Nmap Development mailing list archives

Re: Safe and Intrusive Category confusion


From: David Fifield <david () bamsoftware com>
Date: Wed, 30 Sep 2009 20:53:50 -0600

On Mon, Sep 28, 2009 at 09:17:32PM -0700, Fyodor wrote:
On Sun, Sep 27, 2009 at 12:39:52PM -0600, David Fifield wrote:
On Wed, Sep 23, 2009 at 03:28:11AM -0700, Fyodor wrote:
Right now we have 20 scripts which aren't in "safe" or "intrusive".
Does anyone want to go through this list (reading the nsedoc and/or
script source) and add a short comment for each as to whether you
think it should be "safe" or not (and why) and then send the commented
list back to nmap-dev for discussion?

I guess I will kick this off then.  Anyone should feel free to send
comments if you disagree or just want to further discuss certain
scripts.  I'm using the definition from
http://nmap.org/book/nse-usage.html#nse-categories:

  Scripts which weren't designed to crash services, use large amounts
  of network bandwidth or other resources, or exploit security holes
  are categorized as safe. These are less likely to offend remote
  administrators, though (as with all other Nmap features) we cannot
  guarantee that they won't ever cause adverse reactions. Most of
  these perform general network discovery. Examples are ssh-hostkey
  (retrieves an SSH host key) and html-title (grabs the title from a
  web page).

Here are my thoughts about each of the 20 scripts which currently
aren't in either "safe" or "intrusive":

Here's a summary of your list, without the rationales:

== Safe
asn-query.nse
auth-spoof.nse
daytime.nse
dhcp-discover.nse
finger.nse
http-favicon.nse
http-headers.nse
http-malware-host.nse
http-trace.nse
imap-capabilities.nse
irc-info.nse
pop3-capabilities.nse
realvnc-auth-bypass.nse
smtp-strangeport.nse

== Not safe
http-userdir-enum.nse
sniffer-detect.nse

== Version
iax2-version.nse
pptp-version.nse
skypev2-version.nse

== Demo
smtp-open-relay.nse

I'm with you on the special handling of the version scripts and
smtp-open-relay.nse. I agree with the "not safe" ones too. There are a
couple, as you said, under "Safe" that could go either way, but the list
above looks good to me.

David Fifield

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org