Re: GSoC 2012 Project - Vulnerability and exploitation specialist

[Aleksandar Nikolic <nikolic.alek () gmail com>]

I've been meaning to ask about that.
I am not sure if that check (check if that is really RDP we are talking to)
is really necessary?
> From the testing for vulnerability point of view, it's not.
Doesn't nmap already fingerprints the port?
And apparently some versions of RDP return different results there.
I'll try to drop that check and test the script and will send you a patch
if it works.


Regards,
Aleksandar


On Thu, Mar 29, 2012 at 1:44 PM, Djalal Harouni <tixxdz () opendz org> wrote:

> On Wed, Mar 28, 2012 at 10:38:00PM -0700, David Fifield wrote:
> > If the script finds a service that is not RDP, it marks it NOT_VULN. Is
> > that the convention in other scripts? It seems like it should simply
> NOT_VULN should only be set if we are sure that it's not vulnerable.
> From the doc:
> "NOT_VULN: The program was confirmed to be not vulnerable."
>
> I've attached a small patch, please David check it (I don't have a test
> machine).
>
>
> Currently the behaviour of vulns.lua library IIRC is:
> If the state is not set correctly then entries will be ignored with a
> debug message.
>
> make_output() will always terminate with:
> return stdnse.format_output(true, output)
> or
> return nil  -- no entries
>
>
> > leave it unset in this case, because we really don't have positive
> > confirmation that the vulnerability is not present. We have roughly the
> > same level of knowledge as if the script had not been run.
> What other scripts do (at least the ones I've written):
>
> local status, err = check_service(ftp_opts = {vuln,...})
> if not status then
>  stdnse.print_debug(1, "%s: %s", SCRIPT_NAME, err)
>  return nil
> end
>
> return report:make_output(ftp_opts.vuln)
> end of script
>
>
> check_service() will return false if it's not the correct service or if
> there was a network error, otherwise it will always return true.
>
>
> check_service() algo:
>
> 1) If it is not the correct service:
>   check_service() will return false
>
>   and later terminate the script with this:
>   if not status then
>      stdnse.print_debug(1, "%s: %s", SCRIPT_NAME, err)
>      return nil
>      -- terminate the script
>   end
>
>
> 2) It's the right service:
>   check_service() check the version or any returned bytes or goto (3)
>
>   vuln.state = vulns.STATE.NOT_VULN
>   or
>   vuln.state = vulns.STATE.LIKELY_VULN
>
>
>   Now it depends on user choice and exploitability of vulnerability or ...
>
>
>   check_service() will return true
>   or
>   continue and force the check and goto (3)
>
>
> 3) Do the final check (or force the final check) and confirm:
>
>   vuln.state = vulns.STATE.NOT_VULN
>   or
>   vuln.state = vulns.STATE.VULN
>   or
>   vuln.state = vulns.STATE.EXPLOIT
>   or
>   vuln.state = vulns.STATE.DoS
>
>   at this point check_service() will return true unless there was a
>   network error ...
>
>
>
> I think that this can be a good standard and it will save time, all my
> scripts do the same (hope they are correct :) )
>
> check ftp-vuln-cve2010-4221.nse ...
>
>
> Thanks.
>
> --
> tixxdz
> http://opendz.org
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/