Nmap Development mailing list archives
Re: NSE Facilitator
From: Max <lovelymax () gmail com>
Date: Tue, 31 Jul 2007 00:44:15 +0400
Hi, Doug! Thank you for your response! I don't use any PGP program and this idea wasn't come in my head, so it's look better than simple md5/sha1 checksum controlling, I'll research this direction and implement it. About inserting NSE enumerating I think it isn't handy to maintain separate version number for NSE, it can be source of conflicts and mistakes. My opinion is Nmap version will be enough for this purpose and attach new scripts for actual releases except development versions. The other way can be attaching to some integrated subversion number (like http://subversion.tigris.org/faq.html#version-value-in-source), this can provide automatically generated number to which scripts can attach. I think this is overwork, but it can be discussed. Thank you for your response once again! Maxim PS I sorry for all trying to run SVN version, because I missed to commit one file on weekends and it didn't work. Now it have been fixed. 2007/7/30, doug () hcsw org <doug () hcsw org>:
Hi Max, This sounds like a really good idea. Especially with the pace of NSE script development, this should save everyone from having to download all of a new Nmap or install SVN just to get the latest and greatest. One thing to consider is when Nmap adds new functionality to NSE (like say, Marek's pcap patch) downloading new scripts that use this functionality will not work. Maybe scripts could optionally have a parameter "Requires at least 4.22 to work"? I notice that you are planning on performing MD5s and SHAs on the scripts. But for any sort of man in the middle attack it would be just as easy to change these sums as well as the script itself. Especially for users who plan on running this script and/or Nmap as a cron job, maybe the program could check to see if GPG is installed and, if so, verify PGP signatures? I think there is already an official Nmap PGP key. Since lua scripts can read/write files, open sockets, etc, all from a process running with root privileges, this could be an effective attack vector (just poison the DNS entry for insecure.org) for when the update script is run. Best, Doug -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.4 (GNU/Linux) iD8DBQFGrPQ53LTjmOMguVMRArMxAJ9rnwgkY1vo5PovD87N57X5PuE8xQCgjTeX ZBv/VouMQEfuwUMHPHXysDQ= =kWNF -----END PGP SIGNATURE-----
-- Max _______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://SecLists.Org
Current thread:
- NSE Facilitator Max (Jul 29)
- Re: NSE Facilitator doug (Jul 29)
- Re: NSE Facilitator doug (Jul 29)
- Re: NSE Facilitator Max (Jul 30)
- Re: NSE Facilitator doug (Jul 29)