Re: [RFC] Default NSE Scripts

[Fyodor <fyodor () insecure org>]

On Sat, May 10, 2008 at 04:43:15AM +0000, Brandon Enright wrote:
> Who knows if any of this crap would actually hold up in court.  I
> really don't think any scripts in the default category though should
> also fall into the "askalayer" category.
>
> A user of Nmap takes responsibility for their actions into their own
> hands.  Lets not have the proverbial gun pointing at their foot by
> default though, lets make them aim it there on their own.

I see your point, but I think that many/most scripts have the
potential to annoy the sorts of people would would put out a public
FTP server with anonymous access enabled, and then complain when
people log in.  Also, these scripts won't run with a deafult scan like
"nmap <target>".  Only if you specify scripting with an option such as
-sC or -A.  And anonFTP has run by default (if you're ask for
scripting) since it was added in 2006 and I haven't heard any
complaints about it being default.  So this isn't a change in
behavior.

Maybe what we need to do is document better that -sC/-A are
particularly intrusive and really shouldn't be run without permission
of the target network.

While I don't think I'd want exploits running by default with -sC, I'd
like to have vulnerability checks included so that Nmap can tell you
if it sees a gaping hole.  And many admins don't like folks
vuln-checking their servers without permission.

Cheers,
-F

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org