Nmap Development mailing list archives

Re: [NSE] Draft - targets-sniffer.nse


From: Patrick Donnelly <batrick () batbytes com>
Date: Tue, 22 Mar 2011 15:53:56 -0400

On Tue, Mar 22, 2011 at 3:17 PM, Toni Ruottu <toni.ruottu () iki fi> wrote:
> This thing is cool!
>
> It fails unless you are root, for understandable reasons. Do we have
> some kind of policy for scripts that require root?

Well, ideally you would just throw an error in the script if you don't
have root, something like:

if not nmap.is_privileged() then error "i require r00t" end

we could even make that an (empty) module to require:

require "root"

I think in the past we decided that errors thrown this
way can't be used because it ends up aborting the entire scan. In
earlier versions of NSE, this would actually occur in the middle of a
scan which made it *really* annoying. Now we have NSE loaded at Nmap
startup so this isn't quite as big an issue.

I myself would like to see these types of errors ignored by NSE (as
in, "the script isn't broken, but it can't run for X reason").
Currently, as an example, we have these awkward constructions in
mysql-brute.nse:

-- ripped from ssh-hostkey.nse
-- openssl is required for this script
if not pcall(require,"openssl") then
    portrule = function() return false end
    action = function() end
    stdnse.print_debug( 3, "Skipping %s script because OpenSSL is missing.",
        SCRIPT_NAME)
    return;
end

I think it should be possible to modify (hook) require so that these
types of errors remain silent (except with debugging == 3).

> I think there
> should be a way for scripts to report this to nmap, and nmap should
> probably abort the scan if the user has requested root features while
> being nonroot. I am not sure if this is possible at the moment. I am
> not sure I understand the big picture.

We could make it so if a user requests a script "by name" that Nmap
aborts the scan when a required feature is missing, e.g. openssl or
r00t. This is similar to how we increase the verbosity when the script
is specified "by name" on the command line.

-- 
- Patrick Donnelly
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
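
A sketch of the two ideas in the message above: a hooked require that keeps missing-feature errors silent unless debugging is at 3, and an abort only when the script was requested by name. It is an added example, not code from NSE or from the thread, and it runs under a plain Lua interpreter. `hooked_require`, `install_root_module`, `load_script`, the `MISSING` tag and the `no_such_lib` module are hypothetical names, and the `privileged` argument stands in for `nmap.is_privileged()`.

```lua
local real_require = require
local MISSING = {}  -- unique tag marking "cannot run here" errors
-- Hooked require: a missing module raises a tagged table instead of a string,
-- so the loader can tell "feature unavailable" apart from "script is broken".
local function hooked_require(name)
  local ok, mod = pcall(real_require, name)
  if ok then return mod end
  error({ tag = MISSING, what = name }, 0)
end

-- Hypothetical version of the proposed empty "root" module. The `privileged`
-- argument is an assumption standing in for nmap.is_privileged().
local function install_root_module(privileged)
  package.loaded["root"] = nil
  package.preload["root"] = function()
    if not privileged then error("not privileged") end
    return {}
  end
end

-- Runs a script's top-level chunk. Returns "loaded" or "skipped"; raises when
-- a feature is missing and the user requested the script by name.
local function load_script(name, chunk, by_name, debug_level)
  local saved = require
  require = hooked_require  -- the script itself calls plain `require`
  local ok, err = pcall(chunk)
  require = saved
  if ok then return "loaded" end
  if type(err) == "table" and err.tag == MISSING then
    if by_name then
      error(name .. ": required feature '" .. err.what .. "' is missing", 0)
    end
    if debug_level >= 3 then
      print("Skipping " .. name .. ": '" .. err.what .. "' is missing")
    end
    return "skipped"
  end
  error(err, 0)  -- genuine script bug: propagate unchanged
end

-- Constructed sample scripts (top-level chunks only).
local function sniffer() require "root" end
local function brute() require "no_such_lib" end
install_root_module(false)
print(load_script("brute", brute, false, 0))                    -- by category, quiet
print(load_script("targets-sniffer", sniffer, false, 3))        -- by category, debug 3
print(pcall(load_script, "targets-sniffer", sniffer, true, 0))  -- by name, non-root
install_root_module(true)
print(load_script("targets-sniffer", sniffer, true, 0))         -- by name, privileged
```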

