Nmap Development mailing list archives
Re: Nmap SoC Ideas?
From: Ron <ron () skullsecurity net>
Date: Tue, 16 Mar 2010 07:34:12 -0500
While we're on the subject of cool new features, here's something else I've been thinking about for awhile...

o Automatic updater (for scripts/nselib, mainly)

There are many times when I find myself writing about how to update a specific script/library when a new vulnerability comes out so people can find it. It'd be far easier for me (and people using Nmap) if there was a script repository that they could easily update. Some ideas are:

  o Use svn like Metasploit (not sure that would work for Nmap, but svn is nice for updating interpreted stuff)
  o Use rsync like OpenVAS
  o Use whatever Nessus does (I have no idea how Nessus does it)
  o Use rss like podcasts do
  o Have a repository that users can browse from within Zenmap, possibly using one of the above technologies. Users can check through scripts, and automatically get the 'recommended' scripts (whatever that means).
  o Allow scripts to be hosted externally by others (and maybe even signed, like Nessus -- maybe optionally?) so people can do nmap --script-update=http://someothersite/scripts. rsync, rss, and other technologies would make that easy, but it becomes a potential security issue.

It'd be cool if there could be different sources for scripts, especially for experimental scripts if somebody wants to stay on the bleeding edge (scripts that haven't been added to svn yet and that need testing) -- it'd make it easier for people to try out new scripts and give feedback before they're included.

Honestly, I don't think it suits scripts to be held back by Nmap's release cycle. Scripts are almost completely independent of the Nmap core these days, and scripts are often time-sensitive (especially the vulnerability checkers), and scripts have a bit of a different development model (faster turnaround, self contained).

The Conficker script really showed the weakness in basing scripts along with actual releases, when we had to do repeated releases just for a script, when in Nessus or MSF it'd be a single command for the user to update.

Along with scripts, an auto-updater for data files (mac prefixes, version probes, upcoming udp payloads, etc) would probably benefit users as well.

Thoughts?

On Sat, 13 Mar 2010 16:10:07 -0800 Fyodor <fyodor () insecure org> wrote:
Hi Folks. It is that time of the year again for the Summer of Code! I filled out the Google application yesterday. Given that Nmap has been accepted for all five previous Summers of Code, chances are that we'll be accepted again. But that is only the very beginning!

The most important work right now is identifying the projects we want accomplished this summer. I already have some ideas, which I've posted here:

http://nmap.org/soc/

That page has all the details, but here is a summary of the projects:

o Nmap Scripting Engine--Script Developer
o Nmap Cloud Scanning Platform
o Zenmap GUI Developer
o Feature Creepers and Bug Wranglers
o Nmap and Zenmap on Mobile Devices (iPhone, Android, Maemo, etc.)
o Nmap Scripting Engine--Infrastructure manager
o Ncrack Developer
o Nping Developer

Those are all well and good, but I'd love to hear from the community where you would like Nmap to go! This is your chance to specify a feature you've wanted and we may be able to find a college/grad student to get it done! The Summer of Code lasts just under 3 months, but we can usually fit smaller tasks into larger projects (or "feature creeper" appointments), and we have a long history of large projects which take multiple years (Zenmap, NSE).

We're even willing to consider separate applications as long as they fit with the rest of the Nmap suite. After all, the latest SVN version of Nmap now offers 5 utilities: Nmap, Zenmap, Ndiff, Ncat, and (alpha version) Nping! Plus we have the (alpha) Ncrack distributed from http://nmap.org/ncrack/.

So let's hear your ideas! I also welcome comments on the existing projects listed on the page. Remember that even the best students are only as good (or at least as useful to the project) as the tasks we put them to.

Cheers,
Fyodor
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
--
Ron Bowes
http://www.skullsecurity.org
http://www.twitter.com/iagox86