Nmap Development mailing list archives
Re: Script suggestions
From: Duarte Silva <duarte.silva () serializing me>
Date: Sun, 27 Nov 2011 22:34:44 +0000
On Sunday 27 November 2011 22:24:33 Martin Holst Swende wrote:
> On 11/27/2011 11:15 PM, Duarte Silva wrote:
>> Hi Martin,
>>
>> I was tinkering in the case where I don't want to run any script from the start. I just want to get some suggestions as to what could be executed. As an example:
>>
>> nmap -sS -sV -n -v -pT:http nmap.scanme.org --scriptsuggest "vuln and exploit"
>> (...)
>> PORT   STATE SERVICE VERSION
>> 80/tcp open  http    Apache httpd 2.2.14 ((Ubuntu))
>> | script-suggest:
>> |   http-awstatstotals-exec {vuln,intrusive,exploit}
>> |   http-axis2-dir-traversal {vuln,intrusive,exploit}
>> |   http-enum {discovery,intrusive,vuln}
>> |   http-litespeed-sourcecode-download {vuln,intrusive,exploit}
>> |   http-majordomo2-dir-traversal {intrusive,vuln,exploit}
>> |   http-passwd {intrusive,vuln}
>> |   http-trace {vuln,discovery,safe}
>> |   http-vmware-path-vuln {vuln,safe}
>> |   http-vuln-cve2011-3192 {vuln,safe}
>> |   http-wordpress-enum {auth,intrusive,vuln}
>> |_  sql-injection {intrusive,vuln}
>>
>> And then, based on the suggestions limited by the vuln and exploit categories, I would run the script that I wanted. This is, in a simple manner, decoupling the scriptsuggest option from the script option, in a way that you can still limit the results returned by the suggestions but without running any scripts.
>
> Yes, it may be good to have. I guess it is not possible to have optional arguments though (can't think of any other, and I assume it would mess with the parser). I think it'd have to be implemented as two separate options:
>
> -scS (no arguments)
> --script-suggest (same arguments as --script)
>
> I guess I could reuse all the arguments-logic for --script, but it will require a bit more refactoring of nse_main. Patch cometh.
>
> /Martin

The script option may be specified without arguments. So if you could take it as an example, I guess it would make your life easier ;)

Does anyone else have more ideas or comments? Before Martin starts "digging" deeper?

Regards,
Duarte Silva

>> Regards,
>> Duarte Silva
>>
>> On Sunday 27 November 2011 21:44:51 Martin Holst Swende wrote:
>>> On 11/25/2011 11:26 PM, Duarte Silva wrote:
>>>> Hi Martin, good idea! It would also be cool if we could limit the suggestions given with a category filter.
>>>>
>>>> Regards,
>>>> Duarte Silva
>>>
>>> Yeah, I've been thinking about that, but I can't really see a very strong use case. I mean, you'd probably want to use it to be able to filter out the common ones, but if you normally run the scan with them, they are automatically filtered anyway. As in:
>>>
>>> nmap --script "default and safe" --scriptsuggest <target>
>>>
>>> is already semantically the same as
>>>
>>> nmap --script "default and safe" --scriptsuggest "not (default and safe)"
>>>
>>> So I'm not sure if more category filters will bring much more. But if you have a good use case, I'd be glad to add it as well.
>>>
>>> Regards,
>>> Martin Swende
>>>
>>>> On Friday 25 November 2011 18:46:21 Martin Holst Swende wrote:
>>>>> ----- Original message -----
>>>>>> Is it possible to implement this as an nse script? I am not sure if scripts are able to examine rules defined in other scripts.
>>>>>
>>>>> No, it's all in nse_main.lua. It's already implemented, but needs some more polish and C-level support.
>>>>>
>>>>> /Martin
>>>>>
>>>>>> On Fri, Nov 25, 2011 at 1:42 PM, Martin Holst Swende <martin () swende se> wrote:
>>>>>>> Hi all,
>>>>>>>
>>>>>>> There are now almost 300 scripts in NSE, and while that's awesome, it is very difficult for a user to keep track of which scripts to use when. I suspect that users who do use NSE often just go with -sC, or a favourite script or two. So I've gone back to an idea I had earlier: script-suggest. The previous incarnation of this became script-help, which is definitely good to have but does not really solve the problem.
>>>>>>>
>>>>>>> The new version of my idea is that you just run a scan as normal, but append the --script-suggest directive. What you get is something like this:
>>>>>>>
>>>>>>> nmap scanme.nmap.org --script http-title --script-suggest
>>>>>>> [...]
>>>>>>> PORT     STATE SERVICE    REASON
>>>>>>> 22/tcp   open  ssh        syn-ack
>>>>>>> | script-suggest:
>>>>>>> |   banner {discovery,safe}
>>>>>>> |   ssh-hostkey {safe,default,discovery}
>>>>>>> |   ssh2-enum-algos {safe,discovery}
>>>>>>> |_  sshv1 {default,safe}
>>>>>>> 80/tcp   open  http       syn-ack
>>>>>>> |_http-title: Go ahead and ScanMe!
>>>>>>> | script-suggest:
>>>>>>> |   banner {discovery,safe}
>>>>>>> |   citrix-brute-xml {intrusive,auth}
>>>>>>> |   citrix-enum-apps-xml {discovery,safe}
>>>>>>> |   citrix-enum-servers-xml {discovery,safe}
>>>>>>> |   http-affiliate-id {safe,discovery}
>>>>>>> |   http-auth {default,auth,safe}
>>>>>>> |   http-awstatstotals-exec {vuln,intrusive,exploit}
>>>>>>> |   http-axis2-dir-traversal {vuln,intrusive,exploit}
>>>>>>> |   http-brute {intrusive,brute}
>>>>>>> |   http-cakephp-version {discovery,safe}
>>>>>>> |   http-cors {default,discovery,safe}
>>>>>>> |   http-date {discovery,safe}
>>>>>>> |   http-default-accounts {discovery,auth,safe}
>>>>>>> |   http-enum {discovery,intrusive,vuln}
>>>>>>> |   http-favicon {default,discovery,safe}
>>>>>>> |   http-form-brute {intrusive,brute}
>>>>>>> |   http-google-malware {malware,discovery,safe,external}
>>>>>>> |   http-headers {discovery,safe}
>>>>>>> |   http-iis-webdav-vuln {vuln,intrusive}
>>>>>>> |   http-joomla-brute {intrusive,brute}
>>>>>>> |   http-litespeed-sourcecode-download {vuln,intrusive,exploit}
>>>>>>> |   http-majordomo2-dir-traversal {intrusive,vuln,exploit}
>>>>>>> |   http-malware-host {malware,safe}
>>>>>>> |   http-method-tamper {safe,auth}
>>>>>>> |   http-methods {default,safe}
>>>>>>> |   http-passwd {intrusive,vuln}
>>>>>>> |   http-php-version {discovery,safe}
>>>>>>> |   http-put {discovery,intrusive}
>>>>>>> |   http-robots.txt {default,discovery,safe}
>>>>>>> |   http-trace {vuln,discovery,safe}
>>>>>>> |   http-userdir-enum {auth,intrusive}
>>>>>>> |   http-vhosts {discovery,intrusive}
>>>>>>> |   http-vmware-path-vuln {vuln,safe}
>>>>>>> |   http-vuln-cve2011-3192 {vuln,safe}
>>>>>>> |   http-waf-detect {discovery,intrusive}
>>>>>>> |   http-wordpress-brute {intrusive,brute}
>>>>>>> |   http-wordpress-enum {auth,intrusive,vuln}
>>>>>>> |   http-wordpress-plugins {discovery,intrusive}
>>>>>>> |_  sql-injection {intrusive,vuln}
>>>>>>> 9929/tcp open  nping-echo syn-ack
>>>>>>> | script-suggest:
>>>>>>> |   banner {discovery,safe}
>>>>>>> |_  nping-brute {brute,intrusive}
>>>>>>>
>>>>>>> Some points:
>>>>>>> - Script-suggest only suggests portrule-scripts, not pre- or postrule.
>>>>>>> - Script-suggest does not suggest scripts which DO run. E.g., specifying -sC --script-suggest will only give suggestions on non-default scripts.
>>>>>>> - Script-suggest loads all not already loaded scripts into NSE, checks the rules and only suggests the script if the result was positive.
>>>>>>>
>>>>>>> The output above is a preview, feedback is welcome. There is some work left to do (I haven't implemented the nmap-option on C-level yet, e.g.) so I don't submit a patch yet, just testing the waters.
>>>>>>>
>>>>>>> Thoughts?
>>>>>>>
>>>>>>> Regards
>>>>>>> Martin Holst Swende
>>>>>>> _______________________________________________
>>>>>>> Sent through the nmap-dev mailing list
>>>>>>> http://cgi.insecure.org/mailman/listinfo/nmap-dev
>>>>>>> Archived at http://seclists.org/nmap-dev/
Attachment:
smime.p7s
Description:
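The thread describes script-suggest by three rules (portrule scripts only, never suggest a script that --script already selects, suggest only when the portrule fires) and debates a category filter with expressions such as "vuln and exploit" or "not (default and safe)". The following Python model is an added example for this archive page, not code from nse_main.lua or any Nmap contributor. The script names and category sets are copied from the output quoted above; the one-line portrules, the port table, the operator precedence (not, then and, then or) and the treatment of "all" are assumptions of the example. It goes slightly beyond the thread by giving a general evaluator for the boolean category expressions, which is enough to check Martin's claim that filtering with "not (default and safe)" changes nothing when "default and safe" is already the --script selection.

```python
import re

# Toy stand-in for the NSE script database. Names and category sets come from the
# script-suggest output quoted in the thread; the portrules are hypothetical
# one-liners, not the real scripts' rules (this is an added example).
SCRIPTS = {
    "banner": ({"discovery", "safe"}, lambda p: p["state"] == "open"),
    "ssh-hostkey": ({"safe", "default", "discovery"}, lambda p: p["service"] == "ssh"),
    "http-title": ({"default", "discovery", "safe"}, lambda p: p["service"] == "http"),
    "http-trace": ({"vuln", "discovery", "safe"}, lambda p: p["service"] == "http"),
    "http-passwd": ({"intrusive", "vuln"}, lambda p: p["service"] == "http"),
    "http-axis2-dir-traversal": ({"vuln", "intrusive", "exploit"}, lambda p: p["service"] == "http"),
    "http-brute": ({"intrusive", "brute"}, lambda p: p["service"] == "http"),
}

# Constructed port table for one host, as a version scan might have filled it.
PORTS = [
    {"number": 22, "proto": "tcp", "state": "open", "service": "ssh"},
    {"number": 80, "proto": "tcp", "state": "open", "service": "http"},
]

_TOKEN = re.compile(r"\s*(\(|\)|[A-Za-z0-9_.-]+)")


def tokenize(expr):
    """Split a --script style expression into parentheses, operators and names."""
    tokens, pos, expr = [], 0, expr.strip()
    while pos < len(expr):
        m = _TOKEN.match(expr, pos)
        if not m:
            raise ValueError(f"bad character at offset {pos} in {expr!r}")
        tokens.append(m.group(1))
        pos = m.end()
    return tokens


class _Parser:
    """Recursive-descent evaluator, or_expr > and_expr > not_expr > atom, run
    directly against one script's category set. Precedence is an assumption."""

    def __init__(self, tokens, cats):
        self.toks, self.i, self.cats = tokens, 0, cats

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def take(self):
        tok = self.peek()
        self.i += 1
        return tok

    def or_expr(self):
        value = self.and_expr()
        while self.peek() == "or":
            self.take()
            rhs = self.and_expr()  # parse the right side unconditionally
            value = value or rhs
        return value

    def and_expr(self):
        value = self.not_expr()
        while self.peek() == "and":
            self.take()
            rhs = self.not_expr()
            value = value and rhs
        return value

    def not_expr(self):
        if self.peek() == "not":
            self.take()
            return not self.not_expr()
        return self.atom()

    def atom(self):
        tok = self.take()
        if tok == "(":
            value = self.or_expr()
            if self.take() != ")":
                raise ValueError("missing ')'")
            return value
        if tok is None or tok in (")", "and", "or"):
            raise ValueError(f"unexpected token {tok!r}")
        return tok == "all" or tok in self.cats  # "all" selects every script


def matches(expr, cats):
    """True if a script carrying category set `cats` is selected by `expr`."""
    parser = _Parser(tokenize(expr), cats)
    value = parser.or_expr()
    if parser.peek() is not None:
        raise ValueError(f"trailing tokens in {expr!r}")
    return value


def suggest(ports, scripts=SCRIPTS, script_expr=None, suggest_expr=None):
    """Model of the thread's rules: scripts selected by --script (script_expr)
    are never suggested, a script is suggested only when its portrule fires,
    and suggest_expr is the optional category filter Duarte asked for."""
    selected = {name for name, (cats, _) in scripts.items()
                if script_expr is not None and matches(script_expr, cats)}
    result = {}
    for port in ports:
        key = f"{port['number']}/{port['proto']}"
        hits = [name for name, (cats, portrule) in scripts.items()
                if name not in selected
                and (suggest_expr is None or matches(suggest_expr, cats))
                and portrule(port)]
        result[key] = sorted(hits)
    return result


if __name__ == "__main__":
    for port, names in suggest(PORTS, script_expr="default and safe").items():
        print(port, "script-suggest:", ", ".join(names))
    print(suggest(PORTS, suggest_expr="vuln and exploit"))
```

With script_expr="default and safe", adding suggest_expr="not (default and safe)" returns the identical dictionary, because the scripts that filter removes are exactly the ones already excluded as selected. A filter like "vuln and exploit" with no --script selection, on the other hand, narrows 80/tcp to the single exploit-category script in the toy catalogue, which is the decoupled use Duarte describes.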