Interview: David Fifield
David Fifield will give a talk about The Nmap scripting engine at FOSDEM 2010.
Could you briefly introduce yourself? And how are you involved in the Nmap project?
My name is David Fifield; I'm a free software programmer from Denver, Colorado, USA. I've been a GNU/Linux user and free software advocate for over 10 years. I work on the Nmap security scanning program.
I handle a lot of different tasks for Nmap. Much of this is maintenance coding, fixing bugs, and answering questions on the nmap-dev mailing list. Two important qualities in a security scanner are speed and accuracy, so a lot of new development work is devoted to those two things. For instance we recently did a large-scale survey to determine which probes are most effective at finding live hosts over the Internet, and used that to choose new, more accurate default host discovery probes. Nmap has a lot of contributors, so much of my time is spent reviewing and integrating submitted patches. I also help develop the companion programs that ship with Nmap: the Zenmap frontend, the Ncat socket program, and the Ndiff scan comparison tool.
What will your talk be about, exactly?
The talk will be about the Nmap Scripting Engine, or NSE. This is an embedded Lua interpreter combined with networking libraries that have access to Nmap's internal data structures. After running a port scan, the scripts you select will run to get more information about the target. We have some simple scripts that do things like check for a readable /etc/passwd on a web server or get an SSL server certificate, and more complex ones that look up AS numbers, check for Windows vulnerabilities, or list NFS exports. There are now over 75 scripts.
What do you hope to accomplish by giving this talk? What do you expect?
Even some of those who know about Nmap aren't aware of everything it can do. I hope that I will introduce the audience to something that is new to them. Another goal I have is to encourage new developers and script writers, so my talk will cover technical details of script operation and which files you need to know about.
NSE is a good environment for vulnerability and exploit research. A proof of concept vulnerability scanner can easily become a production scanner because it's already tied to a port scanner and a parallel sockets engine. I hope to make security researchers aware of this potential.
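To make the mechanics concrete, here is a minimal NSE script in the shape described above (a port rule that decides when the script runs, and an action that uses the NSE libraries to talk to the target). It is an editor-added example, not code from the interview or from the Nmap distribution; the filename passwd-check-example.nse and the script argument passwd.path are hypothetical, chosen for this illustration.

```lua
-- Editor-added example NSE script; not from the interview or the Nmap source tree.
-- Save as passwd-check-example.nse (hypothetical name) and run with, e.g.:
--   nmap -p 80 --script ./passwd-check-example.nse \
--        --script-args passwd.path=/etc/passwd <target>
local http      = require "http"
local shortport = require "shortport"
local stdnse    = require "stdnse"

description = [[
Requests a single path from a web server and reports it if the response body
looks like a Unix passwd file (a root entry with uid 0 and gid 0). The path
defaults to /etc/passwd and can be overridden with the script argument
passwd.path (hypothetical argument name for this example).
]]
author     = "added example"
license    = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"safe", "discovery"}

-- The port rule runs after the port scan: NSE calls the action only for
-- open ports that shortport.http recognises as HTTP (by number or service).
portrule = shortport.http

action = function(host, port)
  -- Script arguments come from --script-args; fall back to a default path.
  local path = stdnse.get_script_args("passwd.path") or "/etc/passwd"

  -- The http library drives Nmap's own parallel socket engine; the host and
  -- port tables are the ones Nmap filled in during the scan.
  local response = http.get(host, port, path)
  if not response or not response.status then
    stdnse.debug1("no HTTP response for %s", path)
    return nil
  end
  if response.status ~= 200 or not response.body then
    return nil
  end

  -- Every passwd file carries a root entry; anchor on uid 0 / gid 0 so that
  -- an ordinary HTML page mentioning "root" does not trigger a false positive.
  local line = response.body:match("(root:[^:]*:0:0:[^\n]*)")
  if line then
    return string.format("%s looks like a Unix passwd file (first match: %s)",
                         path, line)
  end
  return nil
end
```

Returning nil from the action keeps the script silent in the scan output, so only hosts that actually served a passwd-looking body are reported; run with -d to see the stdnse.debug1 messages for the rest. Because the check is tied to the port scan and to Nmap's socket engine, the same file that serves as a proof of concept against one host runs unchanged across a whole address range with nmap -p 80 --script ./passwd-check-example.nse 10.0.0.0/24.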
Why did you decide to contribute to Nmap?
I was introduced to Nmap in a computer security class in college. The first time watching the OS detection work was an amazing experience. I wanted to assist with a program whose name people would recognize, one that I had used personally to good effect.
What did you implement for your Google Summer of Code project in 2007?
My title was "feature creeper/bug wrangler," which means that I was responsible for designing and implementing several small features and fixing bugs as they were reported. Although I had used Nmap before, I was a newbie with the source code, so I started with trivial stuff like showing where data files were loaded from. I integrated about 1,200 OS fingerprint submissions from our online form into the OS database. My biggest job was to migrate the host discovery code from a special-purpose scanner into the general-purpose port scanning code. That doesn't sound exciting, but it gave me experience with network performance testing and led the way for future speed and accuracy improvements.
Only one year after you worked as a student in GSoC, you saw the other side and served as a Summer of Code mentor. How was that experience?
It's quite different being a student and a mentor. As a student, you have all these jobs to do and you're working furiously because you want to make a good impression. Mostly you can just work independently, giving regular reports, and check the work in when it's done. As a mentor, in contrast, I learned how much work it is just to keep track of what your students are up to. It's a big change from just getting a list of jobs to do to having to prioritize several jobs and match them with people's skills. I don't get as much work done when I'm mentoring, but it's worth it because the students are accomplishing things, and we're helping the future of free software by giving them real-world development experience.
Which new features can we expect to appear in Nmap in 2010?
Inside the Nmap source distribution is a file called docs/TODO that is a rough outline of future plans. I can't promise that any of these will be done in 2010, but some of the big things from the list are scanning through proxies with Nmap and support for making SSL servers out of arbitrary programs with Ncat. NSE is growing and growing, so you can expect more scripts and libraries. Of course maintaining the service and OS detection databases is an ongoing process, and we'll have new entries for whatever OS revisions or new services appear in 2010.
Have you enjoyed previous FOSDEM editions?
This year will be my first year at FOSDEM.
This interview is licensed under a Creative Commons Attribution 2.0 Belgium License.