Nmap Development mailing list archives

Re: Script force

From: Martin Holst Swende <martin () swende se>
Date: Sat, 03 Dec 2011 22:41:47 +0100

Nice work Djalal!

On 12/01/2011 11:47 PM, Djalal Harouni wrote:

On Tue, Nov 29, 2011 at 03:11:32PM -0800, David Fifield wrote:

I've tested the patch and found it to do what it's supposed to when
listing script names by themselves. I also found some funny interaction
with the "and", "or", and "not" operators. Specifically, these operators
always change force to false, because they do not see the second return
value of the m function. But additionally, it's not clear what the
correct interaction even is.

I've updated the patch, the attached version supports all the following
tests.

Here are some test cases I tried:

script name                  dport   runs?
http-title                   -p22            no
+http-title                  -p22    yes
http-title,http-title                -p22            no
http-title,+http-title               -p22            no
+http-title,http-title               -p22            no
+http-title,+http-title              -p22    yes
http-title or http-title     -p22            no
http-title or +http-title    -p22            no
+http-title or http-title    -p22            no
+http-title or +http-title   -p22            no

All of them are supported.

These are my results when testing the patch:
nmap scanme.nmap.org -p22 --script +http-title -d2
#NSE: Script http-title.nse was selected by name and forced to run.
nmap scanme.nmap.org -p22 --script "http-title,+http-title" -d2
#NSE: Script http-title.nse was selected by name and forced to run.[1]
nmap scanme.nmap.org -p22 --script "http-title,+http-*" -d2
#NSE: Script http-title.nse was selected by name.[2]
#All other http-* was were forced
nmap scanme.nmap.org -p22 --script "+http-title,http-title" -d2
#NSE: Script http-title.nse was selected by name and forced to run.
nmap scanme.nmap.org -p22 --script "+http-title,+http-title" -d2
#NSE: Script http-title.nse was selected by name and forced to run.
nmap scanme.nmap.org -p22 --script "http-title or http-title" -d2
#NSE: Script http-title.nse was selected by name.
nmap scanme.nmap.org -p22 --script "http-title or +http-title" -d2
#NSE: Script http-title.nse was selected by name and forced to run.
nmap scanme.nmap.org -p22 --script "+http-title or http-title" -d2
#NSE: Script http-title.nse was selected by name and forced to run.
nmap scanme.nmap.org -p22 --script "+http-title or +http-title" -d2
#NSE: Script http-title.nse was selected by name and forced to run.
nmap scanme.nmap.org -p22 --script "http-title or +http-*" -d2
#NSE: Script http-title.nse was selected by name. [3]
#All other http-* was were forced

The only inconsistency I can see is between what I have marked as [1]
and [2]&[3] :
If I choose "http-title,+http-title", http-title is forced.
If I choose "http-title,+http-*" OR "http-title,+http-*", http-title is
not forced.

I can live with this, but if we want to be nitpicky I'd prefer if
"http-title,+http-title" did not force the script.

Also, even supposing that the "or" would retain the force value, what
should happen in cases like this?
     http-title or +http-*

This is also supported, http-title will be loaded normally and all the
other scripts will be forced as suggested by Martin.

"http-title or +http-*":
Debug messages:
Fetchfile found /mnt/opensource/code/nmap/nmap-trunk/scripts/http-robtex-reverse-ip.nse
NSE: Script http-robtex-reverse-ip.nse was selected by name and forced to run.
Fetchfile found /mnt/opensource/code/nmap/nmap-trunk/scripts/http-title.nse
NSE: Script http-title.nse was selected by name.
Fetchfile found /mnt/opensource/code/nmap/nmap-trunk/scripts/http-trace.nse
NSE: Script http-trace.nse was selected by name and forced to run.
...

Should http-title be forced in this case? It seems like it would not be,
because "or" will short-circuit before reading "+http-*".

The attached patch takes another path, it will save all the forced
patterns in a special map, later we just check this table to see if the
current pattern is present or not, if it is then we force the script.

This way we avoid complex operations like: check if the script was
previously loaded and if it was forced or not: "http-title,+http-title".


The selection operation of "http-title or +http-*" will be:

1) check the forced flag:
   forced_rules["http-*"] = true

2) check the rules and load scripts:
   "http-title or +http-*" will short-circiut only for http-title, then
   we check 'forced_rules["http-title"] == nil' => do not force.

   For other scripts 'forced_rules["http-*"] = true' the force flag will
   be set.

   Note: the pattern (e.g. "http-*") is checked first then it is cleaned
   (escaped) to match script names.

3) Only a one instance of scripts is loaded, so http-title will not be
   forced.

I also tried
     +(default or vuln)
I didn't really expect it to work. This was the output:
     NSE: failed to initialize the script engine:
     [string "rule"]:1: attempt to call a boolean value

We can also support this but it will need more regexp checks, perhaps we
should just let users specify "+default or +vuln" as suggested by
Fyodor.

I'll try to have a look at this error.


Currently, there is an error since the globalized_rule is created on the
"+(default or vuln)" string instead of "(default or vuln)".
If the force-check/removal is moved up, it does not crash (but has no
effect - force is not used)
What happens currently is that the substring in globalize becomes empty,
since gsub will cut the input at first "(". This is the result:

m("")(m("default") or m("vuln"))

So either we can fix it or we can add an error message if the substring
returned by is_forced_set
is empty...? Fixing it involves making the force-flag somehow being
injected into the script names correctly according to boolean
math ... something which so far cleverly has been handed over to the
lua-engine instead.


Regards,
Martin

I'm starting to think that it shouldn't be allowed to mix + with boolean
operators. In other words, only allow one script name or category name
between commas when a + is present. Otherwise show an error message.
Does this sound possible to implement? Do you have any other ideas?

I think that we can support the boolean operators, but I'm not sure,
perhaps I've missed some use cases, more tests are welcome.

Thanks.


_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/

Current thread:

Re: Script force, (continued)
- Re: Script force Djalal Harouni (Nov 15)
  - Re: Script force Martin Holst Swende (Nov 16)
    - Re: Script force Martin Holst Swende (Nov 16)
    - Re: Script force Duarte Silva (Nov 16)
    - Re: Script force Djalal Harouni (Nov 19)
    - Re: Script force Martin Holst Swende (Nov 19)
    - Re: Script force David Fifield (Nov 29)
    - Re: Script force Martin Holst Swende (Nov 30)
    - Re: Script force Fyodor (Nov 30)
    - Re: Script force Djalal Harouni (Dec 01)
    - Re: Script force Martin Holst Swende (Dec 03)
    - Re: Script force Patrick Donnelly (Dec 04)
    - Re: Script force - Named probes Djalal Harouni (Dec 04)
    - Re: Script force - Named probes Martin Holst Swende (Dec 04)
    - Re: Script force - Named probes Djalal Harouni (Dec 04)
    - Re: Script force - Named probes Patrick Donnelly (Dec 15)
    - Re: Script force - Named probes Martin Holst Swende (Dec 16)
    - Re: Script force - Named probes Djalal Harouni (Dec 18)
    - Re: Script force Martin Holst Swende (Dec 07)
    - Re: Script force Patrick Donnelly (Dec 07)
    - Re: Script force Martin Holst Swende (Dec 07)

(Thread continues...)