Nmap Development mailing list archives
Re: Script force
From: Martin Holst Swende <martin () swende se>
Date: Sat, 03 Dec 2011 22:41:47 +0100
Nice work Djalal! On 12/01/2011 11:47 PM, Djalal Harouni wrote:
> On Tue, Nov 29, 2011 at 03:11:32PM -0800, David Fifield wrote:
> > I've tested the patch and found it to do what it's supposed to when
> > listing script names by themselves. I also found some funny interaction
> > with the "and", "or", and "not" operators. Specifically, these operators
> > always change force to false, because they do not see the second return
> > value of the m function. But additionally, it's not clear what the
> > correct interaction even is.
> I've updated the patch, the attached version supports all the following
> tests.
> > Here are some test cases I tried:
> >
> >   script name                  dport   runs?
> >   http-title                   -p22    no
> >   +http-title                  -p22    yes
> >   http-title,http-title        -p22    no
> >   http-title,+http-title       -p22    no
> >   +http-title,http-title       -p22    no
> >   +http-title,+http-title      -p22    yes
> >   http-title or http-title     -p22    no
> >   http-title or +http-title    -p22    no
> >   +http-title or http-title    -p22    no
> >   +http-title or +http-title   -p22    no
> All of them are supported.
These are my results when testing the patch:

  nmap scanme.nmap.org -p22 --script +http-title -d2
  #NSE: Script http-title.nse was selected by name and forced to run.

  nmap scanme.nmap.org -p22 --script "http-title,+http-title" -d2
  #NSE: Script http-title.nse was selected by name and forced to run.  [1]

  nmap scanme.nmap.org -p22 --script "http-title,+http-*" -d2
  #NSE: Script http-title.nse was selected by name.  [2]
  #All other http-* were forced

  nmap scanme.nmap.org -p22 --script "+http-title,http-title" -d2
  #NSE: Script http-title.nse was selected by name and forced to run.

  nmap scanme.nmap.org -p22 --script "+http-title,+http-title" -d2
  #NSE: Script http-title.nse was selected by name and forced to run.

  nmap scanme.nmap.org -p22 --script "http-title or http-title" -d2
  #NSE: Script http-title.nse was selected by name.

  nmap scanme.nmap.org -p22 --script "http-title or +http-title" -d2
  #NSE: Script http-title.nse was selected by name and forced to run.

  nmap scanme.nmap.org -p22 --script "+http-title or http-title" -d2
  #NSE: Script http-title.nse was selected by name and forced to run.

  nmap scanme.nmap.org -p22 --script "+http-title or +http-title" -d2
  #NSE: Script http-title.nse was selected by name and forced to run.

  nmap scanme.nmap.org -p22 --script "http-title or +http-*" -d2
  #NSE: Script http-title.nse was selected by name.  [3]
  #All other http-* were forced

The only inconsistency I can see is between what I have marked as [1] and
[2]&[3]: If I choose "http-title,+http-title", http-title is forced. If I
choose "http-title,+http-*" or "http-title or +http-*", http-title is not
forced. I can live with this, but if we want to be nitpicky I'd prefer if
"http-title,+http-title" did not force the script.
> > Also, even supposing that the "or" would retain the force value, what
> > should happen in cases like this?
> >
> >   http-title or +http-*
> This is also supported, http-title will be loaded normally and all the
> other scripts will be forced as suggested by Martin.
>
> "http-title or +http-*": Debug messages:
>
>   Fetchfile found /mnt/opensource/code/nmap/nmap-trunk/scripts/http-robtex-reverse-ip.nse
>   NSE: Script http-robtex-reverse-ip.nse was selected by name and forced to run.
>   Fetchfile found /mnt/opensource/code/nmap/nmap-trunk/scripts/http-title.nse
>   NSE: Script http-title.nse was selected by name.
>   Fetchfile found /mnt/opensource/code/nmap/nmap-trunk/scripts/http-trace.nse
>   NSE: Script http-trace.nse was selected by name and forced to run.
>   ...
> > Should http-title be forced in this case? It seems like it would not
> > be, because "or" will short-circuit before reading "+http-*".
> The attached patch takes another path, it will save all the forced
> patterns in a special map, later we just check this table to see if the
> current pattern is present or not, if it is then we force the script.
> This way we avoid complex operations like: check if the script was
> previously loaded and if it was forced or not: "http-title,+http-title".
>
> The selection operation of "http-title or +http-*" will be:
>
> 1) check the forced flag: forced_rules["http-*"] = true
> 2) check the rules and load scripts: "http-title or +http-*" will
>    short-circuit only for http-title, then we check
>    'forced_rules["http-title"] == nil' => do not force. For other
>    scripts 'forced_rules["http-*"] = true' the force flag will be set.
>    Note: the pattern (e.g. "http-*") is checked first then it is cleaned
>    (escaped) to match script names.
> 3) Only one instance of scripts is loaded, so http-title will not be
>    forced.
> > I also tried +(default or vuln). I didn't really expect it to work.
> > This was the output:
> >
> >   NSE: failed to initialize the script engine: [string "rule"]:1: attempt to call a boolean value
> We can also support this but it will need more regexp checks, perhaps we
> should just let users specify "+default or +vuln" as suggested by Fyodor.
> I'll try to have a look at this error.
Currently, there is an error since the globalized_rule is created on the
"+(default or vuln)" string instead of "(default or vuln)". If the
force-check/removal is moved up, it does not crash (but has no effect -
force is not used).

What happens currently is that the substring in globalize becomes empty,
since gsub will cut the input at the first "(". This is the result:

  m("")(m("default") or m("vuln"))

So either we can fix it or we can add an error message if the substring
returned by is_forced_set is empty...? Fixing it involves making the
force-flag somehow be injected into the script names correctly according
to boolean math ... something which so far cleverly has been handed over to
the lua-engine instead.

Regards,
Martin
> > I'm starting to think that it shouldn't be allowed to mix + with
> > boolean operators. In other words, only allow one script name or
> > category name between commas when a + is present. Otherwise show an
> > error message. Does this sound possible to implement? Do you have any
> > other ideas?
> I think that we can support the boolean operators, but I'm not sure,
> perhaps I've missed some use cases, more tests are welcome.
>
> Thanks.
_______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://seclists.org/nmap-dev/
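The following is an added example, not code from Nmap or from anyone in this thread. It is a small Python model of the "+" force prefix as Djalal describes it above: every "+"-prefixed pattern is collected into a forced_rules map first, the rule is then evaluated with the same short-circuiting Lua uses, and a script is forced only when the pattern that actually matched it is in that map. That is enough to reproduce Martin's results, including the [1] vs. [2]/[3] inconsistency, and to show why "+(default or vuln)" should be rejected with an error rather than crash. The script list, the portrule ports and the use of fnmatch instead of NSE's own escaped pattern are assumptions made for the example; categories are not modelled, so patterns are matched against script names only.

```python
# Added example (not Nmap's code): a model of NSE --script selection with the
# '+' force prefix, following the forced_rules map described in the thread.
import fnmatch
import re

# Constructed stand-ins for scripts/ and for the ports each script's portrule accepts.
SCRIPTS = ["http-title", "http-trace", "http-robtex-reverse-ip", "ssh-hostkey"]
PORTRULES = {"http-title": {80, 443}, "http-trace": {80, 443},
             "http-robtex-reverse-ip": {80, 443}, "ssh-hostkey": {22}}
_TOKEN = re.compile(r"\(|\)|,|\band\b|\bor\b|\bnot\b|\+?[A-Za-z0-9_.*?\-]+")


def tokenize(spec):
    """Split a --script argument into tokens; '+' may only prefix a name/pattern."""
    spec, pos, tokens = spec.strip(), 0, []
    while pos < len(spec):
        m = _TOKEN.match(spec, pos)
        if m is None:  # "+(default or vuln)" lands here: a clear error, not a Lua crash
            raise ValueError(f"bad --script expression near {spec[pos:]!r}")
        tokens.append(m.group(0))
        pos = m.end()
        while pos < len(spec) and spec[pos].isspace():
            pos += 1
    return tokens


def parse(tokens):
    """expr := term (('or'|',') term)*; term := factor ('and' factor)*;
    factor := 'not' factor | '(' expr ')' | PATTERN.  Returns (ast, forced_rules)."""
    pos, forced_rules = 0, set()

    def take(expected=None):
        nonlocal pos
        if pos >= len(tokens):
            raise ValueError("unexpected end of --script expression")
        tok = tokens[pos]
        if expected is not None and tok != expected:
            raise ValueError(f"expected {expected!r}, got {tok!r}")
        pos += 1
        return tok

    def peek():
        return tokens[pos] if pos < len(tokens) else None

    def expr():
        node = term()
        while peek() in ("or", ","):  # a comma is just another 'or'
            take()
            node = ("or", node, term())
        return node

    def term():
        node = factor()
        while peek() == "and":
            take()
            node = ("and", node, factor())
        return node

    def factor():
        tok = take()
        if tok == "not":
            return ("not", factor())
        if tok == "(":
            node = expr()
            take(")")
            return node
        if tok in (")", ",", "and", "or"):
            raise ValueError(f"unexpected {tok!r}")
        if tok.startswith("+"):  # step 1: remember the forced pattern, strip the '+'
            tok = tok[1:]
            forced_rules.add(tok)
        return ("m", tok)

    ast = expr()
    if pos != len(tokens):
        raise ValueError(f"trailing tokens {tokens[pos:]!r}")
    return ast, forced_rules


def select(spec, script):
    """Evaluate the rule for one script name; returns (selected, forced)."""
    ast, forced_rules = parse(tokenize(spec))
    state = {"forced": False}

    def ev(node):
        op = node[0]
        if op == "m":  # step 2: only the pattern that matched is looked up in the map
            hit = fnmatch.fnmatchcase(script, node[1])
            if hit and node[1] in forced_rules:
                state["forced"] = True
            return hit
        if op == "not":
            return not ev(node[1])
        if op == "and":
            return ev(node[1]) and ev(node[2])
        return ev(node[1]) or ev(node[2])  # short-circuits exactly as Lua's 'or' does

    selected = ev(ast)
    return selected, selected and state["forced"]


def runs(spec, script, port):
    """Would `script` run against `port`? A forced script bypasses its portrule."""
    selected, forced = select(spec, script)
    return selected and (forced or port in PORTRULES.get(script, set()))


if __name__ == "__main__":
    for s in ("http-title,+http-title", "http-title,+http-*", "http-title or +http-*"):
        print(f"{s!r}:", [(n, *select(s, n)) for n in SCRIPTS if select(s, n)[0]])
```

With "http-title,+http-title" the first operand already matches and its key "http-title" is in forced_rules, so the script is forced; with "http-title,+http-*" or "http-title or +http-*" the first operand matches too, but "http-title" is not a key (only "http-*" is), so http-title loads normally while the remaining http-* scripts are forced. Whether that is the desired semantics is exactly the question left open in the thread; the model only makes the consequence of the map-keyed check visible.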
Current thread:
- Re: Script force, (continued)
- Re: Script force Djalal Harouni (Nov 15)
- Re: Script force Martin Holst Swende (Nov 16)
- Re: Script force Martin Holst Swende (Nov 16)
- Re: Script force Duarte Silva (Nov 16)
- Re: Script force Djalal Harouni (Nov 19)
- Re: Script force Martin Holst Swende (Nov 19)
- Re: Script force David Fifield (Nov 29)
- Re: Script force Martin Holst Swende (Nov 30)
- Re: Script force Fyodor (Nov 30)
- Re: Script force Djalal Harouni (Dec 01)
- Re: Script force Martin Holst Swende (Dec 03)
- Re: Script force Patrick Donnelly (Dec 04)
- Re: Script force - Named probes Djalal Harouni (Dec 04)
- Re: Script force - Named probes Martin Holst Swende (Dec 04)
- Re: Script force - Named probes Djalal Harouni (Dec 04)
- Re: Script force Martin Holst Swende (Nov 16)
- Re: Script force - Named probes Patrick Donnelly (Dec 15)
- Re: Script force - Named probes Martin Holst Swende (Dec 16)
- Re: Script force - Named probes Djalal Harouni (Dec 18)
- Re: Script force Djalal Harouni (Nov 15)
- Re: Script force Martin Holst Swende (Dec 07)
- Re: Script force Patrick Donnelly (Dec 07)
- Re: Script force Martin Holst Swende (Dec 07)