Nmap Development mailing list archives

Re: Safe and Intrusive Category confusion


From: Fyodor <fyodor () insecure org>
Date: Mon, 28 Sep 2009 21:17:32 -0700

On Sun, Sep 27, 2009 at 12:39:52PM -0600, David Fifield wrote:
> On Wed, Sep 23, 2009 at 03:28:11AM -0700, Fyodor wrote:
> > Right now we have 20 scripts which aren't in "safe" or "intrusive".
> > Does anyone want to go through this list (reading the nsedoc and/or
> > script source) and add a short comment for each as to whether you
> > think it should be "safe" or not (and why) and then send the commented
> > list back to nmap-dev for discussion?

I guess I will kick this off then.  Anyone should feel free to send
comments if you disagree or just want to further discuss certain
scripts.  I'm using the definition from
http://nmap.org/book/nse-usage.html#nse-categories:

  Scripts which weren't designed to crash services, use large amounts
  of network bandwidth or other resources, or exploit security holes
  are categorized as safe. These are less likely to offend remote
  administrators, though (as with all other Nmap features) we cannot
  guarantee that they won't ever cause adverse reactions. Most of
  these perform general network discovery. Examples are ssh-hostkey
  (retrieves an SSH host key) and html-title (grabs the title from a
  web page).

Here are my thoughts about each of the 20 scripts which currently
aren't in either "safe" or "intrusive":

asn-query.nse:categories = {"discovery", "external"}
  I think this one should be safe.  It is an external, but that is a
  different issue and already reflected in the "external"
  categorization.

auth-spoof.nse:categories = {"malware"}
  This is safe.  It just connects to an identd server and reads for a
  reply.

daytime.nse:categories = {"discovery"}
  This should be safe.  It uses a simple UDP service as intended.

dhcp-discover.nse:categories = {"default", "discovery"}
  I tend to feel like we should only have "safe" scripts run by
  default.  So we either have to put this in the "safe" category, or
  remove it from "default".  I'm on the fence with this one, but I
  think I very slightly prefer considering it "safe" since it is
  unlikely to cause any major problems and we haven't heard complaints
  about it and the information it provides is very useful.

finger.nse:categories = {"default", "discovery"}
  I'd add this to "safe" since we've had it "default" for a long time
  and never heard any complaints.

http-favicon.nse:categories = {"default", "discovery"}
  I'd say this is safe, and being in the default category reflects
  that.

http-headers.nse:categories = {"discovery"}
  This one is safe - just makes a normal request.

http-malware-host.nse:categories = {"malware"}
  This one is safe too, just looks for a 302 response to a request for
  /ts/in.cgi?open2.

http-trace.nse:categories = {"discovery"}
  I'd say this is safe--it just sends an HTTP TRACE command and shows
  the header fields which were modified in the response.

http-userdir-enum.nse:categories = {"discovery"}
  Right now we only have 10 entries in usernames.lst, so this is not
  too intrusive.  But I expect that we'll increase the size of
  usernames.lst, so I suggest leaving this out of safe for now, just
  as we've left it out of default. 

iax2-version.nse:categories = {"version"}
  This script is generally only run as part of version detection, so
  I'm not sure if there is any value in labelling it with the
  "safe" category as well.  So I suggest leaving it as is unless
  someone expresses a desire to have it in "safe".

imap-capabilities.nse:categories = {"default"}
  This seems safe enough.

irc-info.nse:categories = {"default", "discovery"}
  This one is on the edge, but since we decided it is safe enough for
  "default", I think we should list it as "safe".

pop3-capabilities.nse:categories = {"default","discovery"}
  This seems safe.

pptp-version.nse:categories = {"version"}
  I'd treat this the same way as iax2-version (leave it alone unless
  someone suggests adding more categories to the version detection scripts).
 
realvnc-auth-bypass.nse:categories = {"default", "vuln"}
  I'd make it "safe".  It is reasonably straightforward, and is in the
  default set already.

skypev2-version.nse:categories = {"version"}
  Treat the same as the other version detection scripts.

smtp-open-relay.nse:categories = {"demo"}
  This one should be left out of any other categories until it can be
  fixed up.

smtp-strangeport.nse:categories = {"malware"}
  This one is certainly safe--it just processes information Nmap
  already has.

sniffer-detect.nse:categories = {"discovery"}
  This technique is neat but a bit dodgy.  I'd leave it out of safe
  for now.

After these changes are made, I'd suggest removing the "intrusive"
category from all scripts which have it (the idea is that any scripts
which aren't safe are intrusive), updating the docs accordingly, and
then also updating the docs to note that we generally only put "safe"
scripts in the default category.

Cheers,
-F

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
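The review above works from grep-style `script.nse:categories = {...}` lines and applies two rules: list scripts that are in neither "safe" nor "intrusive", and (the policy proposed at the end) flag anything in "default" that is not "safe". The following is an added example of that audit as a small script; it is not code from the Nmap project, the sample lines are a constructed subset of the post's list plus two made-up entries (ssh-hostkey, smb-brute), and the selection helper is a simplified model of `--script` category filtering, not Nmap's actual expression parser.

```python
import re
from typing import Dict, List, Set

# Constructed sample in the shape of `grep -H "^categories" scripts/*.nse`
# output. The first five lines mirror the post; the last three are made up
# for illustration and are not claims about real Nmap script categories.
SAMPLE_GREP_OUTPUT = """\
asn-query.nse:categories = {"discovery", "external"}
auth-spoof.nse:categories = {"malware"}
dhcp-discover.nse:categories = {"default", "discovery"}
http-userdir-enum.nse:categories = {"discovery"}
iax2-version.nse:categories = {"version"}
ssh-hostkey.nse:categories = {"safe", "default", "discovery"}
smb-brute.nse:categories = {"intrusive", "auth"}
pop3-capabilities.nse:categories = {"default","discovery"}
"""

# filename, then the Lua assignment; whitespace around "=" and "," is optional
LINE_RE = re.compile(
    r'^(?P<script>[^:]+\.nse):\s*categories\s*=\s*\{(?P<cats>[^}]*)\}'
)


def parse_categories(text: str) -> Dict[str, Set[str]]:
    """Map each script file name to the set of categories it declares."""
    result: Dict[str, Set[str]] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a categories assignment; skip silently
        cats = {
            c.strip().strip('"\'')
            for c in m.group("cats").split(",")
            if c.strip()
        }
        result[m.group("script")] = cats
    return result


def unclassified(scripts: Dict[str, Set[str]]) -> List[str]:
    """Scripts in neither 'safe' nor 'intrusive': the list the post reviews."""
    return sorted(
        name for name, cats in scripts.items()
        if not cats & {"safe", "intrusive"}
    )


def default_but_not_safe(scripts: Dict[str, Set[str]]) -> List[str]:
    """Scripts run by default without a 'safe' label (violates the proposed policy)."""
    return sorted(
        name for name, cats in scripts.items()
        if "default" in cats and "safe" not in cats
    )


def select_scripts(scripts: Dict[str, Set[str]],
                   include: Set[str], exclude: Set[str]) -> List[str]:
    """Simplified model of `--script "<include> and not <exclude>"`:
    a script runs if it has any included category and no excluded one."""
    return sorted(
        name for name, cats in scripts.items()
        if cats & include and not cats & exclude
    )


if __name__ == "__main__":
    table = parse_categories(SAMPLE_GREP_OUTPUT)
    print("neither safe nor intrusive:", unclassified(table))
    print("default but not safe:      ", default_but_not_safe(table))
    print("default and not intrusive: ",
          select_scripts(table, {"default"}, {"intrusive"}))
```

Run it against real output with `grep -H "^categories" /usr/share/nmap/scripts/*.nse | python3 audit.py` after swapping the constructed sample for `sys.stdin.read()`; the `default_but_not_safe` list is the one to keep empty if the "only safe scripts run by default" convention is adopted.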