 |
SolarWinds makes easy-to-use enterprise IT management software to help IT pros solve problems every day and help to enable efficient and effective management of networks and IT environments.
Join our online community of over 100,000 IT professionals talking shop. Get involved. Gain insights. Share tips and tricks. Visit thwack today!
| |
The Nmap Security Scanner Project has participated in all seven previous Google Summers of Code, and they have been a tremendous success for us and the 54 student
participants! Google even featured our
success
stories and lessons learned in their Open Source Program blog.
This innovative and extraordinarily generous program provides $5,000
stipends to 1,000+ college and graduate students each year to create
and enhance open source software during their summer break. Students
gain valuable experience, get paid, strengthen their résumé, and write
code which will be distributed freely and used by millions of people!
2011 was a huge
success, and we're excited and honored to be participating again
for 2012!
Nmap is a free tool for network exploration or security auditing.
Several project ideas are suggested below,
or you can come up with your own clever
project. Maybe there is a feature that you have wanted for years,
but nobody has yet stepped up to the plate to implement it.
Almost all college and graduate students are elgible, but you need to hurry because student applications are only accepted from March 26 through April 6 (complete timeline).
To apply, see our
SoC page.
We have also written some tips for preparing a great
application. If you apply (or plan to), please join the temporary
Nmap SoC
mailing list to receive announcements. If you have any questions
about your ideas, the best place to post them is
the nmap-dev mailing list
(you
can join
here or read the archives
online). Questions specific to the Nmap SoC program may be sent
to Nmap-dev, or
the Nmap SoC
list, but we recommend Nmap-dev if the post is technical in nature.
Note that there are some basic requirements which apply to all sponsored projects.
While we hope you apply for Nmap, you are allowed to apply to multiple organizations. Doing so increases your odds of acceptance as long as you put sufficient time into each app. Many great security projects are part of the SoC this year, including
The Honeynet Project,
OpenWall,
Nmap Security Scanner,
Tor,
OWASP,
and PacketFence.
While you may submit a proposal for any cool idea your heart
desires, here are some suggestions that we consider extremely
desirable for the Nmap project and its users:
Index
Nmap Scripting Engine—Script Developers (3 Positions)
Key requirements: Know or quickly learn the (simple) Lua scripting language. Have significant network security and/or network administration skills. Experience with the C and C++ languages is a plus.
In 2006, Diman Todorov worked as a GSoC student with Nmap
author Fyodor
to create the Nmap
Scripting Engine (NSE). It has become one of Nmap's most popular
and powerful features, allowing users to write (and share) simple
scripts to automate a wide variety of networking tasks. We now have
more than 340 scripts, all documented at
the NSEDoc Reference Portal.
They run the gamut from simple discovery tasks
like whois
lookups, retrieving
web site titles,
and banner
grabbing, to complex functions
like spidering
a web server to find SQL injection vulnerabilities
and brute
force authentication cracking of MSRPC (SMB) servers. For a fun
38-minute introduction to NSE, see Fyodor and David
Fifield's 2010 Defcon
presentation video.
It is time we make the most of this fast and powerful scripting
system! We need talented, creative developers to identify
useful scripts (through research and community input) and then
implementing them. We already have many candidate script
ideas on our
wiki.
The script developers will also likely write some new libraries
since general code that many scripts are likely to use belongs in
libraries rather than the scripts themselves. Developers will also
help with testing and reviewing each other's scripts as well as those
submitted by the Nmap community. They may also have opportunities to
improve the NSE engine and infrastructure itself (this is where the C/C++ experience
helps).
If we receive enough great applications and sufficient slots from Google,
we would like to sponsor three script developers. Please specify your
preferences among the following development roles:
- Web scanning specialist
This position is perfect for a budding web guru with intimate
knowledge and interest in web-related standards and protocols,
particularly HTTP and HTML. SSL, Javascript, CSS, and XML are
important too. An understanding of common web
vulnerabilities such as SQL injection and cross-site scripting (XSS)
will also help. Tools to look at for inspiration
include Burp Suite and
w3af. Nmap already has
quite a few HTTP scripts that you can find on
the NSEDoc Portal, but many of
them could use improvement and they only scratch the surface of possible scripts. The
web has grown to dominate the Internet, so it is crucial that Nmap have solid web scanning capabilities.
- Discovery scanning specialist
Nmap is famous for network discovery and it already
has 110
discovery scripts. That still isn't good enough for us.
Applicants for this position must enjoy learning about and
implementing a wide variety of protocols. They will also be the go-to
guy (or gal) for any scripts which don't fit either of the positions
above, even if they aren't exclusively related to discovery.
- Vulnerability and exploitation specialist
If you love researching vulnerabilities and devising (and
implementing) scripts to detect and/or exploit them, this position is
for you! This person will follow the vulnerability announcement
forums and decide which ones merit detection and/or exploitation in
Nmap. They will watch what competing vuln scanners and exploitation
tools are implementing, but we also hope to beat many of those tools
to the punch. Malware detection scripts fit in this role too. You can see our current scripts in this genre by
reviewing
our vuln, exploit, auth, and malware
categories.
While script developers may have specialties, they won't focus
exclusively on that single niche. Sometimes priorities or workload
balancing will dictate that they work on scripts or libraries which
don't precisely match their NSE specialty.
Zenmap GUI developer
Key requirements: Python experience and strong user interface design skills.
While Nmap offered the NmapFE front end for many years, it was a
simple wrapper over the Nmap command-line executable and didn't
provide much extra value. In 2005 and continuing in 2006, Adriano
Monteiro Marques was sponsored by Nmap SoC to write a new,
cross-platform Nmap GUI and advanced results viewer. It was eventually
incorporated it into Nmap as
Zenmap and we've
been improving it ever since. We're particularly proud of the
network
topology, host filtering, scan comparison (using Ndiff), and language localization features.
While we're proud of what Zenmap has become, we know it could be
much better. But user interface design is a difficult and subjective
endeavor. We don't have a simple list you can follow for the perfect
Zenmap redesign. Anyone who applies for this role needs to come in
with substantial GUI design skills and some compelling ideas to start
out with. Instead of spending the summer implementing someone else's
design vision, your job will be to come up with and implement your
own. The main focus is on usability, but making the app prettier is
also a plus. Of course you won't just be set loose on the codebase
for three months. We will have regular meetings and discuss design
decisions. You will need to back up your change ideas with solid
reasoning.
To apply for this position, first install and test out Zenmap. It
comes with the Windows, Mac, and Linux packages on
the Nmap download page.
You application should describe, in detail, some of the changes you
would make to enhance Zenmap's usability and aesthetic appeal.
We highly encourage you to include design mock-ups in your application.
Feature Creepers and Bug Wranglers
Key requirements: Strong C/C++ skills. Python and Lua skills are valuable as well.
There are many Nmap bugs and desired features which are quite
important but take much less than a whole summer to implement. Some
may only take hours, while others could take weeks or even a month.
The feature creeper and bug wranglers handle many such tasks during
the summer. This lets them explore and contribute to a wide variety
of the Nmap code base rather than spending the whole summer working on
just one subsystem. The exact tasks won't all be itemized in advance,
but you can look at
the Nmap TODO list for
the current list of pending tasks. If you apply for this task, you
might mention several of the TODO items which you would be interested
in and qualified for. Here are some more ideas:
- Add functionality so that Nmap can do port scans through proxy servers (including SOCKS and HTTP proxies).
- When high-priority bugs are discovered, bug wranglers get on the case and solve them.
Rather than take a specific role (bug wrangler or feature creeper),
the individual(s) sponsored for this position will do some of each.
If you have ideas for small feature-creeping/bug-wrangling tasks,
we'd love to hear about them in your application.
Slacker
Nmap developers are known as some of the most productive in the
open source world. In order to crank out more code, many eschew
luxuries like classes, social lives, sex, and sleep. To
counterbalance all of this planned productivity, we may need some
experienced slackers to spend the summer playing Starcraft II, watching
TV, surfing Facebook, beach trips, and dating. You will report these activities in
a weekly status report so the rest of us can live our lives
vicariously through yours.
Since laziness is a virtue for this position, our normal application form is not required. Just
tell us your best time-wasting story or any other relevant credentials for this critical role.
Your Own Creative Idea!
Key requirements: Creativity
Don't feel constrained to the ideas we have suggested here. If you
are very familiar with Nmap and have your own great idea for
improvement, propose it! There will be dozens of applicants for each
position listed on this page, but your suggestions have less
competition. Before writing a whole proposal, we recommend that you
send a paragraph or two describing your idea to
the nmap-dev list for
feedback. Note that even if we don't accept your project idea (maybe
the timing is not right or it doesn't quite fit into the Nmap
roadmap), we will consider you for other Nmap projects if possible.
We pay close attention to the credentials of every applicant and are
happy to work with anyone with exceptional talent to find a project
which is highly desirable to them and to the Nmap project. So even
submitting your own "long shot" idea is often more successful than cut
& pasting one of the canned ideas on this page.
Community-contributed Ideas
Key requirements: Varies
If nothing yet has tickled your fancy and you don't want to propose your own idea from scratch, consider some of the commnity-contributed ideas on our wiki. Or feel free to add your own ideas there, even if you don't plan to apply for Nmap SoC.
In addition, we have many candidate ideas in the Nmap TODO list.
Ready to apply? Great! Please visit our SoC Application Notes page for instructions.
|
