Nmap Development mailing list archives
Script suggestions, take #3
From: Martin Holst Swende <martin () swende se>
Date: Sat, 04 Feb 2012 22:28:34 +0100
Hi list,

I have now re-added script-suggest based on the latest head, which had changed quite a bit with the additions of force and script-args-file. I also fixed the issue where the suggestions weren't run if no script was selected.

Quite a few files are modified (mostly minor), most work is in nse_main.lua. I had to refactor it a bit in order to first load normal scripts, then load "suggestable" scripts in a second batch, which meant separating the loader into a separate function.

Example output:

nmap scanme.nmap.org --script-suggest "auth and not vuln" -p80

Starting Nmap 5.61TEST4 ( http://nmap.org ) at 2012-02-04 22:23 CET
Nmap scan report for scanme.nmap.org (74.207.244.221)
Host is up (0.19s latency).
PORT   STATE SERVICE
80/tcp open  http
| script-suggest:
|   citrix-brute-xml {intrusive,auth}
|   http-auth {default,auth,safe}
|   http-default-accounts {discovery,auth,safe}
|   http-domino-enum-passwords {intrusive,auth}
|_  http-userdir-enum {auth,intrusive}

I consider this feature finished, but would like some more eyes on it, especially where I've touched the nse core stuff. Hoping to make this stuff my first commit :)

Attached the svn diff.

Regards,
Martin

On 12/02/2011 08:35 AM, Martin Holst Swende wrote:
> On 11/28/2011 01:52 AM, David Fifield wrote:
>> On Sun, Nov 27, 2011 at 10:34:44PM +0000, Duarte Silva wrote:
>>> The script option may be specified without arguments. So if you could take it as an example I guess it would make your life easier ;)
>>
>> --script requires an argument. You may be thinking of -sC (which is really the short option -s taking the argument "C" in disguise). It's possible to have options that take optional arguments, but I don't think we should because it works in a surprising way. It requires you to use '=' instead of a space after the option.
>>
>> David Fifield
>> _______________________________________________
>> Sent through the nmap-dev mailing list
>> http://cgi.insecure.org/mailman/listinfo/nmap-dev
>> Archived at http://seclists.org/nmap-dev/
>
> I now have it almost ready. This is the second attempt to send this, the first mail was rejected (it was a bit too large). Below is some sample output.
>
> I have some problems getting the script engine to run if I don't simultaneously use a real script. The nse_main loads just fine, but the correct entry-point does not seem to load (either that, or there is no thread created for it). Will look into it more, but if anyone has any pointers that'd be great.
>
> Attached are the modified files, so you can test it yourselves. I added some stuff to nse_utility which I'm sure could use an extra pair of eyes. Other than that, the largest modifications are in nse_main, but most of it comes from me having to break up a function in order to reuse it for both script- and script-suggest rules. Oh, and the old force-stuff is in there as well, though I haven't done anything more on that. I can provide separate patches later, but as I said, this is mostly for testing and not commit-ready anyway. It should work fine with at least r27295.
> nmap scanme.nmap.org -p22,80,21,554,9929 --script http-title -sCS -d -v -n
>
> PORT     STATE  SERVICE    REASON
> 21/tcp   closed ftp        conn-refused
> 22/tcp   open   ssh        syn-ack
> | script-suggest:
> |   banner {discovery,safe}
> |   ssh-hostkey {safe,default,discovery}
> |   ssh2-enum-algos {safe,discovery}
> |   sshv1 {default,safe}
> |_  unusual-port {safe}
> 80/tcp   open   http       syn-ack
> |_http-title: Go ahead and ScanMe!
> | script-suggest:
> |   banner {discovery,safe}
> |   citrix-brute-xml {intrusive,auth}
> |   citrix-enum-apps-xml {discovery,safe}
> |   citrix-enum-servers-xml {discovery,safe}
> |   http-affiliate-id {safe,discovery}
> |   http-auth {default,auth,safe}
> |   http-awstatstotals-exec {vuln,intrusive,exploit}
> |   http-axis2-dir-traversal {vuln,intrusive,exploit}
> |   http-brute {intrusive,brute}
> |   http-cakephp-version {discovery,safe}
> |   http-cors {default,discovery,safe}
> |   http-date {discovery,safe}
> |   http-default-accounts {discovery,auth,safe}
> |   http-enum {discovery,intrusive,vuln}
> |   http-favicon {default,discovery,safe}
> |   http-form-brute {intrusive,brute}
> |   http-google-malware {malware,discovery,safe,external}
> |   http-headers {discovery,safe}
> |   http-iis-webdav-vuln {vuln,intrusive}
> |   http-joomla-brute {intrusive,brute}
> |   http-litespeed-sourcecode-download {vuln,intrusive,exploit}
> |   http-majordomo2-dir-traversal {intrusive,vuln,exploit}
> |   http-malware-host {malware,safe}
> |   http-method-tamper {safe,auth}
> |   http-methods {default,safe}
> |   http-passwd {intrusive,vuln}
> |   http-php-version {discovery,safe}
> |   http-put {discovery,intrusive}
> |   http-robots.txt {default,discovery,safe}
> |   http-trace {vuln,discovery,safe}
> |   http-userdir-enum {auth,intrusive}
> |   http-vhosts {discovery,intrusive}
> |   http-vmware-path-vuln {vuln,safe}
> |   http-vuln-cve2011-3192 {vuln,safe}
> |   http-vuln-cve2011-3368 {intrusive,vuln}
> |   http-waf-detect {discovery,intrusive}
> |   http-wordpress-brute {intrusive,brute}
> |   http-wordpress-enum {auth,intrusive,vuln}
> |   http-wordpress-plugins {discovery,intrusive}
> |   sql-injection {intrusive,vuln}
> |_  unusual-port {safe}
> 554/tcp  closed rtsp       conn-refused
> 9929/tcp open   nping-echo syn-ack
> | script-suggest:
> |   banner {discovery,safe}
> |   nping-brute {brute,intrusive}
> |_  unusual-port {safe}
>
> command.go.*.lua=/home/martin/tools/nmap2/nmap scanme.nmap.org -p22,80,21,554,9929 --script http-title --script-suggest "intrusive or vuln"-d -v -n
>
> PORT     STATE  SERVICE
> 21/tcp   closed ftp
> 22/tcp   open   ssh
> 80/tcp   open   http
> |_http-title: Go ahead and ScanMe!
> | script-suggest:
> |   citrix-brute-xml {intrusive,auth}
> |   http-awstatstotals-exec {vuln,intrusive,exploit}
> |   http-axis2-dir-traversal {vuln,intrusive,exploit}
> |   http-brute {intrusive,brute}
> |   http-enum {discovery,intrusive,vuln}
> |   http-form-brute {intrusive,brute}
> |   http-iis-webdav-vuln {vuln,intrusive}
> |   http-joomla-brute {intrusive,brute}
> |   http-litespeed-sourcecode-download {vuln,intrusive,exploit}
> |   http-majordomo2-dir-traversal {intrusive,vuln,exploit}
> |   http-passwd {intrusive,vuln}
> |   http-put {discovery,intrusive}
> |   http-userdir-enum {auth,intrusive}
> |   http-vhosts {discovery,intrusive}
> |   http-vuln-cve2011-3368 {intrusive,vuln}
> |   http-waf-detect {discovery,intrusive}
> |   http-wordpress-brute {intrusive,brute}
> |   http-wordpress-enum {auth,intrusive,vuln}
> |   http-wordpress-plugins {discovery,intrusive}
> |_  sql-injection {intrusive,vuln}
> 554/tcp  closed rtsp
> 9929/tcp open   nping-echo
> | script-suggest:
> |_  nping-brute {brute,intrusive}
Attachment: svndiff.txt
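The sample output above shows a category expression such as "auth and not vuln" being matched against each candidate script's category set. The following Lua is an added illustration of that matching, written for this archive page; it is not taken from Martin's svn diff or from nse_main.lua. The script catalogue is constructed from the names and categories printed above, and the technique (running the expression as a Lua boolean chunk inside an environment whose variable lookups report category membership) is one possible implementation, assumed here rather than copied from the patch.

```lua
-- Constructed catalogue: a few of the http scripts from the sample output,
-- keyed by script name, with their categories as listed there.
local catalogue = {
  ["citrix-brute-xml"]           = {"intrusive", "auth"},
  ["http-auth"]                  = {"default", "auth", "safe"},
  ["http-default-accounts"]      = {"discovery", "auth", "safe"},
  ["http-domino-enum-passwords"] = {"intrusive", "auth"},
  ["http-userdir-enum"]          = {"auth", "intrusive"},
  ["http-vuln-cve2011-3368"]     = {"intrusive", "vuln"},
  ["http-wordpress-enum"]        = {"auth", "intrusive", "vuln"},
}

-- Compile a category expression ("auth and not vuln") once into a predicate
-- over a script's category list. The expression is plain Lua boolean syntax;
-- every bare identifier is resolved through an environment that answers
-- "does the current script carry this category?" (unknown names are false).
-- The environment holds no other globals, so the expression cannot call
-- anything; assignments inside it are rejected.
local function compile_expr(expr)
  local cats -- category set of the script currently being tested
  local env = setmetatable({}, {
    __index    = function(_, name) return cats[name] == true end,
    __newindex = function(_, name) error("assignment not allowed: " .. name) end,
  })
  local chunk, err
  if setfenv then -- Lua 5.1 (the version Nmap shipped in 2012)
    chunk, err = loadstring("return " .. expr, "=expr")
    if chunk then setfenv(chunk, env) end
  else            -- Lua 5.2 and later
    chunk, err = load("return " .. expr, "=expr", "t", env)
  end
  assert(chunk, err)
  return function(categories)
    cats = {}
    for _, c in ipairs(categories) do cats[c] = true end
    return chunk() == true
  end
end

-- Names of the catalogue scripts whose categories satisfy the expression, sorted.
local function suggest(expr, scripts)
  local match, out = compile_expr(expr), {}
  for name, categories in pairs(scripts) do
    if match(categories) then out[#out + 1] = name end
  end
  table.sort(out)
  return out
end

for _, name in ipairs(suggest("auth and not vuln", catalogue)) do
  print(name .. " {" .. table.concat(catalogue[name], ",") .. "}")
end
```

Run against this catalogue, "auth and not vuln" keeps the five scripts printed for port 80 in the first example and drops the two that also carry vuln; swapping in "intrusive or vuln" reproduces the selection logic of the second sample run.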