Nmap Development mailing list archives
[NSE] Vulnerability lib article - bug fixes
From: Djalal Harouni <tixxdz () opendz org>
Date: Fri, 18 Jan 2013 01:31:33 +0100
Hi list,

There is this nice article written by iphelix which covers the 'vulns' library plus some other Nmap and NSE tricks, check it yourself:
http://www.thesprawl.org/research/writing-nse-scripts-for-vulnerability-scanning/#vulnerability-management

In the same record iphelix reported a bug in the 'vulns' library, I'm pasting the discussion with the patch.

Thanks iphelix for the report.
On Thu, Jan 17, 2013 at 9:12 AM, Djalal Harouni <tixxdz () opendz org> wrote:

Hi iphelix,

Please see below

On Fri, Jan 11, 2013 at 01:42:43AM -0800, iphelix wrote:
> Hi Djalal,
> [...]
> I have a quick question regarding the information available to postrule_action function like this one:
>
> local stdnse = require "stdnse"
> local string = require "string"
> local table = require "table"
> local vulns = require "vulns"
>
> -- FID: the filter id returned by vulns.save_reports(), assumed to be
> -- set by the script's prerule_action before the postrule runs
> postrule_action = function()
>   -- retrieve every report saved under this filter id
>   local list = vulns.find(FID, {})
>   if list then
>     local out = {}
>     for _, vuln_table in ipairs(list) do
>       local state = vulns.STATE_MSG[vuln_table.state]
>       local ip = vuln_table.host.ip
>       local port = vuln_table.port.number
>       table.insert(out, string.format("%s - %d - %s", ip, port, state))
>     end
>     return stdnse.format_output(true, out)
>   end
> end
>
> The above script will show IP:PORT:VULN_STATE for scanned hosts. The issue (or a user error) that I ran into is the case where the vulnerability is present on multiple ports (e.g. ports 80 and 443). It looks like the above script is only reporting on the first instance based on the port output and does not store the second instance on a different port.

So thank you for all this explanation!

> Let's say a vulnerability was found both on ports 80 and 443
>
> So the output would be:
>
> Post-scan script results:
> | vulns-post-process:
> | IP1 - 80 - VULNERABLE
> |_ IP2 - 80 - VULNERABLE
>
> and not
>
> Post-scan script results:
> | vulns-post-process:
> | IP1 - 80 - VULNERABLE
> | IP1 - 443 - VULNERABLE
> | IP2 - 80 - VULNERABLE
> |_ IP2 - 443 - VULNERABLE
>
> Is this expected based on the data structure inside nmap.registry? Any thoughts on preserving port information?

Yes, we were just making the host vulnerable to that entry... and you are right, not just about port information, we also need new vulnerability information since it may differ between ports 80 and 443 ...

I've attached a patch, can you please try it, it should handle all the variants, and we make a new entry for each {host_ip/host_name:port_number}

> Thanks,
> -Peter

Thanks Peter
-- tixxdz http://opendz.org
Attachment: nmap-nse-vulns.lua.patch
_______________________________________________ Sent through the dev mailing list http://nmap.org/mailman/listinfo/dev Archived at http://seclists.org/nmap-dev/
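The registry behaviour discussed in the thread, as an added example in plain Lua that is not code from the thread, the article or the vulns library itself: a small model where reports are stored either keyed by host (which drops the port 443 entries, as iphelix observed) or keyed by host:port (one entry per {host_ip:port_number}, as the patch intends), with the postrule loop from the message replayed over each. The report tables, key functions and STATE_MSG values are constructed for the example.

```lua
-- Added example (not the vulns library): a model of the registry keying bug.
-- `register` keeps one entry per key; `post_process` replays the postrule loop.

local STATE_MSG = { VULN = "VULNERABLE", NOT_VULN = "NOT VULNERABLE" }

-- Constructed reports: the same finding on ports 80 and 443 of two hosts.
local reports = {
  { host = { ip = "IP1" }, port = { number = 80 },  state = "VULN" },
  { host = { ip = "IP1" }, port = { number = 443 }, state = "VULN" },
  { host = { ip = "IP2" }, port = { number = 80 },  state = "VULN" },
  { host = { ip = "IP2" }, port = { number = 443 }, state = "VULN" },
}

-- Build a registry; key_fn decides what counts as "one entry" (keys kept in order).
local function register(report_list, key_fn)
  local registry, order = {}, {}
  for _, vuln in ipairs(report_list) do
    local key = key_fn(vuln)
    if not registry[key] then
      registry[key] = vuln      -- first report for this key wins, later ones are lost
      order[#order + 1] = key
    end
  end
  return registry, order
end

-- The postrule loop from the thread, run against the modelled registry.
local function post_process(registry, order)
  local out = {}
  for _, key in ipairs(order) do
    local v = registry[key]
    out[#out + 1] = string.format("%s - %d - %s", v.host.ip, v.port.number, STATE_MSG[v.state])
  end
  return out
end

local strategies = {
  -- Old keying: host only, so the port 443 reports are silently dropped.
  { "host only", function(v) return v.host.ip end },
  -- Fixed keying: one entry per {host_ip:port_number}, so every port is reported.
  { "host:port", function(v) return v.host.ip .. ":" .. v.port.number end },
}

for _, s in ipairs(strategies) do
  print("keyed by " .. s[1] .. ":")
  for _, line in ipairs(post_process(register(reports, s[2]))) do
    print("  " .. line)
  end
end
```

Running it with a plain Lua interpreter prints two lines for the host-only keying and all four host/port lines for the host:port keying, matching the two outputs iphelix compared above.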