Re: Script suggestions

[Toni Ruottu <toni.ruottu () iki fi>]

Is it possible to implement this as an nse script? I am not sure if
scripts are able to examine rules defined in other scripts.

On Fri, Nov 25, 2011 at 1:42 PM, Martin Holst Swende <martin () swende se> wrote:
> Hi all,
>
> There are now almost 300 scripts in NSE, and while that's awesome, it is
> very difficult for a user to keep track of which scripts to use when. I
> suspect that user who do use NSE often just go with -sC, or a favourite
> script or two.
>
> So I've gone back to an idea I had earlier: script-suggest. The previous
> incarnation of this became script-help, which is definitely good to have
> but does not really solve the problem. The new version of my idea is
> that you just run a scan as normal, but append the --script-suggest
> directive. What you get is something like this:
> nmap scanme.nmap.org --script http-title --script-suggest
>
> [...]
>
> PORT     STATE SERVICE    REASON
> 22/tcp   open  ssh        syn-ack
> | script-suggest:
> |     banner {discovery,safe}
> |     ssh-hostkey {safe,default,discovery}
> |     ssh2-enum-algos {safe,discovery}
> |_    sshv1 {default,safe}
> 80/tcp   open  http       syn-ack
> |_http-title: Go ahead and ScanMe!
> | script-suggest:
> |     banner {discovery,safe}
> |     citrix-brute-xml {intrusive,auth}
> |     citrix-enum-apps-xml {discovery,safe}
> |     citrix-enum-servers-xml {discovery,safe}
> |     http-affiliate-id {safe,discovery}
> |     http-auth {default,auth,safe}
> |     http-awstatstotals-exec {vuln,intrusive,exploit}
> |     http-axis2-dir-traversal {vuln,intrusive,exploit}
> |     http-brute {intrusive,brute}
> |     http-cakephp-version {discovery,safe}
> |     http-cors {default,discovery,safe}
> |     http-date {discovery,safe}
> |     http-default-accounts {discovery,auth,safe}
> |     http-enum {discovery,intrusive,vuln}
> |     http-favicon {default,discovery,safe}
> |     http-form-brute {intrusive,brute}
> |     http-google-malware {malware,discovery,safe,external}
> |     http-headers {discovery,safe}
> |     http-iis-webdav-vuln {vuln,intrusive}
> |     http-joomla-brute {intrusive,brute}
> |     http-litespeed-sourcecode-download {vuln,intrusive,exploit}
> |     http-majordomo2-dir-traversal {intrusive,vuln,exploit}
> |     http-malware-host {malware,safe}
> |     http-method-tamper {safe,auth}
> |     http-methods {default,safe}
> |     http-passwd {intrusive,vuln}
> |     http-php-version {discovery,safe}
> |     http-put {discovery,intrusive}
> |     http-robots.txt {default,discovery,safe}
> |     http-trace {vuln,discovery,safe}
> |     http-userdir-enum {auth,intrusive}
> |     http-vhosts {discovery,intrusive}
> |     http-vmware-path-vuln {vuln,safe}
> |     http-vuln-cve2011-3192 {vuln,safe}
> |     http-waf-detect {discovery,intrusive}
> |     http-wordpress-brute {intrusive,brute}
> |     http-wordpress-enum {auth,intrusive,vuln}
> |     http-wordpress-plugins {discovery,intrusive}
> |_    sql-injection {intrusive,vuln}
> 9929/tcp open  nping-echo syn-ack
> | script-suggest:
> |     banner {discovery,safe}
> |_    nping-brute {brute,intrusive}
>
>
> Some points:
> - Script-suggest only suggests portrule-scripts, not pre- or postrule.
> - Script-suggest does not suggest scripts which DO run. E.g, specifying
> -sC --script-suggest will only give suggestions on non-default scripts.
> - Script-suggest loads all not already loaded scripts into NSE, checks
> the rules and only suggests the script if the result was positive.
>
> The output above is a preview, feedback is welcome. There is some work
> left to do (I haven't implemented the nmap-option on C-level yet e.g) so
> I don't submit a patch yet - just testing the waters. Thoughts?
>
> Regards
> Martin Holst Swende
>
>
> _______________________________________________
> Sent through the nmap-dev mailing list
> http://cgi.insecure.org/mailman/listinfo/nmap-dev
> Archived at http://seclists.org/nmap-dev/
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/