Nmap Development mailing list archives

Re: Script suggestions


From: Martin Holst Swende <martin () swende se>
Date: Sun, 27 Nov 2011 23:24:33 +0100

On 11/27/2011 11:15 PM, Duarte Silva wrote:
Hi Martin, 

I was tinkering in the case where I don't want to run any script from the 
start. I just want to get some suggestions to what could be executed. As an 
example:

nmap -sS -sV -n -v -pT:http nmap.scanme.org --scriptsuggest "vuln and exploit"
(...)
PORT     STATE  SERVICE VERSION
80/tcp   open   http    Apache httpd 2.2.14 ((Ubuntu))
| script-suggest:
|     http-awstatstotals-exec {vuln,intrusive,exploit}
|     http-axis2-dir-traversal {vuln,intrusive,exploit}
|     http-enum {discovery,intrusive,vuln}
|     http-litespeed-sourcecode-download {vuln,intrusive,exploit}
|     http-majordomo2-dir-traversal {intrusive,vuln,exploit}
|     http-passwd {intrusive,vuln}
|     http-trace {vuln,discovery,safe}
|     http-vmware-path-vuln {vuln,safe}
|     http-vuln-cve2011-3192 {vuln,safe}
|     http-wordpress-enum {auth,intrusive,vuln}
|_    sql-injection {intrusive,vuln}

And then, based on the suggestions limited by vuln and exploit categories I 
would run the script that I wanted.

This is in a simple manner decoupling the scriptsuggest option from the script 
option. In a way that you can still limit the results returned by the 
suggestions but without running any scripts.

Yes, it may be good to have. I guess it is not possible to have optional
arguments though (can't think of any other, and I assume it would mess
with the parser). I think it'd have to be implemented as two separate
options:

-scS (no arguments)
--script-suggest (same arguments as --script)

I guess I could reuse all the arguments-logic for --script, but it will
require a bit more refactoring of nse_main. Patch cometh.
/Martin

Regards,
Duarte Silva

On Sunday 27 November 2011 21:44:51 Martin Holst Swende wrote:
On 11/25/2011 11:26 PM, Duarte Silva wrote:
Hi Martin,

good idea! It would also be cool if we could limit the suggestions given
with a category filter.

Regards,
Duarte Silva
Yeah, I've been thinking about that, but I can't really see a very
strong usecase. I mean, you'd probably want to use it to be able to
filter out the
common ones- but if you normally run the scan with them, they are
automatically filtered anyway. As in:
nmap --script "default and safe" --scriptsuggest <target>

is already semantically the same as

nmap --script "default and safe" --scriptsuggest "not (default and safe)"

So I'm not sure if more category filters will bring much more. But if
you have a good use-case, I'd be glad to add it as well.
Regards,
Martin Swende

On Friday 25 November 2011 18:46:21 Martin Holst Swende wrote:
----- Original message -----

Is it possible to implement this as an nse script? I am not sure if
scripts are able to examine rules defined in other scripts.
No, it's all in nse_main.lua. It's already implemented, but needs some
more polish and c-level support. /Martin

On Fri, Nov 25, 2011 at 1:42 PM, Martin Holst Swende <martin () swende se> wrote:
Hi all,

There are now almost 300 scripts in NSE, and while that's awesome, it
is very difficult for a user to keep track of which scripts to use
when. I suspect that users who do use NSE often just go with -sC, or a
favourite script or two.

So I've gone back to an idea I had earlier: script-suggest. The
previous incarnation of this became script-help, which is definitely
good to have but does not really solve the problem. The new version of
my idea is that you just run a scan as normal, but append the
--script-suggest directive. What you get is something like this:
nmap scanme.nmap.org --script http-title --script-suggest

[...]

PORT     STATE SERVICE    REASON
22/tcp   open  ssh        syn-ack

| script-suggest:
|     banner {discovery,safe}
|     ssh-hostkey {safe,default,discovery}
|     ssh2-enum-algos {safe,discovery}
|
|_    sshv1 {default,safe}

80/tcp   open  http       syn-ack

|_http-title: Go ahead and ScanMe!
|
| script-suggest:
|     banner {discovery,safe}
|     citrix-brute-xml {intrusive,auth}
|     citrix-enum-apps-xml {discovery,safe}
|     citrix-enum-servers-xml {discovery,safe}
|     http-affiliate-id {safe,discovery}
|     http-auth {default,auth,safe}
|     http-awstatstotals-exec {vuln,intrusive,exploit}
|     http-axis2-dir-traversal {vuln,intrusive,exploit}
|     http-brute {intrusive,brute}
|     http-cakephp-version {discovery,safe}
|     http-cors {default,discovery,safe}
|     http-date {discovery,safe}
|     http-default-accounts {discovery,auth,safe}
|     http-enum {discovery,intrusive,vuln}
|     http-favicon {default,discovery,safe}
|     http-form-brute {intrusive,brute}
|     http-google-malware {malware,discovery,safe,external}
|     http-headers {discovery,safe}
|     http-iis-webdav-vuln {vuln,intrusive}
|     http-joomla-brute {intrusive,brute}
|     http-litespeed-sourcecode-download {vuln,intrusive,exploit}
|     http-majordomo2-dir-traversal {intrusive,vuln,exploit}
|     http-malware-host {malware,safe}
|     http-method-tamper {safe,auth}
|     http-methods {default,safe}
|     http-passwd {intrusive,vuln}
|     http-php-version {discovery,safe}
|     http-put {discovery,intrusive}
|     http-robots.txt {default,discovery,safe}
|     http-trace {vuln,discovery,safe}
|     http-userdir-enum {auth,intrusive}
|     http-vhosts {discovery,intrusive}
|     http-vmware-path-vuln {vuln,safe}
|     http-vuln-cve2011-3192 {vuln,safe}
|     http-waf-detect {discovery,intrusive}
|     http-wordpress-brute {intrusive,brute}
|     http-wordpress-enum {auth,intrusive,vuln}
|     http-wordpress-plugins {discovery,intrusive}
|
|_    sql-injection {intrusive,vuln}

9929/tcp open  nping-echo syn-ack

| script-suggest:
|     banner {discovery,safe}
|
|_    nping-brute {brute,intrusive}

Some points:
- Script-suggest only suggests portrule-scripts, not pre- or postrule.
- Script-suggest does not suggest scripts which DO run. E.g.,
specifying -sC --script-suggest will only give suggestions on
non-default scripts.
- Script-suggest loads all not already loaded scripts into NSE, checks
the rules and only suggests the script if the result was positive.

The output above is a preview, feedback is welcome. There is some work
left to do (e.g. I haven't implemented the nmap option on C-level yet)
so I don't submit a patch yet - just testing the waters. Thoughts?

Regards
Martin Holst Swende
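As an added example (not nmap's code, and not part of this thread), a small Python model of the mechanism Martin describes: each script's portrule is checked against the open service, scripts the --script selection already runs are dropped, and the rest are listed with their categories, with an optional filter expression standing in for the decoupled --script-suggest argument Duarte asked for. The script table, the services each portrule matches, and the expression grammar are constructed assumptions for illustration.

```python
import re

# Constructed toy table (not nmap code): script name -> (categories, services whose portrule fires).
SCRIPTS = {
    "banner":                ({"discovery", "safe"},              {"ssh", "http"}),
    "ssh-hostkey":           ({"safe", "default", "discovery"},   {"ssh"}),
    "http-title":            ({"default", "discovery", "safe"},   {"http"}),
    "http-trace":            ({"vuln", "discovery", "safe"},      {"http"}),
    "http-enum":             ({"discovery", "intrusive", "vuln"}, {"http"}),
    "http-vmware-path-vuln": ({"vuln", "safe"},                   {"http"}),
}
TOKEN = re.compile(r"\s*(\(|\)|[\w.-]+)")   # parentheses, keywords, category and script names

def matches(expr, name, cats):
    """Evaluate an --script style expression ("vuln and not safe") for one script; not > and > or."""
    toks = TOKEN.findall(expr)            # e.g. ['not', '(', 'default', 'and', 'safe', ')']
    def atom():
        t = toks.pop(0)
        if t == "(":
            v = or_()
            if toks.pop(0) != ")":
                raise ValueError("missing ')' in " + expr)
            return v
        if t == "not":
            return not atom()
        return t in ("all", name) or t in cats   # "all", a script name, or a category
    def and_():
        v = atom()
        while toks and toks[0] == "and":
            toks.pop(0)
            v = atom() and v              # always consume the operand, even if v is already False
        return v
    def or_():
        v = and_()
        while toks and toks[0] == "or":
            toks.pop(0)
            v = and_() or v
        return v
    result = or_()
    if toks:
        raise ValueError("trailing tokens in " + expr)
    return result

def script_suggest(service, run_expr, filter_expr=None):
    """Mimic --script-suggest: portrule-positive scripts that --script <run_expr> would not run,
    optionally narrowed by a category filter (the decoupled --script-suggest argument)."""
    out = []
    for name, (cats, services) in sorted(SCRIPTS.items()):
        if service in services and not matches(run_expr, name, cats) \
                and (filter_expr is None or matches(filter_expr, name, cats)):
            out.append("%s {%s}" % (name, ",".join(sorted(cats))))
    return out
```

Running script_suggest("http", "default and safe") with and without the filter "not (default and safe)" yields the same list, which is the equivalence Martin points out above.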


_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/