Nmap Development mailing list archives

Re: Script suggestions


From: Martin Holst Swende <martin () swende se>
Date: Fri, 02 Dec 2011 08:35:52 +0100

On 11/28/2011 01:52 AM, David Fifield wrote:
> On Sun, Nov 27, 2011 at 10:34:44PM +0000, Duarte Silva wrote:
>> The script option may be specified without arguments. So if you could take it
>> as an example I guess it would make your life easier ;)
> --script requires an argument. You may be thinking of -sC (which is
> really the short option -s taking the argument "C" in disguise).
>
> It's possible to have options that take optional arguments, but I don't
> think we should because it works in a surprising way. It requires you to
> use '=' instead of a space after the option.
>
> David Fifield
> _______________________________________________
> Sent through the nmap-dev mailing list
> http://cgi.insecure.org/mailman/listinfo/nmap-dev
> Archived at http://seclists.org/nmap-dev/


I now have it almost ready. This is the second attempt to send this; the first
mail was rejected (it was a bit too large).

Below is some sample output. I have some
problems getting the script engine to run if I don't simultaneously use a
real script. The nse_main loads just fine, but the correct
entry-point does not seem to load (either that, or there is no thread
created for it). Will look into it more, but if anyone has any pointers
that'd be great.

Attached are the modified files, so you can test it
yourselves. I added some stuff to nse_utility which I'm sure could use
an extra pair of eyes. Other than that, the largest modifications are in
nse_main, but most of it comes from me having to break up a function in
order to reuse it for both script- and script-suggest rules.
Oh, and the old force-stuff is in there as well, though I haven't done
anything more on that. I can provide separate patches later, but as I
said, this is mostly for testing and not commit-ready anyway.

It should work fine with at least r27295.

nmap scanme.nmap.org -p22,80,21,554,9929 --script http-title -sCS -d -v -n

PORT     STATE  SERVICE    REASON
21/tcp   closed ftp        conn-refused
22/tcp   open   ssh        syn-ack
| script-suggest:
|   banner {discovery,safe}
|   ssh-hostkey {safe,default,discovery}
|   ssh2-enum-algos {safe,discovery}
|   sshv1 {default,safe}
|_  unusual-port {safe}
80/tcp   open   http       syn-ack
|_http-title: Go ahead and ScanMe!
| script-suggest:
|   banner {discovery,safe}
|   citrix-brute-xml {intrusive,auth}
|   citrix-enum-apps-xml {discovery,safe}
|   citrix-enum-servers-xml {discovery,safe}
|   http-affiliate-id {safe,discovery}
|   http-auth {default,auth,safe}
|   http-awstatstotals-exec {vuln,intrusive,exploit}
|   http-axis2-dir-traversal {vuln,intrusive,exploit}
|   http-brute {intrusive,brute}
|   http-cakephp-version {discovery,safe}
|   http-cors {default,discovery,safe}
|   http-date {discovery,safe}
|   http-default-accounts {discovery,auth,safe}
|   http-enum {discovery,intrusive,vuln}
|   http-favicon {default,discovery,safe}
|   http-form-brute {intrusive,brute}
|   http-google-malware {malware,discovery,safe,external}
|   http-headers {discovery,safe}
|   http-iis-webdav-vuln {vuln,intrusive}
|   http-joomla-brute {intrusive,brute}
|   http-litespeed-sourcecode-download {vuln,intrusive,exploit}
|   http-majordomo2-dir-traversal {intrusive,vuln,exploit}
|   http-malware-host {malware,safe}
|   http-method-tamper {safe,auth}
|   http-methods {default,safe}
|   http-passwd {intrusive,vuln}
|   http-php-version {discovery,safe}
|   http-put {discovery,intrusive}
|   http-robots.txt {default,discovery,safe}
|   http-trace {vuln,discovery,safe}
|   http-userdir-enum {auth,intrusive}
|   http-vhosts {discovery,intrusive}
|   http-vmware-path-vuln {vuln,safe}
|   http-vuln-cve2011-3192 {vuln,safe}
|   http-vuln-cve2011-3368 {intrusive,vuln}
|   http-waf-detect {discovery,intrusive}
|   http-wordpress-brute {intrusive,brute}
|   http-wordpress-enum {auth,intrusive,vuln}
|   http-wordpress-plugins {discovery,intrusive}
|   sql-injection {intrusive,vuln}
|_  unusual-port {safe}
554/tcp  closed rtsp       conn-refused
9929/tcp open   nping-echo syn-ack
| script-suggest:
|   banner {discovery,safe}
|   nping-brute {brute,intrusive}
|_  unusual-port {safe}

command.go.*.lua=/home/martin/tools/nmap2/nmap scanme.nmap.org
-p22,80,21,554,9929 --script http-title --script-suggest "intrusive or
vuln"-d -v -n

PORT     STATE  SERVICE
21/tcp   closed ftp
22/tcp   open   ssh
80/tcp   open   http
|_http-title: Go ahead and ScanMe!
| script-suggest:
|   citrix-brute-xml {intrusive,auth}
|   http-awstatstotals-exec {vuln,intrusive,exploit}
|   http-axis2-dir-traversal {vuln,intrusive,exploit}
|   http-brute {intrusive,brute}
|   http-enum {discovery,intrusive,vuln}
|   http-form-brute {intrusive,brute}
|   http-iis-webdav-vuln {vuln,intrusive}
|   http-joomla-brute {intrusive,brute}
|   http-litespeed-sourcecode-download {vuln,intrusive,exploit}
|   http-majordomo2-dir-traversal {intrusive,vuln,exploit}
|   http-passwd {intrusive,vuln}
|   http-put {discovery,intrusive}
|   http-userdir-enum {auth,intrusive}
|   http-vhosts {discovery,intrusive}
|   http-vuln-cve2011-3368 {intrusive,vuln}
|   http-waf-detect {discovery,intrusive}
|   http-wordpress-brute {intrusive,brute}
|   http-wordpress-enum {auth,intrusive,vuln}
|   http-wordpress-plugins {discovery,intrusive}
|_  sql-injection {intrusive,vuln}
554/tcp  closed rtsp
9929/tcp open   nping-echo
| script-suggest:
|_  nping-brute {brute,intrusive}



Attachment: suggest.zip
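A small, self-contained model of the category filter this feature exposes, added here as an example and not taken from the attached suggest.zip or from Nmap's own nse_main: it parses script-suggest blocks of the shape shown above into per-port lists of (script, categories) and evaluates a category expression over them using the same and/or/not/parentheses vocabulary the --script option already accepts. The sample text is the 21, 22 and 9929/tcp portion of the first run (the port-80 block is left out only for length); the precedence (not binds tightest, then and, then or) and the case-insensitive category matching are this example's own choices, not something the patch is known to do. With "intrusive or vuln" it reproduces the second run's result for those ports: no block for 22/tcp, only nping-brute for 9929/tcp.

```python
import re

# Constructed sample: the 21, 22 and 9929/tcp portion of the first run above,
# copied verbatim so the parser sees real-shaped nmap output.
SAMPLE_OUTPUT = """\
PORT     STATE  SERVICE    REASON
21/tcp   closed ftp        conn-refused
22/tcp   open   ssh        syn-ack
| script-suggest:
|   banner {discovery,safe}
|   ssh-hostkey {safe,default,discovery}
|   ssh2-enum-algos {safe,discovery}
|   sshv1 {default,safe}
|_  unusual-port {safe}
9929/tcp open   nping-echo syn-ack
| script-suggest:
|   banner {discovery,safe}
|   nping-brute {brute,intrusive}
|_  unusual-port {safe}
"""

PORT_RE = re.compile(r"^(?P<port>\d+/(?:tcp|udp))\s")
# One "|   name {cat,cat}" line; the last line of a block starts with "|_".
LINE_RE = re.compile(r"^\|_?\s+(?P<name>[\w.-]+)\s+\{(?P<cats>[^}]*)\}\s*$")
# Expression tokens: a parenthesis or a bare word (and/or/not/category name).
TOKEN_RE = re.compile(r"\(|\)|[A-Za-z0-9_.-]+")


def parse_suggestions(text):
    """Map 'port/proto' -> [(script_name, frozenset_of_categories), ...]."""
    found, port = {}, None
    for line in text.splitlines():
        pm = PORT_RE.match(line)
        if pm:
            port = pm.group("port")
            found[port] = []
            continue
        m = LINE_RE.match(line)
        if m and port is not None:
            cats = frozenset(c.strip().lower() for c in m.group("cats").split(",") if c.strip())
            found[port].append((m.group("name"), cats))
    return found


def compile_category_expr(expr):
    """Predicate over a category set from e.g. 'intrusive or (vuln and not safe)'.
    Precedence is this example's choice: not binds tightest, then and, then or."""
    if TOKEN_RE.sub("", expr).strip():
        raise ValueError("unexpected characters in %r" % expr)
    toks = [t if t in "()" else t.lower() for t in TOKEN_RE.findall(expr)]
    pos = [0]  # cursor shared by the nested recursive-descent functions

    def peek():
        return toks[pos[0]] if pos[0] < len(toks) else None

    def take():
        tok = peek()
        pos[0] += 1
        return tok

    def parse_or():  # expr := term ('or' term)*
        pred = parse_and()
        while peek() == "or":
            take()
            pred = (lambda a, b: lambda cats: a(cats) or b(cats))(pred, parse_and())
        return pred

    def parse_and():  # term := factor ('and' factor)*
        pred = parse_factor()
        while peek() == "and":
            take()
            pred = (lambda a, b: lambda cats: a(cats) and b(cats))(pred, parse_factor())
        return pred

    def parse_factor():  # factor := 'not' factor | '(' expr ')' | CATEGORY
        tok = take()
        if tok == "not":
            inner = parse_factor()
            return lambda cats: not inner(cats)
        if tok == "(":
            inner = parse_or()
            if take() != ")":
                raise ValueError("missing ')' in %r" % expr)
            return inner
        if tok in (None, "and", "or", ")"):
            raise ValueError("expected a category name, got %r" % tok)
        return lambda cats, name=tok: name in cats

    pred = parse_or()
    if peek() is not None:
        raise ValueError("trailing token %r in %r" % (peek(), expr))
    return pred


def filter_suggestions(by_port, expr):
    """Apply expr to each port's list; ports left with no script are dropped,
    which is what the second run above shows for 22/tcp."""
    pred = compile_category_expr(expr)
    kept = {}
    for port, scripts in by_port.items():
        names = [name for name, cats in scripts if pred(cats)]
        if names:
            kept[port] = names
    return kept
```

Fed the port-80 block of the first run instead, the same "intrusive or vuln" expression also selects http-trace, http-vmware-path-vuln and http-vuln-cve2011-3192 (each tagged vuln and safe), which the second run does not list; the second run's port-80 list is exactly the set of scripts tagged intrusive. That difference is a useful regression check to keep beside the expression handling in the patch.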