Nmap Development mailing list archives
Re: NSE Facilitator
From: doug () hcsw org
Date: Sun, 29 Jul 2007 13:10:34 -0700
Hi Max, This sounds like a really good idea. Especially with the pace of NSE script development, this should save everyone from having to download all of a new Nmap or install SVN just to get the latest and greatest. One thing to consider is when Nmap adds new functionality to NSE (like say, Marek's pcap patch) downloading new scripts that use this functionality will not work. Maybe scripts could optionally have a parameter "Requires at least 4.22 to work"? I notice that you are planning on performing MD5s and SHAs on the scripts. But for any sort of man in the middle attack it would be just as easy to change these sums as well as the script itself. Especially for users who plan on running this script and/or Nmap as a cron job, maybe the program could check to see if GPG is installed and, if so, verify PGP signatures? I think there is already an official Nmap PGP key. Since lua scripts can read/write files, open sockets, etc, all from a process running with root privileges, this could be an effective attack vector (just poison the DNS entry for insecure.org) for when the update script is run. Best, Doug
Attachment:
signature.asc
Description: Digital signature
_______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://SecLists.Org
Current thread:
- NSE Facilitator Max (Jul 29)
- Re: NSE Facilitator doug (Jul 29)
- Re: NSE Facilitator doug (Jul 29)
- Re: NSE Facilitator Max (Jul 30)
- Re: NSE Facilitator doug (Jul 29)