Nmap Development mailing list archives
Re: NSE target library
From: Djalal Harouni <tixxdz () opendz org>
Date: Thu, 30 Dec 2010 22:41:52 +0100
On 2010-12-29 19:42:28 +0200, Toni Ruottu wrote:
Hello people, I have been doing some experiments with using the target library. I am noticing a trend. Whenever I know the IP of a good target in a script I usually also know a good candidate for the port that the scan should target. For example I wanted to scan quake3 servers for their options, and I figured I'd first query official master servers for actual servers, and then scan the actual servers. The problem is that the actual servers run on whatever high ports, so targeting the ip addresses alone does not find them, and scanning lots of closed ports also consumes lots of time as the servers use udp for communication.
Perhaps adding ports dynamically during an Nmap scan can be achieved in a better manner (not like the add target feature). This can be done by NSE scripts. In the script which scans master servers you can push the discovered IPs into the Nmap scan queue and save them in the registry like this:

    nmap.registry.quake_slaves = {}
    nmap.registry.quake_slaves[slave_ip] = slave_port

or

    nmap.registry.quake_slaves = {}
    nmap.registry.quake_slaves[slave_ip] = {}
    nmap.registry.quake_slaves[slave_ip].name = slave_name
    nmap.registry.quake_slaves[slave_ip].port = slave_port
    ...

in other words like the port table. Please note that we can also save multiple discovered ports here. In the script which scans slaves you can do this:

    hostrule = function(host)
      -- guard against the table being absent when the master-server
      -- script did not run before this one
      if nmap.registry.quake_slaves and nmap.registry.quake_slaves[host.ip] then
        return true
      end
      return false
    end

    action = function(host)
      -- your actions, and after you test that the port is really open
      -- you can set the port state and the version information on a port.
    end

This way in your script for every discovered host you will *only* probe discovered ports for this host (you will not scan ports which belong to other hosts).
Another problem I noticed is that I can not run nmap without providing a target. So whenever I use a script to populate the scan targets I need to add something, say 127.0.0.1 as a starting target. Maybe there should be a way to define an empty target set explicitly.
Well, if your script is using a prerule/postrule then you can run Nmap without target arguments, but the portrule/hostrule stuff needs targets. If you are doing some host discovery then perhaps you should consider using a prerule, take a look at Patrik's excellent scripts e.g. broadcast-dns-service-discovery.nse

-- 
tixxdz

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
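The pattern Djalal sketches above, worked into one NSE script as an added example (not code from the thread or from Nmap): a prerule discovers servers, queues them with target.add and records their ports under nmap.registry.quake_slaves; a hostrule then fires only for those hosts and probes only their recorded UDP ports. The DISCOVERED list is a constructed stand-in for the master-server query, the PROBE payload is a placeholder, and the "quake3" service name is assumed.

```lua
local nmap   = require "nmap"
local stdnse = require "stdnse"
local target = require "target"

-- Constructed stand-in for what a master-server query would return.
local DISCOVERED = {
  { ip = "192.0.2.10", port = 27960, name = "srv-a" },
  { ip = "192.0.2.11", port = 27961, name = "srv-b" },
  { ip = "192.0.2.11", port = 27962, name = "srv-b" },  -- second port, same host
}
local PROBE = "PLACEHOLDER-QUERY\n"  -- assumed; the real query is not on the page

prerule  = function() return target.ALLOW_NEW_TARGETS end  -- needs --script-args newtargets
hostrule = function(host)
  local slaves = nmap.registry.quake_slaves
  return slaves ~= nil and slaves[host.ip] ~= nil       -- only hosts we discovered
end

-- Prerule phase: remember every (ip, port) pair and push the host onto the scan queue.
local function discover()
  nmap.registry.quake_slaves = nmap.registry.quake_slaves or {}
  local slaves = nmap.registry.quake_slaves
  for _, s in ipairs(DISCOVERED) do
    slaves[s.ip] = slaves[s.ip] or { name = s.name, ports = {} }
    table.insert(slaves[s.ip].ports, s.port)            -- several ports per host are fine
    local ok, err = target.add(s.ip)
    if not ok then stdnse.debug1("cannot queue %s: %s", s.ip, err) end
  end
end

-- Hostrule phase: probe one recorded port; on a reply mark it open and name the service.
local function probe(host, portnum)
  local sock = nmap.new_socket("udp")
  sock:set_timeout(2000)
  local ok = sock:connect(host.ip, portnum, "udp")
  if ok then ok = sock:send(PROBE) end
  local status, data = false, nil
  if ok then status, data = sock:receive() end
  sock:close()
  if status then
    local port = { number = portnum, protocol = "udp", version = { name = "quake3" } }
    nmap.set_port_state(host, port, "open")
    nmap.set_port_version(host, port)
  end
  return status, data
end

action = function(host)
  if SCRIPT_TYPE == "prerule" then discover() return nil end
  local out = {}
  for _, p in ipairs(nmap.registry.quake_slaves[host.ip].ports) do
    out[#out + 1] = ("%d/udp: %s"):format(p, probe(host, p) and "open" or "no reply")
  end
  return stdnse.format_output(true, out)
end
```

The hostrule only runs for hosts Nmap actually scans, so the discovery must happen in the prerule phase and the run needs `--script-args newtargets` for target.add to succeed; ports are probed directly by the script, so no `-p` list covering the high UDP ports is required.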