minvws / nl-kat-coordination

OpenKAT scans networks, finds vulnerabilities and creates accessible reports. It integrates the most widely used network tools and scanning software into a modular framework, accesses external databases such as shodan, and combines the information from all these sources into clear reports. It also includes lots of cat hair.
https://openkat.nl
European Union Public License 1.2

Add Pattern to Nmap boefje to match a range of numbers, e.g. 0 to 65000 are not overly easy to do, but here's a try: #3143

Closed underdarknl closed 1 month ago

underdarknl commented 4 months ago

To revisit this. Patterns that match a range of numbers, e.g. 0 to 65000, are not overly easy to do, but here's a try:

(([1-9][0-9]{0,3}|[1-5][0-9]{4}|6[0-4][0-9]{3}|65[0-4][0-9]{2}|655[0-2][0-9]|6553[0-4]),)*?(([1-9][0-9]{0,3}|[1-5][0-9]{4}|6[0-4][0-9]{3}|65[0-4][0-9]{2}|655[0-2][0-9]|6553[0-4])-)?([1-9][0-9]{0,3}|[1-5][0-9]{4}|6[0-4][0-9]{3}|65[0-4][0-9]{2}|655[0-2][0-9]|6553[0-5])

This will match the following:

  • 1
  • 1,2
  • 1-65000
  • 1,2,100-200
  • 65534-65535

Rules:

  • The number of single ports is unlimited, the number of range groups is unlimited, but expected to come after the single ports.
  • Range groups are intended to be separated by a dash.
  • No spaces / other chars are allowed.
  • Port numbers (single or in range) are limited from 1 to 65535.
  • A small number is allowed as the second argument in a range, this is not easily fixed in the regex, but we might be able to flip them round in the boefje code.

Originally posted by @underdarknl in https://github.com/minvws/nl-kat-coordination/issues/2999#issuecomment-2177941702

underdarknl commented 2 months ago

This missing regex was mentioned in our pentest as a security issue. Not having this regex could allow red-teamers (who can set boefje settings) to inject commands into the nmap cli call.
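The regex from the first comment and the injection concern from the second, carried into a worked example (added here; this is not OpenKAT's own boefje code): a Python validator that anchors the pattern with `fullmatch`, flips a reversed range in code as the comment suggests, and rebuilds a clean `-p` argument from the parsed values. Function names and sample inputs are constructed for the example.

```python
import re

# Port pattern from the comment above (matches 1-65534), used for single
# ports and for the first number of a range.
_PORT = (
    r"[1-9][0-9]{0,3}|[1-5][0-9]{4}|6[0-4][0-9]{3}"
    r"|65[0-4][0-9]{2}|655[0-2][0-9]|6553[0-4]"
)
# The final number of the string may additionally be 65535.
_LAST = (
    r"[1-9][0-9]{0,3}|[1-5][0-9]{4}|6[0-4][0-9]{3}"
    r"|65[0-4][0-9]{2}|655[0-2][0-9]|6553[0-5]"
)
PORT_SPEC = re.compile(rf"(?:(?:{_PORT}),)*?(?:(?:{_PORT})-)?(?:{_LAST})")


def validate_port_spec(spec: str) -> bool:
    """True only if the whole string matches. fullmatch is essential: with
    re.search or re.match, trailing bytes such as '80;ls' would slip through.
    Note the posted pattern only accepts 65535 as the final number, so
    '65535,80' is rejected."""
    return PORT_SPEC.fullmatch(spec) is not None


def parse_port_spec(spec: str) -> list[tuple[int, int]]:
    """Validate, then split into (low, high) tuples. A range written as
    '200-100' is flipped to (100, 200), handling the last rule in code
    instead of in the regex."""
    if not validate_port_spec(spec):
        raise ValueError(f"invalid nmap port specification: {spec!r}")
    ports = []
    for item in spec.split(","):
        if "-" in item:  # the regex allows at most one range, at the end
            low, high = (int(x) for x in item.split("-", 1))
            if low > high:
                low, high = high, low
            ports.append((low, high))
        else:
            ports.append((int(item), int(item)))
    return ports


def nmap_port_argument(spec: str) -> str:
    """Rebuild the '-p' value from the parsed tuples, so only digits, commas
    and dashes ever reach the nmap command line."""
    return ",".join(
        str(low) if low == high else f"{low}-{high}"
        for low, high in parse_port_spec(spec)
    )
```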