/nasl.php?oid=108021
>
>
>
> --
> Eero
>
> 2017-02-10 3:24 GMT+02:00 Dan ½ <[email protected]>:
>
>> Hi folks,
>>
>> I'm encountering a strange issue wherein ports that I'm certain are open
>> are not being reported as open. I have a target host where I KNOW that TCP
>> port 1463 is open.
>>
>> I kick off a scan using a custom port list that contains only 1 TCP port,
>> 1463, created via
>>
>> omp -u admin -w *** --xml '<create_port_list> <name>scribe only</name>
>> <comment>scribe only</comment> <port_range>T:1463</port_range>
>> </create_port_list>'
>>
>> I then poll for nmap commands and I see the following:
>>
>> # while true; do ps auxwww | grep [n]map; sleep 1; done
>> root 154390 0.0 0.0 43448 5348 ? D 01:02 0:00 nmap
>> --reason -sP --send-ip -PE 10.56.6.40
>> root 154394 0.0 0.0 167000 51032 ? S 01:02 0:00
>> openvassd: testing 10.56.6.40 (/usr/local/var/lib/openvas/plugins/nmap.nasl)
>> root 154396 0.0 0.0 43584 5188 ? R 01:02 0:00 nmap
>> -n -P0 -oG /tmp/nmap-10.56.6.40-167506994 -sT -p T:1463 -T 3 10.56.6.40
>> root 154438 0.0 0.0 167528 51488 ? S 01:02 0:00
>> openvassd: testing 10.56.6.40 (/usr/local/var/lib/openvas/plugins/gb_nmap_os_detection.nasl)
>> root 154440 54.0 0.0 69620 26404 ? S 01:02 0:00 nmap
>> -n -sV -oN /tmp/nmap-10.56.6.40-567162054 -O 1463,15197,25097,38204,46226,55374 10.56.6.40
>>
>>
>> What's up with the "-O 1463,15197,25097,38204,46226,55374" part? The
>> output from running that nmap command in the foreground looks like:
>>
>>
>> root@22552df8a23f:/# nmap -n -sV -oN /tmp/nmap-10.56.6.40-567162054 -O 1463,15197,25097,38204,46226,55374 10.56.6.40
>>
>> Starting Nmap 5.51 ( http://nmap.org ) at 2017-02-10 01:11 UTC
>> Invalid target host specification: 1463,15197,25097,38204,46226,55374
>> QUITTING!
>>
>>
>> That list of random ports seems to vary on each run (except for the first
>> number, 1463, which is consistent with what i've requested to be scanned).
>> Not sure where it's coming from, but I'm fairly certain that this is what's
>> causing the issue that I'm seeing where known open ports are not being
>> reported.
>>
>> I'm on ubuntu 14.04 (trusty), openvas8 built from source on the published
>> tarballs on http://www.openvas.org/install-source.html.
>>
>> Any ideas on where that random list is coming from? and why it's not
>> being passed with "-p"? Is that possibly what's causing this issue or is it
>> a red herring?
>>
>>
>> Daniel Popescu
>> 818-625-0823
>>
>> _______________________________________________
>> Openvas-discuss mailing list
>> [email protected]
>> https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-discuss
>>
>
>