Nmap Development mailing list archives
Re: [RFC] Default NSE Scripts
From: Brandon Enright <bmenrigh () ucsd edu>
Date: Sat, 10 May 2008 04:43:15 +0000
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Fyodor. I have a few comments below. I think this topic is hard to discuss without sounding confrontational. These are my opinions alone and are meant constructively. Text has a way of concealing a well-meaning tone. Please read the tone of this email as 100% friendly.

On Fri, 9 May 2008 21:08:57 -0700 or thereabouts Fyodor <fyodor () insecure org> wrote:
> > * anonFTP
> >
> > This logs into the FTP server. It may be hard to argue that port scanning is a crime but it's easy to argue that under the right circumstances, logging into a FTP server is unauthorized access.
>
> Since the point of anonymous FTP is to allow unauthenticated access, it would be pretty lame to argue that it is unauthorized access, IMHO. If you don't want to allow the public access, use a username/password. Some search engines index anonymous ftp content.
>
> But at the same time, I don't think people should assume that doing a default script scan against some target machine/network without permission is OK. The scripts in general are much more intrusive than a simple port scan, as you've noted. Currently, the default is to run scripts in the "intrusive" category (as well as "safe"). Still, we don't want anything too dangerous running as default. A metasploit-style exploitation script is no-go, for example.
First I'll start off by saying that I don't disagree. The problem though is that I've often heard the argument "just because the door wasn't locked..." with regard to passwords not being on services. All too often people that have no business making or weighing technical decisions are involved in the process anyways. To the rest of us, arguing that logging into anonymous FTP is unauthorized access is ridiculous. To someone looking for any excuse to prosecute you though, it's more ammunition than I'd like to give (by default anyways).

Here is another example. How many of us think privacy notices like the one below are ridiculous:

"PRIVACY & CONFIDENTIALITY NOTICE: This message is for the designated recipient only and may contain privileged, confidential, or otherwise private information. If you have received it in error, please notify the sender immediately and delete the original. Any other use of an email received in error is prohibited."

Probably all of us. Will one of these hold up in court? Maybe. People still feel a need to "protect" themselves by putting them in their signature.

These privacy notices are little different than the various FTP banners you see on public FTP servers like this one:

220--------------------------------------------------------------------------------
220-THIS IS A PRIVATE COMPUTER SYSTEM AND IS FOR AUTHORIZED USE ONLY.
220-
220-Any or all use of this system and all files on this system may be intercepted and monitored.
220-
220-Unauthorized or improper use of this system may result in disciplinary and/or legal action. By continuing to use this system you indicate your awareness of and consent to these terms and conditions of use.
220-
220-LOG OFF IMMEDIATELY if you are not an authorized user of this system or do not agree to the conditions stated in this warning.
220--------------------------------------------------------------------------------
220-
220 <hostname> FTP server (Version: Mac OS X Server 10.5.5 003 - +GSSAPI) ready.
The wording of this banner suggests that logging in alone is agreement to the "terms". Who knows if any of this crap would actually hold up in court. I really don't think any scripts in the default category though should also fall into the "askalawyer" category.

A user of Nmap takes responsibility for their actions into their own hands. Let's not have the proverbial gun pointing at their foot by default though, let's make them aim it there on their own.

Brandon

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.9 (GNU/Linux)

iEYEARECAAYFAkglJ+oACgkQqaGPzAsl94LjSwCdGrF1UBl7BNyRnmJfhb9cbphS
Qv4AoLDOZ19QvYLl3RtW5k8VdCJNlZgb
=iF0i
-----END PGP SIGNATURE-----

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org