Nmap Development mailing list archives
Re: Safe and Intrusive Category confusion
From: Fyodor <fyodor () insecure org>
Date: Mon, 28 Sep 2009 21:17:32 -0700
On Sun, Sep 27, 2009 at 12:39:52PM -0600, David Fifield wrote:

> On Wed, Sep 23, 2009 at 03:28:11AM -0700, Fyodor wrote:
>
> > Right now we have 20 scripts which aren't in "safe" or "intrusive". Does anyone want to go through this list (reading the nsedoc and/or script source) and add a short comment for each as to whether you think it should be "safe" or not (and why) and then send the commented list back to nmap-dev for discussion?
I guess I will kick this off then. Anyone should feel free to send comments if you disagree or just want to further discuss certain scripts. I'm using the definition from http://nmap.org/book/nse-usage.html#nse-categories:

  Scripts which weren't designed to crash services, use large amounts of network bandwidth or other resources, or exploit security holes are categorized as safe. These are less likely to offend remote administrators, though (as with all other Nmap features) we cannot guarantee that they won't ever cause adverse reactions. Most of these perform general network discovery. Examples are ssh-hostkey (retrieves an SSH host key) and html-title (grabs the title from a web page).

Here are my thoughts about each of the 20 scripts which currently aren't in either "safe" or "intrusive":

asn-query.nse:categories = {"discovery", "external"}
I think this one should be safe. It is an external, but that is a different issue and already reflected in the "external" categorization.

auth-spoof.nse:categories = {"malware"}
This is safe. It just connects to an identd server and reads for a reply.

daytime.nse:categories = {"discovery"}
This should be safe. It uses a simple UDP service as intended.

dhcp-discover.nse:categories = {"default", "discovery"}
I tend to feel like we should only have "safe" scripts run by default. So we either have to put this in the "safe" category, or remove it from "default". I'm on the fence with this one, but I think I very slightly prefer considering it "safe" since it is unlikely to cause any major problems and we haven't heard complaints about it and the information it provides is very useful.

finger.nse:categories = {"default", "discovery"}
I'd add this to "safe" since we've had it "default" for a long time and never heard any complaints.

http-favicon.nse:categories = {"default", "discovery"}
I'd say this is safe, and being in the default category reflects that.

http-headers.nse:categories = {"discovery"}
This one is safe - just makes a normal request.

http-malware-host.nse:categories = {"malware"}
This one is safe too, just looks for a 302 response to a request for /ts/in.cgi?open2.

http-trace.nse:categories = {"discovery"}
I'd say this is safe--it just sends an HTTP TRACE command and shows the header fields which were modified in the response.

http-userdir-enum.nse:categories = {"discovery"}
Right now we only have 10 entries in usernames.lst, so this is not too intrusive. But I expect that we'll increase the size of usernames.lst, so I suggest leaving this out of safe for now, just as we've left it out of default.

iax2-version.nse:categories = {"version"}
This script is generally only run as part of version detection, so I'm not sure if there is any value in labelling it with the "safe" category as well. So I suggest leaving it as is unless someone expresses a desire to have it in "safe".

imap-capabilities.nse:categories = {"default"}
This seems safe enough.

irc-info.nse:categories = {"default", "discovery"}
This one is on the edge, but since we decided it is safe enough for "default", I think we should list it as "safe".

pop3-capabilities.nse:categories = {"default","discovery"}
This seems safe.

pptp-version.nse:categories = {"version"}
I'd treat this the same way as iax2-version (leave it alone unless someone suggests adding more categories to the version detection scripts).

realvnc-auth-bypass.nse:categories = {"default", "vuln"}
I'd make it "safe". It is reasonably straightforward, and is in the default set already.

skypev2-version.nse:categories = {"version"}
Treat the same as the other version detection scripts.

smtp-open-relay.nse:categories = {"demo"}
This one should be left out of any other categories until it can be fixed up.

smtp-strangeport.nse:categories = {"malware"}
This one is certainly safe--it just processes information Nmap already has.

sniffer-detect.nse:categories = {"discovery"}
This technique is neat but a bit dodgy. I'd leave it out of safe for now.

After these changes are made, I'd suggest removing the "intrusive" category from all scripts which have it (the idea is that any scripts which aren't safe are intrusive), updating the docs accordingly, and then also updating the docs to note that we generally only put "safe" scripts in the default category.

Cheers,
-F
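The audit Fyodor performs by hand above (find every script whose categories include neither "safe" nor "intrusive", and check which "default" scripts are not also "safe") can be scripted against a scripts/ directory. The following is an added example written for this page, not code from the nmap-dev thread or from Nmap itself. The NSE_DIR variable and the five sample .nse files are constructed assumptions so the example runs offline; the sample category lists mirror the ones quoted in the mail but are not copied from real script sources.

```shell
#!/bin/sh
# Added example, not code from the nmap-dev thread or from Nmap itself.
# Audits a directory of .nse scripts the way the mail above does by hand:
# lists scripts whose "categories" line names neither "safe" nor
# "intrusive", and separately flags scripts that are "default" without
# being "safe". NSE_DIR is a hypothetical variable; the sample scripts are
# constructed here so the example runs offline. Point NSE_DIR at a real
# scripts/ directory to audit an installed Nmap.
set -eu

NSE_DIR="${NSE_DIR:-$(mktemp -d)}"

# make_sample NAME CATEGORIES-LITERAL: write a minimal .nse header
# (constructed data; only the categories line matters for the audit).
make_sample() {
  printf 'description = "constructed sample"\ncategories = %s\n' "$2" \
    > "$NSE_DIR/$1.nse"
}
make_sample asn-query         '{"discovery", "external"}'
make_sample finger            '{"default", "discovery"}'
make_sample ssh-hostkey       '{"default", "safe", "discovery"}'
make_sample http-userdir-enum '{"discovery"}'
make_sample smb-brute         '{"intrusive", "auth"}'

# categories_line FILE: print the first "categories = ..." line of a
# script, or nothing if the script has none.
categories_line() {
  grep '^categories[[:space:]]*=' "$1" | head -n 1
}

# uncategorized_scripts DIR: script names (no .nse suffix) whose
# categories contain neither "safe" nor "intrusive", one per line, sorted.
uncategorized_scripts() {
  for f in "$1"/*.nse; do
    case "$(categories_line "$f")" in
      *'"safe"'* | *'"intrusive"'*) ;;
      *) basename "$f" .nse ;;
    esac
  done | sort
}

# default_but_not_safe DIR: scripts run by default that are not marked
# safe, the combination the thread proposes to eliminate.
default_but_not_safe() {
  for f in "$1"/*.nse; do
    cats=$(categories_line "$f")
    case "$cats" in
      *'"default"'*)
        case "$cats" in
          *'"safe"'*) ;;
          *) basename "$f" .nse ;;
        esac ;;
    esac
  done | sort
}

echo "Neither safe nor intrusive:"
uncategorized_scripts "$NSE_DIR"
echo "Default but not safe:"
default_but_not_safe "$NSE_DIR"
```

On the constructed samples this reports asn-query, finger and http-userdir-enum as uncategorized and finger as default-but-not-safe. The check is a plain grep of the categories line, so a script that spreads its categories table over several lines would be missed; the real NSE loader evaluates the Lua, so treat this as a quick review aid rather than an authoritative list.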