Nmap Development mailing list archives

Re: [NSE patch]


From: David Fifield <david () bamsoftware com>
Date: Mon, 15 Sep 2008 00:51:32 -0600

On Wed, Aug 27, 2008 at 12:54:45AM +0100, jah wrote:
> On 26/08/2008 01:59, Fyodor wrote:
> > One problem is that when I use this in combination with version
> > detection, the NSE script fails to get results:
> >
> > ./nmap -sV --script scripts/netbios-smb-os-discovery.nse 192.168.0.4
> > [...]
> > PORT    STATE SERVICE      VERSION
> > 135/tcp open  msrpc        Microsoft Windows RPC
> > 139/tcp open  netbios-ssn
> > 445/tcp open  microsoft-ds Microsoft Windows XP microsoft-ds
> > MAC Address: 00:0C:29:FA:6E:BD (VMware)
> > Service Info: OS: Windows
> >
> > Host script results:
> > |  Discover OS Version over NetBIOS and SMB: OS version cannot be determined.
> > |_ Never received a response to SMB Setup AndX Request
> > |  Discover OS Version over NetBIOS and SMB: Windows XP
> > |_ Discover system time over SMB: 2008-08-25 19:56:53 UTC-7
> I've noticed this too and I think that because the script is in the
> version category it's actually called twice when you specify it by name
> and with -sV:
>
> SCRIPT ENGINE: Matching rules.
> SCRIPT ENGINE: Will run C:\Program
> Files\Nmap\scripts\netbios-smb-os-discovery.nse against 192.168.1.1
> SCRIPT ENGINE: Will run C:\Program
> Files\Nmap\scripts\netbios-smb-os-discovery.nse against 192.168.1.1
> SCRIPT ENGINE: Running scripts.
>
> So aside from the issue in the script, perhaps NSE should prevent a
> script running twice when a version category script is called by -sV and
> by name?

I made a change in NSE to prevent the script from being loaded twice.
Previously the initialization code only checked for duplication while it
was reading script.db; now it checks any time a file is loaded. The
check is keyed on the script's file name, so you can fool it with
something like --script=script.nse,/usr/share/nmap/scripts/../script/script.nse.
But --script=script.nse -sV with script.nse in the "version" category
will no longer run script.nse twice.

I haven't figured out why the script gives bogus results when it is run
twice yet.

David Fifield
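The selection-and-duplicate logic David describes, as an added example that is not Nmap's code (Nmap's engine is C++ and its scripts are Lua; this is a Python model). It assumes a constructed stand-in for script.db, a temporary scripts/ directory of placeholder files, and hypothetical helper names (select_scripts, raw_key, real_key, demo). It shows why `--script=name -sV` used to queue a "version" script twice, why keying the check on the path string stops that, and why a `..` path variant still slips past a string key but not a canonical-path (realpath) key.

```python
import os
import tempfile

# Constructed stand-in for Nmap's script.db: script file name -> categories.
SCRIPT_DB = {
    "netbios-smb-os-discovery.nse": {"default", "discovery", "version"},
    "example-banner.nse": {"default"},
}


def make_script_dir():
    """Create a temporary scripts/ directory of placeholder .nse files so
    that path canonicalisation runs against real files (constructed)."""
    root = tempfile.mkdtemp(prefix="nse-demo-")
    scripts = os.path.join(root, "scripts")
    os.makedirs(scripts)
    for name in SCRIPT_DB:
        with open(os.path.join(scripts, name), "w") as f:
            f.write("-- placeholder NSE script\n")
    return scripts


def resolve(spec, scripts_dir):
    """Turn a --script entry into a path: bare names are looked up in
    scripts_dir, anything containing a separator is taken as given."""
    if os.path.isabs(spec) or os.sep in spec:
        return spec
    return os.path.join(scripts_dir, spec)


def select_scripts(script_args, version_scan, scripts_dir, key=None):
    """Build the run list from explicit --script entries plus, when -sV is
    set, every script in the "version" category.  `key` canonicalises a
    path before the duplicate check; None means no check at all (the old
    behaviour, where a script could be loaded twice)."""
    wanted = [resolve(s, scripts_dir) for s in script_args]
    if version_scan:
        wanted += [os.path.join(scripts_dir, n)
                   for n, cats in SCRIPT_DB.items() if "version" in cats]
    if key is None:
        return wanted
    seen, run_list = set(), []
    for path in wanted:
        k = key(path)
        if k in seen:
            continue          # already queued under this key: skip it
        seen.add(k)
        run_list.append(path)
    return run_list


def raw_key(path):
    """Duplicate check keyed on the path string as written (fooled by ..)."""
    return path


def real_key(path):
    """Duplicate check keyed on the resolved canonical path."""
    return os.path.realpath(path)


def demo():
    """Return how many times the script would run under each policy."""
    scripts_dir = make_script_dir()
    name = "netbios-smb-os-discovery.nse"
    # A path variant that names the same file through "..".
    alias = os.path.join(scripts_dir, "..", "scripts", name)
    return {
        "name_and_sV_nodedup": len(select_scripts([name], True, scripts_dir)),
        "name_and_sV_raw": len(select_scripts([name], True, scripts_dir, raw_key)),
        "alias_raw": len(select_scripts([name, alias], False, scripts_dir, raw_key)),
        "alias_real": len(select_scripts([name, alias], False, scripts_dir, real_key)),
    }


if __name__ == "__main__":
    for policy, runs in demo().items():
        print(f"{policy}: script queued {runs} time(s)")
```

The first two results reproduce the thread: without a check the script is queued once by name and once by category; a check keyed on the path string collapses that to one run. The last two show the caveat in the message: the string key still lets a `..` spelling of the same file through, while resolving to the canonical path before comparing does not.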

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org