Nmap Development mailing list archives

Re: NSE Facilitator


From: Max <lovelymax () gmail com>
Date: Tue, 31 Jul 2007 00:44:15 +0400

Hi, Doug!

Thank you for your response!
I don't use any PGP program and this idea hadn't come into my head, so
it looks better than simple md5/sha1 checksum checking. I'll
research this direction and implement it. About inserting NSE
enumerating, I think it isn't handy to maintain a separate version number
for NSE; it can be a source of conflicts and mistakes. My opinion is
that the Nmap version will be enough for this purpose, with new scripts
attached to actual releases, except development versions. The other way can be
attaching to some integrated Subversion number (like
http://subversion.tigris.org/faq.html#version-value-in-source); this
can provide an automatically generated number to which scripts can
attach. I think this is overwork, but it can be discussed.

Thank you for your response once again!

Maxim

PS: I'm sorry to everyone who tried to run the SVN version; I missed
committing one file over the weekend and it didn't work. Now it has been
fixed.

2007/7/30, doug () hcsw org <doug () hcsw org>:
Hi Max,

This sounds like a really good idea. Especially with the pace
of NSE script development, this should save everyone from having
to download all of a new Nmap or install SVN just to get the
latest and greatest.

One thing to consider is when Nmap adds new functionality to
NSE (like say, Marek's pcap patch) downloading new scripts that
use this functionality will not work. Maybe scripts could
optionally have a parameter "Requires at least 4.22 to
work"?

I notice that you are planning on performing MD5s and SHAs on the
scripts. But for any sort of man in the middle attack it would be
just as easy to change these sums as well as the script itself.
Especially for users who plan on running this script and/or Nmap as
a cron job, maybe the program could check to see if GPG is installed
and, if so, verify PGP signatures? I think there is already an official
Nmap PGP key. Since Lua scripts can read/write files, open sockets, etc,
all from a process running with root privileges, this could be an
effective attack vector (just poison the DNS entry for insecure.org)
for when the update script is run.

Best,

Doug





-- 
Max

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
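
The checksum-versus-signature point raised in this thread, as an added example that is not part of the original messages or of any Nmap code. It shows that a digest fetched alongside a script passes for a replaced script, and accepts a script only when `gpg --status-fd` reports a valid signature from a pinned key. The function names and `PINNED_FPR` are hypothetical placeholders, the status output is constructed, and refusing the script when gpg is not installed is a choice made for this example.

```python
import hashlib
import shutil
import subprocess

# Placeholder fingerprint, not a real key: the release key the updater ships with.
PINNED_FPR = "0123456789ABCDEF0123456789ABCDEF01234567"

# Constructed sample of `gpg --status-fd 1 --verify` output for a good signature.
SAMPLE_STATUS = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] GOODSIG 89ABCDEF01234567 Constructed Release Key\n"
    "[GNUPG:] VALIDSIG " + PINNED_FPR + " 2007-07-30 1185753600 0 4 0 17 2 00 "
    + PINNED_FPR + "\n"
)


def checksum_ok(script: bytes, published_sha1: str) -> bool:
    """Checksum-only check: the digest comes from the same server as the script."""
    return hashlib.sha1(script).hexdigest() == published_sha1


def forged_pair_passes() -> bool:
    """Whoever can replace the script in transit can replace its digest too."""
    tampered = b'description = "constructed sample"\n-- line changed in transit\n'
    return checksum_ok(tampered, hashlib.sha1(tampered).hexdigest())


def signature_trusted(status: str, pinned: str = PINNED_FPR) -> bool:
    """Accept only a VALIDSIG line whose full fingerprint matches the pinned key.

    GOODSIG is ignored here; the fingerprint is taken from VALIDSIG.
    """
    for line in status.splitlines():
        parts = line.split()
        if parts[:2] == ["[GNUPG:]", "VALIDSIG"] and len(parts) >= 3:
            # Field 3 is the signing (sub)key, the last field the primary key.
            if pinned.upper() in (parts[2].upper(), parts[-1].upper()):
                return True
    return False


def verify_script(script_path: str, sig_path: str) -> bool:
    """Check a detached signature with gpg; refuse the script if gpg is absent."""
    gpg = shutil.which("gpg")
    if gpg is None:
        return False
    proc = subprocess.run(
        [gpg, "--batch", "--status-fd", "1", "--verify", sig_path, script_path],
        capture_output=True, text=True)
    return proc.returncode == 0 and signature_trusted(proc.stdout)
```

The pinned fingerprint has to reach the user with the updater itself, not from the server the scripts are downloaded from, or it inherits the same weakness as the checksum.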