Nmap Development mailing list archives

Re: Output|Input pipe and forcing script run

From: David Fifield <david () bamsoftware com>
Date: Sat, 30 Apr 2011 00:53:22 -0700

On Mon, Nov 29, 2010 at 12:02:04AM +0100, Martin Holst Swende wrote:

Hi,

On 10/03/2010 04:48 PM, David Fifield wrote:

On Wed, Sep 29, 2010 at 10:47:37AM +0200, Martin Holst Swende wrote:

Also, a while ago there was a discussion about forcing a script to be
run . That is a feature I would really love. Is anybody working on that?
Fyodor suggested placing the patch in NSE, if that means in "lua-space"
I could implement that if given some hints on where to place it.

First you should try implementing this in the shortport library. Add a
check to each of the functions for the script argument "force":

local force = stdnse.get_script_args("force")

Then try running some scripts with this to see how it works. I think
there will be unexpected surprises when forcing scripts to run with the
large number of ports Nmap scans by default.

The next step is to make it apply to all scripts in nse_main.lua. Try
editing the "main" function in Script:new_thread. That's where the rules
are actually called and can be overridden.

Keep us updated with patches and your progress. I am interested to see
how this works.

A lot of other things have got in the way, but tonight I did a first
stab at it. It was trivial to implement, and you can check it out at the
usual place; at
http://martin.swende.se/hgwebdir.cgi/nsescripts/rev/48ee0f905d68 (<--
NOT tip) you can see the diff from the original. With my patch you can
do e.g.
nmap www.google.com -p80 --script firewalk --script-args=force=1 -d3


I want to reopen discussion about forcing a script to run. I tried this
patch and it works as I expect. The problem I see is that there are easy
ways to accidentally and confusingly use it.

nmap --script-args force -d2 localhost -sC -F

This is going to run every default script against every open port:

NSE: Starting runlevel 1 (of 1) scan.
NSE: Starting 'ms-sql-info' (thread: 0x91cb7d0) against 127.0.0.1.
NSE: Starting 'nbstat' (thread: 0x90dc580) against 127.0.0.1.
NSE: Starting 'p2p-conficker' (thread: 0x909b348) against 127.0.0.1.
NSE: Starting 'smb-os-discovery' (thread: 0x90c17f8) against 127.0.0.1.
NSE: Starting 'smbv2-enabled' (thread: 0x916aee8) against 127.0.0.1.
NSE: Starting 'auth-owners' (thread: 0x91ecad8) against 127.0.0.1:6000.
NSE: Starting 'backorifice-info' (thread: 0x90bf0e8) against 127.0.0.1:6000.
NSE: Starting 'dhcp-discover' (thread: 0x91ea950) against 127.0.0.1:6000.
NSE: Starting 'dns-recursion' (thread: 0x8fd3d40) against 127.0.0.1:6000.
NSE: Starting 'dns-service-discovery' (thread: 0x916c240) against 127.0.0.1:6000.
NSE: Starting 'dns-zone-transfer' (thread: 0x8fba2a8) against 127.0.0.1:6000.
NSE: Starting 'epmd-info' (thread: 0x8fd6288) against 127.0.0.1:6000.
NSE: Starting 'finger' (thread: 0x8fb8648) against 127.0.0.1:6000.
NSE: Starting 'ftp-anon' (thread: 0x9123040) against 127.0.0.1:6000.
NSE: Starting 'ftp-bounce' (thread: 0x91d8110) against 127.0.0.1:6000.
NSE: Starting 'gopher-ls' (thread: 0x8fcd4a8) against 127.0.0.1:6000.
NSE: Starting 'hddtemp-info' (thread: 0x920e1d0) against 127.0.0.1:6000.
NSE: Starting 'http-auth' (thread: 0x8fb83c0) against 127.0.0.1:6000.
NSE: Starting 'http-favicon' (thread: 0x90bfa88) against 127.0.0.1:6000.
NSE: Starting 'http-methods' (thread: 0x9123988) against 127.0.0.1:6000.
NSE: Starting 'http-open-proxy' (thread: 0x90c1390) against 127.0.0.1:6000.
NSE: Starting 'http-robots.txt' (thread: 0x9213b18) against 127.0.0.1:6000.
NSE: Starting 'http-title' (thread: 0x90ef6f8) against 127.0.0.1:6000.
NSE: Starting 'http-vmware-path-vuln' (thread: 0x91f0ca8) against 127.0.0.1:6000.
NSE: Starting 'imap-capabilities' (thread: 0x91ce880) against 127.0.0.1:6000.
NSE: Starting 'irc-info' (thread: 0x91d02c8) against 127.0.0.1:6000.
NSE: Starting 'mongodb-databases' (thread: 0x91c5f68) against 127.0.0.1:6000.
NSE: Starting 'mongodb-info' (thread: 0x91c1ea8) against 127.0.0.1:6000.
NSE: Starting 'mysql-info' (thread: 0x91bb298) against 127.0.0.1:6000.
NSE: Starting 'nat-pmp-info' (thread: 0x91b9a08) against 127.0.0.1:6000.
NSE: Starting 'netbus-info' (thread: 0x913ebc8) against 127.0.0.1:6000.
NSE: Starting 'ntp-info' (thread: 0x90fcd10) against 127.0.0.1:6000.
NSE: Starting 'pop3-capabilities' (thread: 0x90db0c8) against 127.0.0.1:6000.
NSE: Starting 'quake3-master-getservers' (thread: 0x90c6700) against 127.0.0.1:6000.
NSE: Starting 'realvnc-auth-bypass' (thread: 0x9047570) against 127.0.0.1:6000.
NSE: Starting 'rmi-dumpregistry' (thread: 0x9033318) against 127.0.0.1:6000.
NSE: Starting 'rpcinfo' (thread: 0x91f2940) against 127.0.0.1:6000.
NSE: Starting 'servicetags' (thread: 0x91ca4c8) against 127.0.0.1:6000.
NSE: Starting 'smtp-commands' (thread: 0x9168e20) against 127.0.0.1:6000.
NSE: Starting 'snmp-interfaces' (thread: 0x9158670) against 127.0.0.1:6000.
NSE: Starting 'snmp-netstat' (thread: 0x9157710) against 127.0.0.1:6000.
NSE: Starting 'snmp-processes' (thread: 0x91e7d60) against 127.0.0.1:6000.
NSE: Starting 'snmp-sysdescr' (thread: 0x923f990) against 127.0.0.1:6000.
NSE: Starting 'snmp-win32-services' (thread: 0x91c2b40) against 127.0.0.1:6000.
NSE: Starting 'snmp-win32-shares' (thread: 0x91bf2d8) against 127.0.0.1:6000.
NSE: Starting 'snmp-win32-software' (thread: 0x909ba20) against 127.0.0.1:6000.
NSE: Starting 'snmp-win32-users' (thread: 0x917e6f8) against 127.0.0.1:6000.
NSE: Starting 'socks-open-proxy' (thread: 0x9177f38) against 127.0.0.1:6000.
NSE: Starting 'ssh-hostkey' (thread: 0x9156f90) against 127.0.0.1:6000.
NSE: Starting 'sshv1' (thread: 0x9144378) against 127.0.0.1:6000.
NSE: Starting 'sslv2' (thread: 0x9237d40) against 127.0.0.1:6000.
NSE: Starting 'upnp-info' (thread: 0x913a048) against 127.0.0.1:6000.
NSE: Starting 'wdb-version' (thread: 0x91034b8) against 127.0.0.1:6000.
NSE: Starting 'wsdd-discover' (thread: 0x90cb6d0) against 127.0.0.1:6000.
NSE: Starting 'x11-access' (thread: 0x90d4e38) against 127.0.0.1:6000.

I think that a global "force" option only makes sense if 1) you are
narrowly targeting a list of ports and 2) you are narrowly limiting the
set of scripts. Can we think of a way to make this work naturally
without strange cases like the above?

My first thought is that you usually only want one or a few scripts to
be forced. So what if we invent a new syntax that allows applying the
force script to one script only? I don't think this is a good syntax,
but it will illustrate what I mean:

nmap www.google.com -p80 --script force:firewalk

This is no more typing in the (expected) case when only one script is
used. It would be possible to run one script forced and one non-forced,
though I don't have a realistic use case for that.

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/

Current thread:

Re: Output|Input pipe and forcing script run David Fifield (Apr 30)
- Re: Output|Input pipe and forcing script run Patrik Karlsson (Apr 30)
- Re: Output|Input pipe and forcing script run Ron (Jun 15)
  - Re: Output|Input pipe and forcing script run Hani Benhabiles (Jun 15)
  - Re: Output|Input pipe and forcing script run Martin Holst Swende (Jun 16)
    - Re: Output|Input pipe and forcing script run Patrik Karlsson (Jun 16)
    - Re: Output|Input pipe and forcing script run Gorjan Petrovski (Jun 17)