Nmap Development mailing list archives

Re: NSE Facilitator


From: doug () hcsw org
Date: Sun, 29 Jul 2007 13:10:34 -0700

Hi Max,

This sounds like a really good idea. Especially with the pace
of NSE script development, this should save everyone from having
to download all of a new Nmap or install SVN just to get the
latest and greatest.

One thing to consider is that when Nmap adds new functionality to
NSE (like, say, Marek's pcap patch), downloading new scripts that
use this functionality will not work. Maybe scripts could
optionally have a parameter "Requires at least 4.22 to
work"?

I notice that you are planning on performing MD5s and SHAs on the
scripts. But for any sort of man-in-the-middle attack it would be
just as easy to change these sums as well as the script itself.
Especially for users who plan on running this script and/or Nmap as
a cron job, maybe the program could check to see if GPG is installed
and, if so, verify PGP signatures? I think there is already an official
Nmap PGP key. Since Lua scripts can read/write files, open sockets, etc.,
all from a process running with root privileges, this could be an
effective attack vector (just poison the DNS entry for insecure.org)
for when the update script is run.

Best,

Doug

Attachment: signature.asc
Description: Digital signature


_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
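
The signature check suggested in the message above, sketched as an added example (not part of the original post and not code from Nmap or the proposed updater). It uses gpgv, the verify-only tool shipped with GnuPG, against a keyring installed out of band; the function names, paths, and detached-signature layout are assumptions.

```shell
#!/bin/sh
# Added example: verify a downloaded NSE script before installing it.
# Hypothetical names: verify_script, install_script, NSE_KEYRING, NSE_DIR.

# Keyring holding only the project's signing key. It must arrive out of band
# (for example with the Nmap package), never over the same channel as the
# scripts, or an attacker who can swap the script can swap the key too.
NSE_KEYRING="${NSE_KEYRING:-/usr/local/share/nmap/nse-trusted.gpg}"  # assumed path
NSE_DIR="${NSE_DIR:-/usr/local/share/nmap/scripts}"                   # assumed path

# verify_script FILE SIG
# Returns 0 = SIG is a valid detached signature over FILE by a key in NSE_KEYRING
#         1 = missing input, or bad/unknown signature
#         2 = GnuPG (gpgv) not installed; the caller decides what to do
verify_script() {
    file=$1
    sig=$2
    [ -f "$file" ] && [ -f "$sig" ] && [ -f "$NSE_KEYRING" ] || return 1
    command -v gpgv >/dev/null 2>&1 || return 2
    # gpgv trusts exactly the keys in the given keyring and ignores the
    # user's own keyring, so only the pinned key can vouch for the file.
    gpgv --keyring "$NSE_KEYRING" "$sig" "$file" >/dev/null 2>&1 || return 1
}

# install_script FILE SIG
# Copies FILE into NSE_DIR only after verification succeeds. This example
# also refuses when gpgv is absent, since the updater may run as root.
install_script() {
    rc=0
    verify_script "$1" "$2" || rc=$?
    if [ "$rc" -ne 0 ]; then
        echo "refusing to install $1 (verify_script returned $rc)" >&2
        return "$rc"
    fi
    cp -- "$1" "$NSE_DIR/"
}
```

Unlike an MD5 or SHA sum fetched next to the script, the keyring here is the trust anchor, so tampering with the download channel cannot produce a file that passes.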
