Nmap Development mailing list archives

Re: Output|Input pipe and forcing script run


From: Martin Holst Swende <martin () swende se>
Date: Mon, 29 Nov 2010 00:02:04 +0100

Hi,

On 10/03/2010 04:48 PM, David Fifield wrote:
> On Wed, Sep 29, 2010 at 10:47:37AM +0200, Martin Holst Swende wrote:
>> Also, a while ago there was a discussion about forcing a script to be
>> run. That is a feature I would really love. Is anybody working on that?
>> Fyodor suggested placing the patch in NSE, if that means in "lua-space"
>> I could implement that if given some hints on where to place it.
> First you should try implementing this in the shortport library. Add a
> check to each of the functions for the script argument "force":
>
> local force = stdnse.get_script_args("force")
>
> Then try running some scripts with this to see how it works. I think
> there will be unexpected surprises when forcing scripts to run with the
> large number of ports Nmap scans by default.
>
> The next step is to make it apply to all scripts in nse_main.lua. Try
> editing the "main" function in Script:new_thread. That's where the rules
> are actually called and can be overridden.
>
> Keep us updated with patches and your progress. I am interested to see
> how this works.
A lot of other things have got in the way, but tonight I did a first
stab at it. It was trivial to implement, and you can check it out at the
usual place; at
http://martin.swende.se/hgwebdir.cgi/nsescripts/rev/48ee0f905d68 (<--
NOT tip) you can see the diff from the original. With my patch you can
do e.g.
nmap www.google.com -p80 --script firewalk --script-args=force=1 -d3

Something more meaningful might be if you know that someone is running a
service on an uncommon port, and you don't want to version-scan it just
to run the script (perhaps because the version scan does not even find
it). It can also be used to fuzz the scripts against wrong service types :)

While I was fiddling with nse_main, I added another thing I have been
missing. I often don't really know what scripts are possible to run for
a particular service or port, and I don't always know what they do. So,
I added another script argument: "help". For all the scripts that would
have been run, it instead prints out info about the scripts.
Like so:
www.google.se -p80,443 -sC --script-args help

<snip>
NSE: -----------------------------------------
NSE: -- html-title.nse --
NSE: -- Categories: default,discovery,safe
NSE: -- Shows the title of the default page of a web server.

The script will follow no more than one HTTP redirect, and only if the
redirection leads to the same host. The script may send a DNS query to
determine whether the host the redirect leads to has the same IP address
as the original target.

NSE: -----------------------------------------
NSE: -- http-auth.nse --
NSE: -- Categories: default,auth,intrusive
NSE: -- Retrieves the authentication scheme and realm of a web service
that requires authentication.

NSE: -----------------------------------------
NSE: -- http-favicon.nse --
NSE: -- Categories: default,discovery,safe
NSE: -- Gets the favicon ("favorites icon") from a web page and matches
it against a database of the icons of known web applications. If there
is a match, the name of the application is printed; otherwise the MD5
hash of the icon data is printed.

If the script argument <code>favicon.uri</code> is given, that relative
URI is always used to find the favicon. Otherwise, first the page at the
root of the web server is retrieved and parsed for a
<code><link rel="icon"></code> element. If that fails, the icon is looked
for in <code>/favicon.ico</code>. If a <code><link></code> favicon points
to a different host or port, it is ignored.

</snip>

The example above uses the default scripts. More interesting is perhaps to
show info about all scripts that can be used against a live host (or
port/service):
nmap www.scanme.org --script "*" --script-args help

The above example will show NSE documentation for each script that has
been identified as runnable against a port or service which has been
found on the target.

As a side-effect, the two modifications can be combined to show
documentation about all NSE scripts :)
nmap scanme.org -p0 --script "*" --script-args help,force

The force-stuff is at revision 51, and the help is at revision 52 on
http://www.martin.swende.se/hg/nsescripts .
Feedback appreciated!
Regards,
Martin Swende
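As an added illustration (not Martin's patch and not code from Nmap itself), here is a per-script version of both ideas: a portrule wrapper that honours the `force` script argument, and an action that returns the script's description when `help` is given. It assumes only the standard NSE `shortport` and `stdnse` libraries; the wrapper name `forceable` is invented for this example.

```lua
-- Added example script, not Martin's patch nor Nmap's own code.
-- Demonstrates "force" and "help" handled inside one script rather than
-- in shortport or nse_main.lua.
local shortport = require "shortport"
local stdnse = require "stdnse"

description = [[
Example script: reports whether its port rule matched or was forced.
]]
categories = {"safe", "discovery"}

-- Wrap any shortport-style rule so that --script-args=force=1 makes the
-- script fire on every port it is asked about, regardless of the rule.
local function forceable(rule)
  return function(host, port)
    if stdnse.get_script_args("force") then
      stdnse.print_debug(1, "force set: running on %s:%d regardless of rule",
        host.ip, port.number)
      return true
    end
    return rule(host, port)
  end
end

-- Without "force" this behaves exactly like shortport.http.
portrule = forceable(shortport.http)

action = function(host, port)
  -- Per-script "help": return the description instead of doing the work.
  if stdnse.get_script_args("help") then
    return description
  end
  -- Real work would go here. A forced run may land on a non-HTTP service,
  -- so anything that talks to the socket must tolerate unexpected replies.
  return string.format("rule matched or forced on port %d/%s",
    port.number, port.protocol)
end
```

Because the `help` check lives in the action, it only shows documentation for scripts whose rule (or `force`) already selected them, which is why Martin placed his version in nse_main.lua instead.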

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/