Nmap Development mailing list archives

Re: [BUG] Exclusions directive not honored by NSE version detection


From: Fyodor <fyodor () insecure org>
Date: Mon, 24 May 2010 13:32:17 -0700

On Sat, May 22, 2010 at 01:37:36PM -0500, Tom Sellers wrote:

> To me it would make sense if ports flagged in Exclude directive were
> excluded from both normal version scanning as well as script version
> scanning.  While I could see an argument for scripts not being
> subject to this due to being able to include better logic, it would
> seem that every script in the Version category would have to keep in
> mind that some ports (which may change in the future) should not be
> scanned unless you really know how to handle them.

I agree that "version" category scripts should not be scanning
excluded ports.  How that should be implemented (e.g. NSE
infrastructure or logic in the scripts/libraries) is debatable.  I
think I favor script/library logic (with Nmap exporting the list of
excluded ports, of course) since we only have 6 "version" scripts, and
other scripts might be interested in which ports are excluded in the
future too.

Another thing we could consider is changing the "excluded ports" to
mean that these ports cannot be WRITTEN to.  That would allow version
detection (and NSE) to connect to TCP ports and do the "Null probe"
where they just listen for a banner.  Our only excluded ports after
all these years are the HP JetDirect printer TCP ports, and I don't
think (but could be wrong) that those cause problems when you just
connect to them.  The issue is that when you send any data, it gets
printed as-is.  What a terrible protocol!

The Exclude directive is an unfortunate hack to get around retarded HP
printers.  I hope one day HP will fix their products and we'll be able
to remove the exclude directive entirely.

Cheers,
Fyodor
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
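The message above talks about Nmap exporting its list of excluded ports so that "version" scripts can skip them. The following is an added illustration, not Nmap's or NSE's own code: a small parser for the `Exclude` directive in the `nmap-service-probes` syntax (`T:`/`U:` prefixed ports and ranges, comma separated) and the check a script's port rule would make before probing. The probes-file excerpt is a constructed sample; treating an unprefixed port spec as applying to both TCP and UDP is an assumption of this example.

```python
"""Parse the nmap-service-probes "Exclude" directive and answer the question a
"version" NSE script would ask before touching a port: is this port excluded?

Added example, not Nmap's code.  The probes excerpt below is a constructed
sample written in the directive's syntax.
"""
import re

# Constructed excerpt in nmap-service-probes syntax.  T: = TCP, U: = UDP.
SAMPLE_PROBES_FILE = """\
# constructed sample, not a real nmap-service-probes file
Exclude T:9100-9107,U:9100
Probe TCP NULL q||
"""

# One port spec: optional protocol prefix, a port, and an optional range end.
_SPEC_RE = re.compile(r"^(?:([TU]):)?(\d+)(?:-(\d+))?$")
_PROTO_NAMES = {"T": ("tcp",), "U": ("udp",), None: ("tcp", "udp")}


def parse_exclude(probes_text):
    """Return a set of (protocol, port) pairs named by every Exclude line.

    Unprefixed specs are assumed (in this example) to cover TCP and UDP.
    Malformed specs raise ValueError rather than silently shrinking the
    exclusion list, since an unnoticed gap here means probing a port the
    operator asked us to leave alone.
    """
    excluded = set()
    for raw in probes_text.splitlines():
        line = raw.strip()
        if not line.startswith("Exclude"):
            continue
        body = line[len("Exclude"):].strip()
        for spec in body.split(","):
            m = _SPEC_RE.match(spec.strip())
            if not m:
                raise ValueError("bad Exclude spec: %r" % spec)
            proto, lo = m.group(1), int(m.group(2))
            hi = int(m.group(3)) if m.group(3) else lo
            if not 0 <= lo <= hi <= 65535:
                raise ValueError("port range out of bounds: %r" % spec)
            for name in _PROTO_NAMES[proto]:
                for port in range(lo, hi + 1):
                    excluded.add((name, port))
    return excluded


def is_excluded(excluded, port, protocol="tcp"):
    """True if (protocol, port) is covered by the parsed Exclude directive."""
    return (protocol.lower(), int(port)) in excluded


def version_scan_targets(excluded, open_ports):
    """Filter (port, protocol) pairs the way a version script's port rule
    should: keep only ports the Exclude directive does not name."""
    return [(port, proto) for port, proto in open_ports
            if not is_excluded(excluded, port, proto)]


if __name__ == "__main__":
    ex = parse_exclude(SAMPLE_PROBES_FILE)
    found = [(80, "tcp"), (9100, "tcp"), (9100, "udp"), (9101, "udp")]
    print("excluded pairs:", sorted(ex))
    print("safe to version-probe:", version_scan_targets(ex, found))
```

Wiring the same check into a script's port rule (rather than into each script's action) is what keeps every future "version" script honest about the list, which is the concern raised in the quoted report.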