Nmap Development mailing list archives
Re: Concerning Auxiliary Scripts
From: David Fifield <david () bamsoftware com>
Date: Tue, 27 Apr 2010 09:12:06 -0600
On Tue, Apr 27, 2010 at 08:29:01AM -0400, Patrick Donnelly wrote:
> From docs/TODO:
>
>   o [NSE] Maybe we should create a class of scripts which only run one time per scan, similar to auxiliary modules in Metasploit. We already have script classes which run once per port and once per host. For example, the once-per-scan ("network script"?) class might be useful for broadcast LAN scripts (Ron Bowes, who suggested this (http://seclists.org/nmap-dev/2010/q1/883) offered to write a NetBIOS and DHCP broadcast script). Another idea would be an AS to IP ranges script, as discussed in this thread http://seclists.org/nmap-dev/2010/q2/101 [Could be a good SoC infrastructure project]
>
>     o David notes: "I regret saying this before I say it, because I'm imagining implementation difficulties, we should think about having such auxiliary scripts be able to do things like host discovery, and then let the following phases work on the list it discovers."
>
> I'm thinking this should be a new scan type. Unless I'm mistaken, Nmap has never added hosts to the scan that weren't explicitly enumerated in some way on the command line. It would be appropriate for the user to give Nmap "permission" to find hosts and then do further scanning as if those hosts were given on the command line. Thoughts?
>
> As far as NSE is concerned, just like Version Detection runs the script engine with a "special" category ("version"), our new scan type would also run NSE. We can assign some arbitrary category to these "auxiliary" scripts. When NSE is in this host exploration/discovery mode, it doesn't bother with running hostrules/portrules and only runs scripts in that "auxiliary" category. Or, for generality's sake, we can just have a single "fabricated" host for this scan type and all auxiliary scripts have a hostrule that always* returns true.
There are two things going on in the TODO above, as I understand it.

The first is a third type of script to go along with hostrule and portrule, call it auxrule. (I think using a new rule type is better than making a category for these scripts, because it fits in with the pattern: portrule runs once per port, hostrule runs once per host, and auxrule runs once per script scan.) The auxrule scripts aren't necessarily related to host discovery. Like, I can imagine an auxrule script that wants to run after all other scripts during normal script scanning, one that collects in one table all the username/password credentials found by the other scripts.

The second thing in the TODO is the possibility of starting up and tearing down the script engine more than once during a scan, in different "modes." This is the particular implementation difficulty I was thinking of. So you might start up NSE in "host discovery mode" just before or after normal host discovery, and then start it up again after port scanning for normal script scanning. Host discovery scripts would have to be marked somehow as being both auxrule scripts (because they don't run against a particular host or port) and also that they want to run in "host discovery mode" (this could be a category). Potentially we would want NSE analogs for other phases besides host discovery, but I didn't have any in mind.

I think the first issue, auxrule scripts, is probably pretty easy and can be done independently from the host discovery idea. The second issue is not necessarily difficult, but needs some discussion on how exactly it will work.

David Fifield

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
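The once-per-scan script David describes (one that runs after every hostrule/portrule script and collates the credentials they found) looks roughly like the following. This is an added example, not code from the thread or from the Nmap tree; it is written against the prerule/postrule slots that later NSE releases shipped for exactly this once-per-scan role (the thread's "auxrule" name never became an NSE hook). The script name creds-summary.nse and the registry key nmap.registry.found_creds are assumptions chosen for the example; other scripts would have to agree on that key.

```lua
-- creds-summary.nse (hypothetical name, example code only)
--
-- A once-per-scan "auxiliary" script in the sense of the thread: it targets
-- no host and no port. It runs once before the host/port phases (prerule) to
-- set up a shared table, and once after all hostrule/portrule scripts have
-- finished (postrule) to report what they recorded there.

local nmap = require "nmap"
local tab  = require "tab"

description = [[
Collects username/password pairs that other scripts recorded in
nmap.registry.found_creds during the scan and prints them in one table.
]]

author = "example"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"safe"}

-- Registry key shared with the scripts that actually find credentials.
-- Assumption: this key name is chosen for the example, not an NSE convention.
local KEY = "found_creds"

-- Runs once, before any host is scanned: make sure the shared table exists.
prerule = function()
  nmap.registry[KEY] = nmap.registry[KEY] or {}
  return true
end

-- Runs once, after every hostrule/portrule script has finished; only fire
-- when there is something to report.
postrule = function()
  local creds = nmap.registry[KEY]
  return creds ~= nil and #creds > 0
end

-- A per-port script would record a finding from its own action() like this
-- (creating the table defensively lets the finder run even when this
-- summary script was not selected):
--
--   nmap.registry.found_creds = nmap.registry.found_creds or {}
--   table.insert(nmap.registry.found_creds, {
--     host = host.ip, port = port.number,
--     user = "admin", pass = "admin", source = SCRIPT_NAME,
--   })

action = function()
  -- SCRIPT_TYPE tells the script which rule triggered the current run;
  -- the prerule run only sets up the table and has nothing to print.
  if SCRIPT_TYPE == "prerule" then
    return nil
  end

  local out = tab.new()
  tab.addrow(out, "host", "port", "user", "password", "found by")
  for _, c in ipairs(nmap.registry[KEY]) do
    tab.addrow(out, c.host, c.port, c.user, c.pass, c.source)
  end
  return "\n" .. tab.dump(out)
end
```

Selected together with whatever scripts do the actual credential finding (for example `nmap --script creds-summary,<finder-scripts> <target>`), the prerule run sets up nmap.registry.found_creds, the finders append to it from their per-port actions, and the postrule run prints the combined table once, at the end of the script scan.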
Current thread:
- Concerning Auxiliary Scripts Patrick Donnelly (Apr 27)
- Re: Concerning Auxiliary Scripts David Fifield (Apr 27)