Feature #12963
openRun nmap scans in the background
0%
Description
NMap package cannot actually run from gui because of nginx timeout
This patch adds the following features:
- run nmap in background and output results to /root/nmap.result file
- do not start a new nmap session from gui until last one is completed
- add a results tab to get the last log output from nmap
- show the time of last nmap scan completion (start time is displayed by actual command output)
A github commit was pushed and linked in next comment
Files
Updated by Phil Wardt almost 3 years ago
- File 01-scan.JPG 01-scan.JPG added
- File 02-scan-exec.JPG 02-scan-exec.JPG added
- File 03-scan-wait.JPG 03-scan-wait.JPG added
- File 04-results.JPG 04-results.JPG added
Github commit, tested with screen shots:
https://github.com/pfsense/FreeBSD-ports/pull/1148
Note: it properly supports too big files like the packet capture command: will display a warning with path to the log file to download
Updated by Phil Wardt almost 3 years ago
- File nmap.patch nmap.patch added
Add a working test patch that can be copied into System Patches package:
Updated by Phil Wardt almost 3 years ago
- File nmap-complete.patch nmap-complete.patch added
- File 04-results-refresh.JPG 04-results-refresh.JPG added
- File 05-results-complete.JPG 05-results-complete.JPG added
- File 06-results-none.JPG 06-results-none.JPG added
Phil Wardt wrote in #note-2:
Add a working test patch that can be copied into System Patches package:
Added option to refresh/delete scan results log:
- if scan in progress: display refresh button
- if no scan results: no button is shown
- if scan results are present and no scan is running, offer clear scan results button
New patch file attached
Updated by Phil Wardt almost 3 years ago
- File nmap-complete.patch nmap-complete.patch added
Phil Wardt wrote in #note-3:
Phil Wardt wrote in #note-2:
Add a working test patch that can be copied into System Patches package:
Added option to refresh/delete scan results log:
- if scan in progress: display refresh button
- if no scan results: no button is shown
- if scan results are present and no scan is running, offer clear scan results buttonNew patch file attached
A last one with a small optimisation: use php file_get_contents instead of system calls
Updated by Phil Wardt almost 3 years ago
Github link again
https://github.com/pfsense/FreeBSD-ports/pull/1148
Updated by Jim Pingle almost 3 years ago
- Tracker changed from Bug to Feature
- Project changed from pfSense to pfSense Packages
- Subject changed from Fix NMap timeout when started from GUI to Run nmap scans in the background
- Category changed from Package System to Nmap
- Assignee deleted (
Viktor Gurov) - Release Notes deleted (
Default)
Updated by Phil Wardt almost 3 years ago
Updated by Phil Wardt almost 3 years ago
Updated by Phil Wardt almost 3 years ago
Updated TAB and Button names from ...log to "View Results"
Patch attached above
Updated by Jim Pingle over 2 years ago
- Status changed from New to Pull Request Review
Updated by Phil Wardt over 2 years ago
Standardize nmap text in description: NMap -> Nmap
https://github.com/pfsense/FreeBSD-ports/pull/1148
Updated by Jim Pingle over 2 years ago
- Status changed from Pull Request Review to Feedback
- Assignee set to Jim Pingle
PR merged, thanks!
Updated by Jim Pingle over 2 years ago
The Makefile needed an additional fix or it wouldn't compile: https://github.com/pfsense/FreeBSD-ports/commit/d34af18c95d6a45176d010648d1ad6991d8506a7
Updated by Phil Wardt over 2 years ago
- File 08-delete-icon.JPG 08-delete-icon.JPG added
Again, noticed the delete icon resource
https://github.com/pfsense/FreeBSD-ports/pull/1152
Updated by Phil Wardt over 2 years ago
- File 02-Wait-2.JPG 02-Wait-2.JPG added
- File 02-Wait-3.JPG 02-Wait-3.JPG added
- File 03-Results.JPG 03-Results.JPG added
- File 01-Start.JPG 01-Start.JPG added
- File 02-Wait-1.JPG 02-Wait-1.JPG added
- File 03-Results-errors-only.JPG 03-Results-errors-only.JPG added
- File 03-Results-with-errors.JPG 03-Results-with-errors.JPG added
- File nmap_scan-v15.patch nmap_scan-v15.patch added
After the last nmap changes, I wanted to harmonize the package with "Packet Capture"
https://github.com/pfsense/FreeBSD-ports/pull/1154
Source of nmap_scan.php followed packet capture php source and I made it a bit more structured
I also added a few features
Here are the log changes:
nmap command:- replace deprecated scan options (-sP)
- use nmap built-in -oN summarized output format for results log
- allow custom scan options
- add support for IPsec and localhost interfaces
- for -d option to no more allow deprecated options
- use same tab for all operations (harmonize gui with Packet Capture)
- allow stop of running nmap processes started by gui
- display error messages and command errors in a results error field
- allow refresh results without stopping scan
- default append to results log
- properly summarized nmap log using -oN option
- properly display the full command in output file using -oN option
- hide detailed info in spannable tool tips
Images attached
Patch file attached: for testing, access with your pfsense.address/nmap_scan.php
Updated by Phil Wardt over 2 years ago
To disable any code injection risks:
- input is matched against a white list allowing only alphanumeric, spaces (exclude tabs using specific 040 pattern), dots, - and _ chars
- "-d" option is forced on nmap to disable any deprecated options on version upgrades
- "-o" output command option is disabled
https://github.com/pfsense/FreeBSD-ports/blob/654af55a3208ea8c9aacf8f0a2618ab52f74206f/security/pfSense-pkg-nmap/files/usr/local/www/nmap_scan.php#L67
I am not sure if this is considered enough.
If not, I can disable the custom input fields and maybe just add a few useful scan methods and command options like traceroute. It will become much more useful than current implementation
Updated by Jim Pingle over 2 years ago
- Status changed from Feedback to Pull Request Review
Updated by Phil Wardt over 2 years ago
- File 01-Start-options-syntax.JPG 01-Start-options-syntax.JPG added
- File 02-Start-scan-methods.JPG 02-Start-scan-methods.JPG added
- File 03-Results-Error.JPG 03-Results-Error.JPG added
- File nmap_scan-v18.patch nmap_scan-v18.patch added
I modified the code to disable any custom commands.
This is safer since nmap already changed in the past the -o option syntax and could do again in future.
I added a few more useful scan methods, ports syntax support, multiple hosts as per nmap syntax, and a few more options.
New screens attached
Patch file attached: for testing, access with url pfsense.address/nmap_scan.php
Updated by Phil Wardt over 2 years ago
- File nmap_scan-v19.patch nmap_scan-v19.patch added
Updated patch to fix this:
- only kill nmap process using the output file created in GUI
- code formatting
Updated by Phil Wardt over 2 years ago
- File nmap_scan-v20.patch nmap_scan-v20.patch added
- File Start.JPG Start.JPG added
Add No DNS Resolution option for faster scans
Should be completed
Attached patch for pfsense 2.6.0
Updated by Phil Wardt over 2 years ago
- File nmap_scan-v21.patch nmap_scan-v21.patch added
I squashed commits since the last review
I reviewed and cleaned up some code readability
Updated the attached patch with the small code cleanup, no change in function
Updated by Jim Pingle over 2 years ago
- Status changed from Pull Request Review to Feedback
Merged to devel for testing in snapshots.
Updated by Danilo Zrenjanin over 2 years ago
Tested the package against:
2.7.0-DEVELOPMENT (amd64) built on Tue Apr 26 06:13:40 UTC 2022 FreeBSD 12.3-STABLE
The installation process went smoothly. I tested the package functionality and haven't noticed any issues. I'll leave it in Feedback status for one more round of testing.
Updated by Marcos M over 2 years ago
Looks good from the testing I've done. Only suggestion I have is that the results file may be best placed in /tmp
.
Updated by Phil Wardt over 2 years ago
Marcos Mendoza wrote in #note-24:
Looks good from the testing I've done. Only suggestion I have is that the results file may be best placed in
/tmp
.
It was originally, like "Packet Capture" too, in /root. Not sure if it is for privacy ?
drwxr-xr-x 8 root wheel 20 Apr 14 23:48 root
drwxrwxrwt 4 root wheel 48 Jun 6 21:53 tmp
Let me know if you want me to push an amend with results put in /tmp
Updated by Marcos M over 2 years ago
I can't think of a privacy issue for either - both locations are readable by everyone. The Packet Capture page is in need of review as well, but that's a separate issue.
Updated by Phil Wardt over 2 years ago
Marcos M wrote in #note-26:
I can't think of a privacy issue for either - both locations are readable by everyone. The Packet Capture page is in need of review as well, but that's a separate issue.
Since it was merged in devel, should I commit changes to put results file in /tmp
? Or it is fine for now to be merged in other branches ?
I am not used to the commit way of pfsense
Since the original commit was merged in devel, the pull request was closed also