Nmap Development mailing list archives

Nmap GSoC 2013 Success Report

From: Fyodor <fyodor () nmap org>

Date: Thu, 31 Oct 2013 22:20:34 -0700

Hi Folks. I'm pleased to report the successful completion of our 9th Google Summer of Code! And for only the fourth time ever, all of our students passed! Admittedly we had a small crop this year, but all three accomplished major feats. Most of their work has already been integrated into Nmap 6.40 or our source code repository for the next release. Let's look at their accomplishments individually:

*George Chatzisofroniou* spent the whole summer working with Patrick Donnelly enhancing Nmap's web scanning capabilities. We've already integrated 13 of his NSE scripts. They span the gamut from detecting CSRF, XSS, and file upload vulnerabilities to detecting the development framework used on a given web site and collecting all the HTML comments hidden on pages sitewide. We now have more than 450 scripts total and all are documented at http://nmap.org/nsedoc/!

*Jacek Wielemborek* worked with David Fifield in adding Lua scripting support to Ncat. This complements Nmap's Scripting Engine (NSE) which has already proven a huge success (see the previous paragraph!). The first feature is the new --lua-exec option in Nmap 6.40. It is similar to the existing --exec and --sh-exec options in that Ncat runs a specified program and redirects its input and output to a network socket. But with those other options you need an executable or shell/batch script which means they aren't portable and often have extra dependencies. Lua-exec uses the same built-in Lua interpreter as Nmap so your scripts will work on Linux, Windows, Mac and more. Jacek's second major feature is a Lua "socket abstractions" system which allows you to control how Ncat does sends and receives using Lua code. Abstractions allow easy implementation of features like transformation of data traffic or even support new protocols that aren't supported by Ncat's core engine. This feature isn't yet merged, but it's working in our nmap-exp tree and we're very excited about it.
*Yang Luo* worked with Fyodor on low-level Windows programming to help bring Nmap's performance on that platform closer to parity with our UNIX support. His largest accomplishment was porting WinPcap from Microsoft's deprecated NDIS 5 framework to the newer Windows Filtering Platform (WFP). See http://seclists.org/nmap-dev/2013/q3/591 for pointers to the code and executables. The new system offers better performance and will continue to work if and when Microsoft discontinues NDIS5. We have offered these changes to the WinPcap developers in the hope they will be merged upstream. Yang's other project was finding a way to send raw packets to localhost on Windows. This hasn't worked in Nmap ever since Microsoft pulled the rug out from under us by disabling raw sockets in Windows XP SP2. The good news is that Yang found a way to do this (also using WFP, incidentally) and he produced proof of concept code that you can find in nmap-exp/yang in our SVN tree. We hope to incorporate this into Nmap so people can scan their own system on Windows just as easily as they can scan other hosts on the LAN or the Internet.

Great work, guys! Both students and mentors deserve a round of applause! And so does Google for making all of this possible! They have spent tens of millions of dollars sponsoring thousands of students to work on hundreds of open source projects. Nmap by itself has mentored 62 SoC students in the last 9 years and some continue as top Nmap developers to this day. If you enjoy Zenmap, the Nmap Scripting Engine, Ncat, Nping, or Ndiff, you're using features developed in a large part by previous Summer of Code students!
Cheers,
Fyodor

PS: For those who are interested, here are our previous success (pass) rates and wrap-up reports:

2013 (3/3 - 100%): [this report]
2012 (4/5 - 80%): http://seclists.org/nmap-dev/2012/q4/138
2011 (7/7 - 100%): http://seclists.org/nmap-dev/2012/q1/542
2010 (8/8 - 100%): http://seclists.org/nmap-dev/2011/q1/708
2009 (6/6 - 100%): http://seclists.org/nmap-dev/2009/q4/148
2008 (6/7 - 86%): http://bit.ly/googleblognmap
2007 (5/6 - 83%): http://seclists.org/nmap-dev/2007/q4/24
2006 (8/10 - 80%): http://seclists.org/nmap-dev/2007/q1/235
2005 (7/10 - 70%): http://slashdot.org/comments.pl?sid=183143&cid=15133184

PPS: Since it is Halloween in my time zone, here is an ASCII witch enthusiastically riding a broomstick:

[ASCII art: witch riding a broomstick]

[ from http://www.geocities.com/SoHo/7373/haloween.htm ]