Nmap Development mailing list archives
Re: Full nmap command line injection in output files
From: Robin Wood <robin@digi.ninja>
Date: Tue, 6 Jan 2015 10:39:58 +0000
On 6 January 2015 at 03:44, Daniel Miller <bonsaiviking () gmail com> wrote:
Olivier, This is a good suggestion, but there is a workaround for the specific case you mentioned: NSE script arguments can be provided in a separate file with the --script-args-file option. This was added in Nmap 5.61TEST5 (March 2012) for keeping credentials off the command line. We are not likely to implement an extra option to remove this information from the output, since Nmap already has a great number of options and editing the file is a good enough solution for many people. I suggest that you update to the latest version of Nmap and use the --script-args-file option. Thanks for your suggestion, and happy hacking!
Another option is to store the creds in a file and then use `cat <filename>` to inject the contents into the command line. You just need to make sure the permissions on the file are set so that they can't be read by users who aren't supposed to. Robin
Dan On Fri, Jan 2, 2015 at 5:23 AM, Olivier Hupond <Olivier.Hupond () agessi fr> wrote:Hi, Using nmap (5.21) to make automatic scans to identify network changes, I would like to mask/remove the injection of the full nmap command line in any output files generated. As the command might use logons informations (in nse scripts args), it is not secure to do so, almost if files are computed by other programs or scripts (or users…). I made some search but couldn’t find any thread about this. I think it’s not possible, and It maight be a good evolution for further verions. Best regards, --- Olivier Hupond AGESSI - Administration et Gestion des Systèmes d'Information Technopôle Brest Iroise / 65 place Nicolas COPERNIC / 29280 PLOUZANÉ Tél : +33 (0)2 98 05 10 00 - Fax +33 (0)2 98 05 12 13 - www.agessi.fr _______________________________________________ Sent through the dev mailing list http://nmap.org/mailman/listinfo/dev Archived at http://seclists.org/nmap-dev/_______________________________________________ Sent through the dev mailing list http://nmap.org/mailman/listinfo/dev Archived at http://seclists.org/nmap-dev/
_______________________________________________ Sent through the dev mailing list http://nmap.org/mailman/listinfo/dev Archived at http://seclists.org/nmap-dev/
Current thread:
- Full nmap command line injection in output files Olivier Hupond (Jan 05)
- Re: Full nmap command line injection in output files Daniel Miller (Jan 05)
- Re: Full nmap command line injection in output files Robin Wood (Jan 06)
- Re: Full nmap command line injection in output files Daniel Miller (Jan 05)