rapid7 / metasploit-framework

Metasploit Framework
https://www.metasploit.com/

teach db_nmap how to escalate privs for nmap on its own #8171

Closed busterb closed 7 years ago

busterb commented 7 years ago

Often to get decent results from nmap, you need to run it with escalated privileges. On the other hand, I don't like running metasploit as 'root'. So, I'd like to teach metasploit how to call 'sudo' or 'doas' in front of db_nmap invocations so that only nmap needs to run as root.

This can be worked around by just running nmap independently and then importing the XML, but where's the fun in that?

wvu commented 7 years ago

Interesting idea. Or you can chmod u+s Nmap and then exploit it with exploit/unix/local/setuid_nmap. :P

busterb commented 7 years ago

Wow, dual purpose even. Thanks @wvu-r7

busterb commented 7 years ago

hdm raised a good point too, in that simply running as sudo means you are left with a file owned by root. It would be nice if there was some way to stream the data to stdout instead so there is also no intermediate file.

busterb commented 7 years ago

/usr/sbin/setcap cap_net_raw,cap_net_bind_service=+eip /usr/bin/nmap solves this problem, and it is included in the Dockerfile
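As an added illustration of the two ideas raised in this thread (not Metasploit code), the Ruby below decides how a db_nmap-style launcher should run nmap: it parses `getcap` output for the binary, uses no wrapper at all when the file already carries CAP_NET_RAW (the setcap approach above), falls back to sudo or doas only for the nmap process itself, and streams the XML report to stdout with `-oX -` so no root-owned file is left behind. The `getcap` lines and the wrapper list are constructed inputs; `effective_caps`, `privilege_prefix` and `build_nmap_argv` are hypothetical names.

```ruby
# Added example, not part of metasploit-framework.
# Capability that raw-socket scans (SYN scan, OS detection) actually need.
REQUIRED_CAPS = %w[cap_net_raw].freeze

# Parse getcap output and return the capability names that are *effective*
# for the binary. Both libcap output styles are handled:
#   "/usr/bin/nmap = cap_net_bind_service,cap_net_raw+eip"   (older libcap)
#   "/usr/bin/nmap cap_net_bind_service,cap_net_raw=eip"     (newer libcap)
def effective_caps(getcap_output)
  caps = []
  getcap_output.each_line do |line|
    next unless line.include?('cap_')
    # Drop the path and the optional " = " separator, keep the clauses.
    spec = line.split(/\s+=?\s*/, 2)[1].to_s.strip
    spec.split(/\s+/).each do |clause|
      names, flags = clause.split(/[=+]/, 2)
      next unless flags && flags.include?('e') # only effective caps count
      caps.concat(names.split(','))
    end
  end
  caps.uniq
end

# argv prefix for launching nmap: empty when file capabilities already cover
# the need (nothing runs as root), otherwise the first wrapper present.
# Only nmap gets the wrapper; the framework itself never escalates.
def privilege_prefix(getcap_output, wrappers_present)
  return [] if (REQUIRED_CAPS - effective_caps(getcap_output)).empty?
  wrapper = %w[sudo doas].find { |w| wrappers_present.include?(w) }
  raise 'nmap lacks CAP_NET_RAW and neither sudo nor doas is available' unless wrapper
  [wrapper]
end

# Full command line. "-oX -" writes the XML report to stdout so the caller
# can import it directly, leaving no intermediate root-owned file on disk.
def build_nmap_argv(getcap_output, wrappers_present, nmap_args)
  privilege_prefix(getcap_output, wrappers_present) + ['nmap', '-oX', '-'] + nmap_args
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample: binary without file capabilities, sudo present.
  puts build_nmap_argv('', %w[sudo], %w[-sS 192.0.2.10]).join(' ')
end
```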