So, this is one of the laptops, this is one of the PLCs, this controls the reverse osmosis, this is the water treatment display, and this runs island-rattling PLCs, and something that I figured out was that these PLCs also support Lua. The agenda for the day is to introduce Lua, secondly to introduce the Nmap Scripting Engine, and finally to get the ball rolling for future retops. So these are the contents: I'll talk about the beginning of Lua, why they even made it, and then some popular use cases, like where you can apply what you learned today, and then I'll be introducing Lua for a while, the whole time comparing it with Python, something which I think I'll reuse, and then I'll be talking about the Nmap Scripting Engine, and then I'll be showing you some of the stuff. So Lua was invented, like, released in 1993; it was released by three Brazilian guys from PUC-Rio, and they made this because in 1994 Brazil had trade restrictions, so they couldn't import technology. They needed a data entry language for the biggest petroleum company in Brazil, which was Petrobras, so they came up with Lua. The first version of Lua had types, but now it does not have any types. So these are some popular use cases of Lua: the Nmap Scripting Engine uses Lua; if you want to extend Wireshark, you can use Lua for it; if you are interested in AI or deep learning, Torch 7 uses Lua; recently I figured out that there's a library called Fluid.net by Google which also uses Lua; a lot of games run on Lua, for example Angry Birds, Crysis, World of Warcraft; and then a lot of embedded systems like televisions and PLCs, printers, autos also use Lua; and surprisingly Adobe Photoshop has 1.3 million lines of Lua. Also, if you are watching movies on your systems, you must have used VLC; you can write plugins for it in Lua. There is Vail. "What is Lua? Can you explain what Lua is?" I'll get to that, I'll get to that.
Yeah, so these are the games that use Lua, like a lot of games; I borrowed these games from Roboto. So what is Lua? Lua is a scripting language like Python, but it's much lighter. So Lua is like Python, but it is faster than Python; LuaJIT is faster than PyPy, and LuaJIT is faster than Java. Lua is tiny: compressed, Lua is at 297 kilobytes, and original Lua is at 1 megabyte, and it's just 24,000 lines of code. Lua is very powerful, and it is very simple to extend; it has a very nice C API, so if you have a program written in C, you can extend it with Lua. And finally Lua is free; it's under the MIT license. So this is how Hello World looks in Lua; this is not Python 3. As you can see, comments start with two hyphens, and there are no braces or semicolons or anything, so it's a very clean language, and if you want multi-line comments, you wrap the comments in square brackets. So yeah, if there are any questions, just ask. So this is a much better example; this example basically calculates factorial in Lua. Lua doesn't care about white space; I have indented this code. And then how do you find out if a code block has ended? Lua does not have parentheses; it uses the end keyword, and similarly for loops you have the end keyword there. io.read is a simple function to read from standard input, io.write by default writes to standard output, and you can concatenate things by using two periods. So, any questions on this? "What's the difference between io.write and print?" io.write can be extended to write to standard error or other things; print by default writes to stdout. So, any other questions about this? "Can you move on?" Yeah. So I talked about it: to concatenate two strings, you always use dot dot, and to do arithmetic addition, you'll be using plus. So Lua is dynamic, so you don't have to specify the types anywhere.
Lua is strongly typed, so if you have to explicitly coerce variables to different types, you can't; the language won't take care of it. And it's duck typed, so type checking happens at runtime. Finally, Lua does not have any lists, tuples or dictionaries; it only has one data structure, which is the table. It's a pretty interesting data structure; surprisingly it starts from one, it's not zero-indexed, like every other language is zero-indexed. So the creators thought that if there's a new programmer, he might be used to starting from one, because we are all programmers here, so we are used to zero, but if there's someone new they count from one. So they went with one, and if you want to make lists, lists are essentially tables without any keys, so if you don't put keys they get indexed from one by default. If you put in keys, you can access them by the key. And Lua has no concept of object orientation, so it has fake object orientation which comes from tables, and every module is written as a table. And like Python, Lua strings can be in single quotes or in double quotes, but if you want to write multiple lines, you use square brackets. Then in Python, empty lists or empty dictionaries or zero, such values are false, but in Lua only nil counts as false. And there are some funny things in Lua; for example, if a variable is undeclared, it's nil, so you won't have any name errors unless you try to index that particular variable. Also in Lua, variables are global by default, so you need to use the local keyword before declaring a variable to make it local to a particular scope. And yeah, plus and dot dot mean two different things: plus is only for arithmetic addition, while dot dot is only for concatenation. And there's only one numeric type, which is the double precision floating point. So something that I discovered recently was that evils can be used for other variables. And so Lua has some syntactic sugar.
So in Python, if you make a dictionary which has nil, you need to access it like this, while in Lua you can use the dot notation. You can still access the nil equation. And Lua numbers, unlike Python, are at the same level as C, so the numbers are quite small. So for example, in Python if you calculate the factorial of 900, you'll get the actual answer, while in Lua you'll get a very small number, which is basically infinite. And Lua has eight data types by default, and the number, string, function and thread are understandable. Userdata is basically user-allocated memory, which you need to use for arrays or other data structures that you define on your own. I will use the data here. And there is no string slicing in Lua; you have to use string.sub. Yeah. Okay, so there are a lot of rounding errors in Lua. So even if you store something like a 0 or a 1, it gets stored as 1.0. Yeah, so the example is not there. So it depends; for example, you're counting from 0 to 1. It will only count as 0.9 if you use the range function. But if you're counting from 9 to 10, it still counts 10. So there's some rounding there. And so this is a simple example. So the first one is a list; I've not put any keys there, so it gets 1, 2, 3 and 4 by default. The second one is a simple dictionary; you don't have to put the keys in quotes, like this. These are simple strings in Lua: this is in single quotes and this is in square brackets, it's multi-line. Yeah. This example basically illustrates the difference between plus and double dots. So if it's plus, it's always an addition: 1 plus 1 is 2, string 1 plus string 1 is 2, it's not 11. Yeah. This is like some quirks of Lua. So this is concatenating two numbers; it's concatenated. And if you add two numbers, it's always added, despite whatever form they are in. And yeah, so this is basically the simple sub function for strings, string.sub. So here, if you do 1 to 4, you get all four letters.
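Added by the editor, not code from the talk: a runnable Lua script that walks through the points made above, tables as lists and dictionaries, 1-based indexing, plus versus dot-dot, the "a cannot be added" error, string.sub, global-by-default variables, and which values count as false. All values in it are constructed for illustration; the expected outputs in the comments are for the standard Lua interpreter.

```lua
-- Added example (not from the talk): tables, coercion, and scoping.

-- A list is a table without explicit keys; Lua numbers the entries from 1.
local fruits = { "apple", "banana", "cherry" }
print(fruits[1])        --> apple   (fruits[0] is nil, not an error)
print(#fruits)          --> 3       (# gives the length of a sequence)

-- A dictionary is the same table type with explicit keys; bare identifiers
-- need no quotes, and dot notation and bracket notation are equivalent.
local config = { host = "127.0.0.1", port = 8080, ["content-type"] = "text/html" }
print(config.port == config["port"])   --> true
print(config.missing)                  --> nil  (no KeyError, no NameError)

-- Lists and dictionaries can be mixed in one table.
local mixed = { 10, 20, name = "demo" }
print(mixed[2], mixed.name)            --> 20   demo

-- Arithmetic always converts numeric strings to numbers; `..` always
-- converts numbers to strings.
print(1 + 1)          --> 2
print("1" + "1")      --> 2    (coerced to numbers, not "11")
print("1" .. "1")     --> 11   (a string, not a number)
print(1 .. 2)         --> 12   (the spaces matter: 1..2 is a malformed number)
print(type("1" + 1), type(1 .. 1))   --> number  string

-- Adding a non-numeric string is a runtime error; pcall catches it.
local ok, err = pcall(function() return 1 + 1 + "a" end)
print(ok)             --> false
print(err)            --> attempt to perform arithmetic on a string value ...

-- string.sub(s, i, j) slices with inclusive 1-based bounds.
local s = "hello"
print(string.sub(s, 1, 4))    --> hell
print(s:sub(2, 3))            --> el   (same call through the method syntax)
print(s:sub(-3))              --> llo  (negative indices count from the end)

-- Variables are global unless declared local.
local function leaks()
  leaked = "visible everywhere"           -- no `local`: becomes a global
  local kept = "scoped to this function"
  return kept
end
leaks()
print(leaked)                  --> visible everywhere
print(kept)                    --> nil

-- Only nil and false are falsy; 0, "" and {} are all true.
print(not nil, not false, not 0, not "", not {})   --> true  true  false  false  false
```

Save it as basics.lua and run `lua basics.lua`; every line prints the value noted in its comment, and the pcall line shows how to trap the arithmetic error instead of letting the script die.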
So what happens if you do 1 plus 1 plus "a"? It's an error, because "a" cannot be added. It's an error. Okay, any questions? Any more questions? Yeah, this will be an error; you cannot add non-numbers. Yeah, the output is a number. Yeah, the second one. "Is the output a number or a string?" The second number is a string; the third one is a number. Yeah, so string 1. So this slide basically shows the different conditional constructs. So it has a simple while loop: while the expression is false, sorry, while it's true, it keeps on running and it does whatever is in the block. So again, you have do instead of the opening brace and you have end instead of the closing brace. And the second is basically repeat until this expression becomes true: while the expression is false it keeps on going, and when it becomes true the loop stops. Okay, the third one is similar to a Python range function. So in Python, you would write 1, 10, and 1, so it would increment by 1 from 1 to 10. In Lua, you would write 1, 10, and 1 again. And you can have a decimal here as well, and you can have negative increments as well, so it would basically go down. And finally, for example, in Python, if you have a dictionary and you're on Python 2, you use dot items. In Lua, you have pairs. So if there's a table, you use pairs; it basically lets you look at the key-value pair and you can iterate over the dictionary. But if you're using a list and you want to go sequentially, you use ipairs. This is a list of numbers and you would go sequentially in the list. So if you have a list of characters and you want to go sequentially, you should use ipairs instead. So again, this is a simple if, then, elseif, and else, and it's a block. So I've already shown an if statement earlier. This is syntactically implementable; you still need the circular brackets. Sorry. But anyhow, so you don't have elif, you have elseif instead, and else is simply else. And every other statement has the same keyword there. Questions?
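Added by the editor, not code from the talk: the loop and branch forms just described, each with the Python construct it replaces noted in a comment, plus the `goto continue` idiom mentioned later in the talk. The port numbers and host names are constructed sample data.

```lua
-- Added example (not from the talk): Lua control flow next to its Python equivalent.

-- while: runs while the condition is true.            Python: while n < 3:
local n = 0
while n < 3 do
  n = n + 1           -- Lua has no n += 1
end
print(n)              --> 3

-- repeat ... until: runs at least once, stops when the condition becomes true.
local tries = 0
repeat
  tries = tries + 1
until tries >= 5
print(tries)          --> 5

-- Numeric for: for i = start, stop, step. The stop value is inclusive,
-- unlike Python's range(1, 11, 1), and the step may be negative or fractional.
local up = {}
for i = 1, 10 do up[#up + 1] = i end          -- step defaults to 1
print(table.concat(up, " "))                  --> 1 2 3 4 5 6 7 8 9 10

local down = {}
for i = 10, 1, -3 do down[#down + 1] = i end
print(table.concat(down, " "))                --> 10 7 4 1

-- pairs: every key/value pair, in no defined order.    Python: dict.items()
local ports = { http = 80, https = 443, ssh = 22 }
local seen = 0
for name, port in pairs(ports) do
  seen = seen + 1
  print(name, port)
end
print(seen)           --> 3

-- ipairs: integer keys 1, 2, 3, ... in order, stopping at the first nil.
local hosts = { "alpha", "beta", "gamma" }
for i, h in ipairs(hosts) do
  print(i, h)         --> 1 alpha / 2 beta / 3 gamma
end

-- if / elseif / else, closed with a single `end`.       Python: if / elif / else
local function classify(port)
  if port < 1024 then
    return "well-known"
  elseif port < 49152 then
    return "registered"
  else
    return "dynamic"
  end
end
print(classify(22), classify(8080), classify(60000))  --> well-known  registered  dynamic

-- `~=` is "not equal"; `!=` is a syntax error in Lua.
print(1 ~= 2, "a" ~= "a")    --> true  false

-- Lua has no continue; `goto continue` (Lua 5.2 and later) gives the same effect.
for i = 1, 6 do
  if i % 2 == 0 then goto continue end
  io.write(i, " ")           --> 1 3 5
  ::continue::
end
print()
```

The pairs loop prints the three entries in whatever order the table hash gives, which is why the example counts them rather than asserting on order; ipairs is the one to use when position matters.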
No, there's no order in the dictionary. "It's a list, right?" Yeah, you get those by default. "And when you use ipairs they come out as..." They come in order. "So is it sorted by key first before it comes to ipairs?" Yes. Yeah. "I think you missed the bracket, the parenthesis, in the previous statement." Yeah, I mentioned that. That's a simple module. Everything is a table again. So everything is a table; the score is initially zero. I have a better example towards the end of the talk, so I'll show that. This basically shows that everything is a table and everything gets returned as a table. Towards the end of the talk I have a better example which shows some object orientation. Also the operators: you don't have a bang equals; you have a tilde equals for not equal. And you can't do plus equals in Lua; you have to write a = a + 1 instead. And as I mentioned earlier, something that you should remember is that two periods is concatenation and plus is addition. Then, like Python, you can do short-circuiting, so "2 and 1 and whatever". So and, or and not work as they do in Python. And there's another operator, hash: if you put a hash before any variable you get the length of the variable. So if it's a string you get the length of the string; if it's a table you get the length of the table. Moving on. So this is how you do imports in Lua. The first example is basically something like import http as http; the next example is basically import http. So you use a require statement instead of import. And here, so, other things about Lua: Lua has no regular expressions in the standard library, but it does have something called Lua patterns. Lua patterns are weaker than regular expressions; they're very similar to regular expressions but you do not have groups in Lua patterns. You can't match big groups and there are some other weaknesses as well. But to circumvent that there are some external libraries.
So if you use LPeg or PCRE or, like we mentioned there, you can have regular expressions. Lua also does not have continue, but you have break, and for some reason the creator decided to introduce goto in Lua 5.2, and now you can use goto to have the effect of a continue statement. And Lua is pass by value, but if it's a table, the reference to the table gets passed as the value, so if you make changes inside a function, the changes outside also get reflected. And Lua functions are truly anonymous, so it's better for functional programming because you have truly anonymous functions. And yeah, so if you go to this URL you will see a nice explanation of why Lua does not have a continue statement. So like Python, you can have multiple returns and multiple assignments. In Python, if you use star list, the data structure gets expanded while it gets passed; in Lua you can do that using unpack. So if anyone has done JavaScript before, in Lua you can also define functions like you do in JavaScript: r = function(a, b) return a + b end. So this is basically a one-line function and that function would from now on add numbers. And I'll explain the fourth point later in the example. Then parameter passing is different. In Python, if you want to name a parameter you can do that; in Lua you can't do that. So how do you do that? Instead of having the names in the function, you have a table passed and you can reference keys in the table to get the particular values. So instead of having different options as arguments you have an options table and you can use options.a, options.b in your function. And for a variable number of arguments, Lua uses three dots as the main argument in the function. And something that I basically discovered in Python is that you have for-else loops: if the loop gets broken in between, the else part of the sequence... You don't have anything like that in Lua. Moving on. So this example basically shows how multiple arguments work.
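Added by the editor, not code from the talk: one script covering the function features discussed here and in the varargs example that follows, multiple returns and assignments, unpack, anonymous functions, an options table standing in for keyword arguments, and `...` with select("#", ...). The connect and join functions and their sample arguments are constructed for illustration.

```lua
-- Added example (not from the talk): multiple returns, unpack, anonymous
-- functions, an options table, and variadic arguments.

-- Multiple returns and multiple assignment.   Python: def divmod(a, b): return a // b, a % b
local function divmod(a, b)
  return math.floor(a / b), a % b
end
local q, r = divmod(17, 5)
print(q, r)                 --> 3  2

-- A table can be spread into arguments with unpack (table.unpack from 5.2 on),
-- like *args in Python.
local unpack = table.unpack or unpack   -- works on 5.1 and 5.2+
local args = { 17, 5 }
print(divmod(unpack(args))) --> 3  2

-- Functions are values; a "named" function is a variable holding an
-- anonymous function. The two forms below are identical.
local add = function(a, b) return a + b end
local function add2(a, b) return a + b end
print(add(2, 3), add2(2, 3))   --> 5  5

-- Lua has no keyword arguments. Convention: pass one options table and
-- read the named fields, with defaults supplied via `or`.
local function connect(opts)
  opts = opts or {}                       -- nil becomes an empty table
  local host = opts.host or "127.0.0.1"
  local port = opts.port or 80
  local timeout = opts.timeout or 5
  return host .. ":" .. port .. " (timeout " .. timeout .. "s)"
end
print(connect{ port = 8080, timeout = 2 })   --> 127.0.0.1:8080 (timeout 2s)
print(connect())                             --> 127.0.0.1:80 (timeout 5s)
-- f{...} and f"..." are sugar for calling f with a single table or string.

-- Variadic functions: `...` collects the arguments; `{...}` turns them into
-- a table, and select("#", ...) counts them even when some are nil.
local function join(sep, ...)
  local parts = { ... }
  local count = select("#", ...)
  for i = 1, count do
    parts[i] = tostring(parts[i])         -- a nil in the middle would stop ipairs early
  end
  return table.concat(parts, sep), count
end
print(join(", ", "a", 1, nil, true))      --> a, 1, nil, true   4

-- `...` can be forwarded unchanged to another function.
local function logf(fmt, ...)
  return string.format("[log] " .. fmt, ...)
end
print(logf("%s scanned %d ports", "nmap", 1000))   --> [log] nmap scanned 1000 ports
```

The options-table pattern is the one NSE libraries use too (the `options` argument of http.get is exactly such a table), which is why the example defaults a nil table to `{}` before reading from it.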
So three dots basically means that there are a number, like there are various arguments. So in the function, what you want to do is print them together. You use three dots. And how do you access the arguments? You access the arg variable. So it basically sequentially goes through arg, and then when it comes to everything, it prints the result. So it's used like this. So this example basically shows you how you write a simple object in Lua. Again, everything is a table. So Account is a table. This is a constructor. So if the user does not pass a table, then Lua creates a table by short-circuiting: if this is nil, this gets created. And then Lua has metatables and metamethods which allow a lot of things. So though Lua is a tiny language, you can have metatables and metamethods that can really extend Lua. So for example, if you want to make addition of two tables possible, you would add a metamethod to the metatable. So adding two data structures, or comparing two data structures, or subtracting two data structures: this can be achieved by using metatables. And so basically self.__index = self means whenever I look up the self object it will only go through self; it will not go through anything else. And then it returns o. This is the constructor. So this basically shows what I wanted to talk about: using a colon is basically simply sugar for writing a dot and passing self. So if you use a colon, self gets passed implicitly, but if you use a dot you have to explicitly mention self. So this function is basically the withdraw function of the Account object, and if you pass the amount it gets deducted from your value. And towards the end it returns the Account because the object has to be returned. So this basically shows you how to create a new object, a new sort of object: you use the constructor, you pass the balance.
And you can call the withdraw method by either using the colon, which looks better compared to the full stop, but they work the same way. So this example basically shows how Lua is pass by value. In the first instance the table contains three numbers, one, two and three, but the function changes the first index: it changes one to ten. So if you print it, it becomes ten. So it's still pass by value because the reference to the table gets passed as the value; it's similar to Python. And then if it's a string, the value of the string gets passed, so you still get hello; the variable does not change. And if you do that with a number, the function also does not change it, because instead of twenty-five it still prints ten. So this is a simple example of functional programming in Lua. So infix takes an operator: if you input plus it returns an adder. But the function has no name there, while in Python you will have to define the name of the function, or these will be lambdas. So in the second case if you enter a minus you get a subtractor, and if you enter something very random it returns a function that does nothing. So this is a simple example of functional programming in Lua. And then here's an iterator. So this here is a closure: if you create an instance of the iterator, these values still get remembered. So every time you go through the next value of the iterator, it just returns the value from the table. So this allows you to write the popular for-in construct. So this is the iterator and here it just goes through the iterator: for takes in the iterator and it prints x for each instance. So in this case the numbers get printed. Okay, so the talk is happening very fast. Any questions? No questions, okay. So I'll talk about the Nmap Scripting Engine now, which is a Lua use case. So Nmap is a popular tool used by security professionals across the globe; it allows you to run port scans.
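Added by the editor, not the speaker's slides: a complete version of the Account object described above, built from a table and a metatable with the colon syntax, plus the __tostring and comparison metamethods the speaker points to near the end of the talk, a closure-based iterator for the generic for, and the pass-by-value demonstration. The balances and the list contents are constructed sample data.

```lua
-- Added example (not from the talk): metatable-based objects, closures,
-- and pass-by-value semantics.

local Account = {}
Account.__index = Account       -- lookups that miss in an instance fall back to Account

-- Constructor. `o` defaults to {} through the short-circuit `or`.
function Account.new(o)
  o = o or {}
  o.balance = o.balance or 0
  return setmetatable(o, Account)
end

-- Defined with a colon, so `self` is an implicit first parameter.
function Account:deposit(amount)
  self.balance = self.balance + amount
  return self
end

function Account:withdraw(amount)
  if amount > self.balance then
    error("insufficient funds", 2)   -- level 2 blames the caller, not this line
  end
  self.balance = self.balance - amount
  return self
end

-- Metamethods: print() uses __tostring, `<` uses __lt, `==` uses __eq.
function Account.__tostring(a)
  return string.format("Account(balance=%d)", a.balance)
end
function Account.__lt(a, b) return a.balance < b.balance end
function Account.__eq(a, b) return a.balance == b.balance end

local a = Account.new{ balance = 100 }
a:withdraw(30)                  -- colon: self passed implicitly
Account.withdraw(a, 20)         -- dot: self passed explicitly; same call
print(a)                        --> Account(balance=50)
print(a < Account.new{ balance = 60 })   --> true
print(a == Account.new{ balance = 50 })  --> true

local ok, err = pcall(a.withdraw, a, 1000)
print(ok, err)                  --> false  insufficient funds

-- Closures: the iterator remembers `t` and `i` between calls.
local function values(t)
  local i = 0
  return function()
    i = i + 1
    return t[i]                 -- nil at the end stops the generic for
  end
end
local total = 0
for v in values({ 10, 20, 30 }) do
  total = total + v
end
print(total)                    --> 60

-- Pass by value: a table argument carries a reference, so in-place edits
-- are visible to the caller; strings and numbers are copied.
local function mutate(tbl, str, num)
  tbl[1] = 10
  str = str .. " world"
  num = num + 15
end
local list, word, count = { 1, 2, 3 }, "hello", 10
mutate(list, word, count)
print(list[1], word, count)     --> 10  hello  10
```

Because the instance table itself carries the balance while the methods live on Account and are reached through __index, `a.withdraw` and `a:withdraw` resolve to the same function; the only difference is who supplies `self`.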
So since 2006 Nmap has had the Nmap Scripting Engine, which basically automates a variety of networking tasks. When they were designing the Nmap Scripting Engine they had four things in mind: vulnerability detection, backdoor detection, network discovery and exploitation, and it achieves all of it. Currently we have around 110 libraries and more than 500 scripts written in Lua, and yeah, so it's still around the same efficiency as you would expect from Nmap. So if there's a student here who wants to go through Google Summer of Code, you can apply to work with the people at Nmap and you can get a stipend of $6,600. So it's a real opportunity for a student. Now there are some prominent libraries that ship with Nmap. So the http library basically allows you to make requests and get whatever you need. The stdnse library basically contains utilities: if you want to do debugging you can use stdnse; if you want to find if a table contains a particular value, you use stdnse; to find all the keys of a particular table, the function would be in stdnse. So similar functions are all in stdnse. Then slaxml is basically an XML parser. It's not DOM based, it's SAX, so as you go through the document it evaluates it; it does not have a memory overhead. And then the json library is like Python's json library. Then Lua does not have a string buffer in the standard package, so strbuf is a string buffer. And Nmap scripts run on things called rules. So there are port rules, host rules, pre-rules and post-rules. So when Nmap is running and it finds a host with the port: for example, if the port rule is set to something like http, the script engine will only call the script when there's an HTTP service running behind the port.
While a host rule would match the host and it would not care about the port at all, pre-rule scripts are run before a host is scanned and post-rule scripts are run afterwards. The four kinds of scripts run on four different rules. So I'll just show you http. So at Nmap we love documentation, so there's a lot of documentation here that I'll skip. So like every program, the program starts with some imports, then it sets the environment, and this basically checks for OpenSSL: if the system has OpenSSL it will use OpenSSL, or else it will not; all those things would result in an error. Then there are some functions which are local, so these functions cannot be addressed; you cannot do http.takeCoffee because it's a local function. And everything is very well documented, and so this function is also local; I'll get to a function which is not local. So this function basically allows you to perform a simple GET request. The arguments are the port, the path and options. And again, at Nmap we use LuaDoc. So this style of commentary is essentially converted into documentation, and every time you push a script to the repository the documentation gets updated. So this documentation gets generated from the script itself using LuaDoc. So every function which is documented will have some documentation here. So this is a simple statement that it uses, and then this is, I think I talked about almost all of the same things here. I'll demonstrate eventually. http-methods is a simple script that finds out the methods that a particular server supports. So again the script starts with some imports and we have the NSE syntax here. So we've got some imports and then the description of the script. The description basically tells what the script does. And then there's some documentation; again this is LuaDoc so you can see it online. And every script has an author or multiple authors, and then Nmap uses script categories.
So this is a default NSE script because it's not intrusive; it's not doing anything wrong, we're just pinging the web server. And then this is the local function. So if you see, then you must have seen that every C program has a main function. So the main function for NSE is basically the action function. So whenever the Nmap Scripting Engine finds that a port is running an HTTP web service, it calls the action function and the action gets performed. So I have a simple example here. So I'm running IP Webcam on this phone, and I know a couple of things about the webcam. First of all, it's an IP Webcam, so it has "IP Webcam" in one of its headers, and it's running on port 8080, so I'll be telling Nmap to only check port 8080, and then it's serving video on /video, so that path should not be 404. So I'll just write a simple script that does that. Yeah. Okay, one thing exists. This script has a description, so it has a category as well; the category will be safe because I'm not going to abuse it, and it could be a default script, and I've got discovery here. Yeah. Okay, so we forgot the imports, because we need the http library to make web requests; the shortport library allows you to create port rules in a short manner, so you don't have to write functions because the functions for default services are already written. But the script needs a port rule, so you need the action, which is basically function(host, port), and then we know a few things about the server. We know that it's serving video on /video, so that is something that can be used. So http.get, I just showed you how it's structured: port and /video.
I'm not passing options, so it gets an empty table by default, and there are some conditions on the response: response.status exists, and if the status is not equal to, again, a tilde instead of a bang, it's not equal to the status of our interest. And then what we do is the header should also exist, and we just look for "IP Webcam" in every header. So how do we do that? So for name, value in pairs: string.match is a standard Lua function which basically matches strings; you can enter Lua patterns in it. And so what we want to match is the header value. So any questions about the script? I think it's pretty safe, if you can enter. So I'll just run the script now. Also it's running on the same network as us, only 69.80. So I'm specifying that it should only scan port 8080 and these ports should be open, and the address space is 19.26, and --script basically allows you to run the script. This script is not ready because you don't have documentation, you don't have the author's name. So if you want to make a script ready it should ideally look like this: this has everything, this has documentation, the description is accurate, and you need the license, which is the script license. You can discover the device, and you have the webcams here. So we found a webcam here, so let's try to access the webcam. So there's a password, so Nmap has a script to find passwords. So how do we do that? So we look at the script; there is a script called http-brute which essentially goes through this password list. Wow. And at Nmap we try to have the data set relevant to the industry, so it has... has anyone tried this website called Have I Been Pwned?
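Added by the editor, not the speaker's script: a full NSE discovery script reconstructed from the description in the two paragraphs above, with the documentation fields the speaker says a finished script needs. The http, shortport and stdnse calls are real NSE library functions; the path /video, the "IP Webcam" header text and the author string are assumptions taken from the talk or marked as placeholders.

```lua
-- Added example (not the speaker's script): detect an IP Webcam-style service.

local http = require "http"
local shortport = require "shortport"
local stdnse = require "stdnse"
local string = require "string"

description = [[
Requests /video from a web service and reports the port when a response
header contains "IP Webcam" (header text assumed from the talk).
]]

author = "example author (placeholder)"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = { "discovery", "safe" }

-- Port rule from shortport: run only where Nmap believes an HTTP service
-- is listening, so the script never touches other ports.
portrule = shortport.http

-- Nmap calls action(host, port) for every port the portrule accepted.
action = function(host, port)
  -- No options table is passed; http.get treats nil options as empty.
  local response = http.get(host, port, "/video")

  -- No response, no status, or a 404: not the device we are looking for.
  if not response or not response.status or response.status == 404 then
    return nil                      -- nil output: nothing is printed for this port
  end
  if not response.header then
    return nil
  end

  -- Header names in response.header are lowercased by the http library;
  -- scan every value with a plain Lua pattern.
  for name, value in pairs(response.header) do
    if string.match(value, "IP Webcam") then
      local out = stdnse.output_table()
      out.status = response.status
      out.header = name .. ": " .. value
      out.path = "/video"
      return out
    end
  end
  return nil
end
```

Saved as ipwebcam-detect.nse, it runs the way the speaker runs his: `nmap -p 8080 --script ./ipwebcam-detect.nse <address>`. The output_table keeps the result structured so it renders the same way in normal and XML output, and returning nil for non-matching ports keeps the scan output quiet.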
So that website basically shows you if you have been pwned or not. So anyway, there is a data breach like this; researchers perform analysis of what passwords are very common, what user names are very common. So what you see first is this: a lot of passwords here, it's a very long list, it just goes on and on. If you are interested in lists like this, there are... I hope my password is not in there. So this Daniel Miessler, a security researcher, keeps a lot of passwords: you have 10 million passwords, you have the 10,000 most common passwords, and you have a lot of passwords, pretty friendly, so you can basically extend Nmap. So this will take a few passwords. Okay, so this is the top 100, but there are 10 million passwords as well; these are the 10,000 most common passwords. Yup. So these are the passwords, so I just run the script, http-brute. So I try, for example, yeah, so again I specify the name of the script, which is http-brute, and this script says it's intrusive, as it says it's intrusive, it's a brute script. So I run it on this particular one because I know the host address now, and then I will pass to it the first list only, so as soon as I get to the first password I run. So it's running http-brute against port 8080, because when the person wrote the script he did not have HTTP here; I have to extend the number of ports, because earlier it was just this, so it would not open 8080. So because of how the scripts are, you can edit them for your script. So it started going through here, and yeah, so it found the password; it's wave and orange, it's part 2. So we can work this out. So yeah, that was the one. Any questions?
So far, so moving on. So some interesting topic is object-oriented programming. Yup, I put the password here, so I knew the password; it was one of the passwords in the 10,000. So yeah, that was Nmap. So something that you could read about is object-oriented programming with Lua, because I did not really cover that. The main thing about Lua is metatables and metamethods; it looks scary initially, but if you are writing a Python class you must have used __str__ so that you get it as a string instead of the Python thing. To do that you use the __tostring metamethod, so whenever you print a particular object you get a pretty output and not something very disgusting. Other things like comparing different objects, for example if something is greater than the other object, you implement such things using metamethods and metatables. And Lua patterns: they are like regular expressions but they are much weaker. I think you can quickly pick up some Lua patterns; in 20 minutes you will have enough Lua patterns to start reading patterns. Nmap uses Lua's C API to actually control Lua; I have not done that, so I have not talked about it. Lua has coroutines, which are safer than threads, but again I have not used them, but I have seen them in the good ways too, so that's pretty interesting. I had once played with a treatise on closures, but that was in reading. And it has some really standard libraries like table, io, string, and the names are very self-explanatory. So Python has 700,000 questions on Stack Overflow; Lua has 12,000 questions. So a lot of our work depends on Stack Overflow, so whenever you run into an error you try to find it on Stack Overflow, but with Lua you can't do that; for Lua you have to go on IRC, you have to connect to Freenode and then #lua. A lot of people on #lua are really helpful. And then if you are interested in developing with Nmap you can join #nmap on Freenode or talk to me, and if you want to
link to this presentation, it's at tinyurl.com each Lua. And Lifu is an amazing Lua developer; so in Python you have something created by Lifu, so he creates things in Lua which allow you to do a lot with Lua; he creates a lot of packages in Lua. JC Johnson does a lot of work with Torch 7, so if you are interested in Nmap you can follow him. And if you want to talk to me I am at anomni.diatomchimni.com, so that's basically from the anomaly from the Matrix, that's me, and my website is at can.nap. So, any questions? "Are they considered, or are they considered, or are they considered?" Yes, yes, it's very, very troublesome. So for that Nmap has something called strict, so whenever you write code it initially checks if the variables exist or not. So to get by these errors we have something in place, but in a lenient language you can make a lot of mistakes and it still runs. So for example it prints in Lifu, but if you think that H is a table and it has a name there, it will result in Canada. So it's a very lenient language and there are some problems that are raised. I don't know why they decided to go with goto statements, because no one uses goto statements, but they have such things in Lua. But close. "So when you say about having the strict, it's equivalent to the possibility, because I am not familiar with code, but you can have a strict warning if you have, in case you think that it's in the category, packages like, what's the alternative of LuaRocks?" It's LuaRocks. "Cycle?" I haven't done a lot of AI with Lua; it's still not scientific programming, so I don't know the alternative. But some popular, so, do I do machine learning stuff? There's a lot of machine learning, there's a lot of artificial intelligence in Lua, so you can see the trending repositories here. So for example Torch 7 by Facebook, it's pure Lua, so a lot of neural networks are written in Lua. So I don't know how this happened, but people in the AI community picked up Lua; it probably has something to do with what they do. Yeah.
"Which IDE do you use?" My GitHub ID? IDE, I use so many types... it's nothing, has it worked in Lua? Do you have code in Lua? I don't know, there's a Lua IDE though; I've never used a Lua IDE, so it looks like it's used for Lua, I don't know. I usually use the same type of way of measuring. "Isn't there a GUI interface for Lua, an IDE?" A friend, name, to make friend names, probably has a Lua IDE, a GUI, it's for Lua; probably the activity I need to do is this: Torch has a GUI so you can make GUIs. So I was saying that games are written in Lua; it's not that entire games are written in Lua, but the hard part is written in C and Lua basically connects the hard parts. But if you're interested in game programming there is LÖVE, Lua in which you can write games, so you can write games, indie games, in Lua. So that's, I think, better than... any other questions? It's better than Pygame; it's very popular, people need to know about it. "Which demonstrates, it's not in Torch, it's in Lua, it's from LuaRocks?" I don't have LuaRocks because I'm usually developing for Nmap, so I just put the library in the... and it selects when you clone Nmap; all the libraries are usually there. They don't have it, but Lua itself has it; it's not a package manager. Let's just look at it in Lua; a new package is... so it's, sorry, I use Lua to write scripts for the Nmap Scripting Engine. So this script essentially, it's written by me, but it finds vulnerabilities in Elasticsearch. So I write scripts for the Nmap Scripting Engine; there are some other scripts as well. So this script essentially enumerates authors from the NSE library. So I write scripts for the Nmap Scripting Engine; that's what I mean, and I think it's good. "I would like to know, do you want to use it to control this?" Yes, so I was looking at this earlier, so I think National Instruments has PLCs which can run Lua, but I have no idea. I can't suggest you... Any other questions?