zmap / zgrab2

Fast Go Application Scanner

Feature/source interface (inferior solution for #351, *if* unprivileged users can't create namespaces) #359

Closed mzpqnxow closed 1 year ago

mzpqnxow commented 2 years ago

This is a "feature" which is useful but only in very specific configurations which are described as a comment in the code. I'm not insistent on this being merged, please feel free to close it and let it just live in the closed issues as a reference

This stems from #351 and was implemented before a better solution was suggested by @dadrian

Merging it probably does no significant harm but because it's also rarely helpful and is a somewhat half-baked solution, it's perfectly reasonable to not want to accept it

I'll add another point against accepting it: it is not a very clean implementation. It uses an environment variable instead of a command-line flag, the error checking is questionable, and assumptions are made (like using the first address for an interface) that may cause it to not work well with aliased interfaces (e.g. eth0:1, eth0:2)

This has only been tested on my configuration, where it worked well enough to unblock me. I didn't implement it as a flag both because I am lazy and because (similar to the original --source-ip flag) it is difficult to describe it in the usage function without it confusing users who almost certainly don't want what it provides

From the comments:

    // There are caveats here and it's designed for a very specific use-case
    // Use-case is for machines with multiple default routes. Consider a system
    // with mgmt0 and wan0
    //   - Both are technically WAN links with public IP addresses
    //   - Both have an entry in the routing table for 0/0
    //   - Only one (wan0) is intended for network probes
    //   - It is not an option to simply reorder the routes system-wide, for
    //     whatever reason
    //
    // Assuming the above all hold, you can use $ZIFACE to override the
    // interface that the TCP/IP stack would choose by default (which is based
    // entirely on the priority of the routing table)
    //
    // This is a fix ("hack", really) for the issue described in:
    //   https://github.com/zmap/zgrab2/issues/351
    //
    // @dadrian suggested a much less invasive and more flexible solution, which
    // is spinning up a network namespace with only the desired interface and
    // using that for the scan. That solves this problem without any code changes.
    //
    // That works very well and is by far the best solution *except* where it is not
    // available, in cases where the system is hardened via:
    //
    //   kernel.unprivileged_userns_clone = 0
    //
    // In this case, you can fall back on this hacky mechanism, by setting the
    // $ZIFACE environment variable to the interface you want to prefer over the
    // others

Thanks!
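A minimal Go sketch of the $ZIFACE mechanism the comment above describes, written for this page rather than taken from the PR: resolve the named interface to its first address of the wanted family and bind it as the dialer's LocalAddr so the kernel routes out of that interface instead of following the routing table. The function names and the IPv4/IPv6 selection parameter are assumptions, not zgrab2's API; note that a bare "first address" lookup cannot express eth0:1-style aliases, which is the caveat the PR itself raises.

```go
package main

import (
	"fmt"
	"net"
	"os"
)

// pickSourceIP returns the first address of the requested family on an interface,
// keeping the PR's "first address" assumption (so eth0:1-style aliases are not handled).
func pickSourceIP(addrs []net.Addr, wantIPv4 bool) (net.IP, error) {
	for _, a := range addrs {
		if ipn, ok := a.(*net.IPNet); ok && (ipn.IP.To4() != nil) == wantIPv4 {
			return ipn.IP, nil
		}
	}
	return nil, fmt.Errorf("no address of the requested family")
}

// sourceAddrForInterface resolves an interface name such as "wan0" to a TCP
// source address with port 0, so the kernel still picks an ephemeral port.
func sourceAddrForInterface(name string, wantIPv4 bool) (*net.TCPAddr, error) {
	iface, err := net.InterfaceByName(name)
	if err != nil {
		return nil, fmt.Errorf("ZIFACE=%q: %w", name, err)
	}
	addrs, err := iface.Addrs()
	if err != nil {
		return nil, err
	}
	ip, err := pickSourceIP(addrs, wantIPv4)
	if err != nil {
		return nil, fmt.Errorf("ZIFACE=%q: %w", name, err)
	}
	return &net.TCPAddr{IP: ip}, nil
}

// dialerFromEnv leaves LocalAddr nil when ZIFACE is unset (routing table decides);
// otherwise it binds LocalAddr to the interface's address so the kernel sends from it.
func dialerFromEnv() (*net.Dialer, error) {
	name := os.Getenv("ZIFACE")
	if name == "" {
		return &net.Dialer{}, nil
	}
	src, err := sourceAddrForInterface(name, true)
	if err != nil {
		return nil, err
	}
	return &net.Dialer{LocalAddr: src}, nil
}
```

Use `dialerFromEnv()` in place of a plain `net.Dialer{}` wherever connections are opened; with ZIFACE unset the behaviour is unchanged.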

mzpqnxow commented 1 year ago

It’s probably best to close this; the suggestion @dadrian offered requires no code changes, let alone ones as hacky as this one

thanks again @dadrian for the netns idea!