Nmap Development mailing list archives
Re: GSoC: NSE script developer
From: David Fifield <david () bamsoftware com>
Date: Tue, 22 Mar 2011 18:00:33 -0700
On Tue, Mar 22, 2011 at 12:40:54PM +0100, Hani Benhabiles wrote:
Hello, I'm Hani "kroosec" Benhabiles, a student from Algeria. I'm interested by the NSE—Script Developer position and I would like to apply for the web scanning specialist one as it's where I see myself shining the most (I was planning to work on w3af and began studying the code but they didn't get accepted for GSoC.)
Hi Hani! Thanks for introducing yourself. Here are good general links about Nmap in the Summer of Code: http://www.google-melange.com/gsoc/org/home/google/gsoc2011/nmap http://nmap.org/soc/ http://nmap.org/soc/GeneralRequirements.html http://nmap.org/soc/apply.html
I do have some questions/remarks however: - How should I approach Nmap web scanning ? Will I've to focus on a certain area ? like Information gathering (seems the most logical to me), Vulnerability discovery or exploiting vulnerabilities.
We're looking to add a large number of scripts to increase Nmap's web scanning abilities. Web scanning is such a big topic that I'm sure you can find plenty of variety within it.
- How will the scripts to be written be chosen ? Will it be the mentor who chooses them, community feedback, defined lists (like working on OWASP's Top 10 for vulnerability discovery) or will I be free to choose what I work on (and justify it of course.)
You and your mentor will work together with the members of the mailing list to decide what scripts to write. In your proposal, though, you should have a few specific ideas of scripts that you will write. One of the thinkgs we're looking for is the ability to come up with creative new ideas.
- How will the script developers collaborate ? Will they have the same mentor who will be in charge of workload balancing or will they directly do it. I would enjoy working with other students on other specialties.
In years past we have had weekly IRC meetings among the NSE students and other interested developers. You raise a good point about NSE students working together.
- I do have some issues defining the time line for this project. Should I base it on the number of scripts and libraries written or will it be something else ?
You're right, that's hard to define. Number of scripts is a reasonable metric. Of course everyone understands that some scripts are harder to write than others. I think this year we are focusing more on new capabilities rather than core infrastructure code.
While studying the NSE internals, I've written a simple script that grabs Google Analytics and Adsense IDs of a website. These could be used to further find websites with the same owner. I would be glad if they are added to NSE scripts or at least if I'm given some input and tips on anything that I've overlooked or I could improve.
I'm going to let replies about the script go in a separate thread. David Fifield _______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://seclists.org/nmap-dev/
Current thread:
- GSoC: NSE script developer Hani Benhabiles (Mar 22)
- Re: GSoC: NSE script developer David Fifield (Mar 22)