[Bug]? Script Directories 4.23RC3 on MSWin32

[jah <jah () zadkiel plus com>]

I would like, in certain circumstances, to force nmap not to run scripts 
that it would otherwise run automatically (category "version") and I've 
been experimenting with 4.23RC3.  Having re-read the docs on the 
subject, I decided that I'd start by pointing nmap at a directory 
containing zero scripts and found what I believe to be some odd things:

Nmap won't parse any arguments found after a quote enclosed, absolute 
path, to a directory containing zero or more scripts, if a backslash is 
appended to the path:

C:\>nmap --script "C:\Program Files\Nmap\scripts\" -sV --log-errors -p80 
192.168.1.1 -R --script-trace
Starting Nmap 4.23RC3 ( http://insecure.org ) at 2007-12-07 18:07 GMT 
Standard Time
WARNING: No targets were specified, so 0 hosts scanned.
Nmap done: 0 IP addresses (0 hosts up) scanned in 0.047 seconds

C:\>nmap -p80 192.168.1.1 -R --log-errors --script-trace 
--script="C:\none\" -sV
Starting Nmap 4.23RC3 ( http://insecure.org ) at 2007-12-07 18:07 GMT 
Standard Time
SCRIPT ENGINE: No such category, file or directory: 'C:\none" -sV'
SCRIPT ENGINE: Aborting script scan.
Interesting ports on 192.168.1.1:
PORT   STATE SERVICE
80/tcp open  http
MAC Address: XX:XX:XX:D5:5E:30 (XXXXXX)
Nmap done: 1 IP address (1 host up) scanned in 0.156 seconds

In the second example above, version detection was not done.  Notice the 
trailing slash was consumed in the response from the script engine.

So escaping the trailing slash should work:

C:\>nmap --script "C:\Program Files\Nmap\scripts\\" -sV --log-errors 
-p80 192.168.1.1 -R --script-trace
Starting Nmap 4.23RC3 ( http://insecure.org ) at 2007-12-07 18:07 GMT 
Standard Time
SCRIPT ENGINE: No such category, file or directory: 'C:\Program 
Files\Nmap\scripts\'
SCRIPT ENGINE: Aborting script scan.
Interesting ports on 192.168.1.1:
PORT   STATE SERVICE    VERSION
80/tcp open  tcpwrapped
MAC Address: XX:XX:XX:D5:5E:30 (XXXXXX)
Service detection performed. Please report any incorrect results at 
http://insecure.org/nmap/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 5.562 seconds

All are arguments parsed.  However, it doesn't like the absolute path to 
a directory in which the scripts reside.  (A nice hack for forcing nmap 
not to run scripts! because script scanning is immediately aborted)

I see "No such category, file or directory" for any absolute path to a 
directory whether it contains scripts (as in the above default script 
location examples) or not and regardless of spaces in the path (and 
hence quote enclosed),trailing slashes, direction of slashes and whether 
I supply --script=<path> or --script <path>.

I see the same issue with any absolute path to any file (.nse or otherwise).

I'd say absolute paths to scripts and scriptdirs are broken on windows!
This is also true in 4.22SOC8.



The docs say (http://insecure.org/nmap/man/man-version-detection.html):

    "Absolute paths are used as is, relative paths are searched in the
    following places until found: --datadir/; $(NMAPDIR)/; ~user/nmap/
    (not searched on Windows); NMAPDATADIR/ or ./"


Relative paths to script directories require a trailing backslash or else:
Fetchfile found C:\Program Files\Nmap\myscripts
LUA INTERPRETER in ..\nse_init.cc:706: cannot open C:\Program 
Files\Nmap\myscripts<script_name>.nse: No such file or directory

and the same error if --datadir is set to a path other than "." without 
the use of a trailing backslash.

Script scanning is immediately aborted in these cases which seems a bit 
odd because the use of relative paths don't override the use of scripts 
in $(NMAPDIR)/scripts and I would hope that the script engine could 
continue with these.


On a related note and a minor niggle, if --script version is supplied 
explicitly, without -sV, then execution only stops once the script 
scanning phase is reached at which point:
SCRIPT ENGINE: specifying the "version" category explicitely is not 
allowed. [sic]
QUITTING!
Wouldn't it be more consistent to check for this and to fail before any 
other scanning is performed?

An even more minor niggle - barely worth mentioning - When Version 
detection is performed, nmap finishes off by reporting "Service 
detection performed. Please report any incorrect results at 
http://insecure.org/nmap/submit/ ."
and I wonder if it might be more consistent to say service Version 
detection or just Version detection.



To summarise the main points, I believe that:

Absolute paths to scripts/dirs are not working.
Error if absolute dir paths end in backslash.
Error if relative dir paths don't end in backslash.



Now, if I may, a brief word on the reason I started this ramble in the 
first place.

Would it be generally agreeable to implement an argument such as 
--version-noscript which would give finer control over what scripts are 
run when -sV is used and would be independent of --version-intensity 
(which might be another way of doing it, but possibly not as good)?
Or how about a way to exclude any categor[y|ies] such as:
-sV --script all --script-exclude version,intrusive

There are times when I don't want to run certain scripts and in the 
future, there will doubtless be many many more scripts in the version 
category and version scanning speed may suffer as a result.


jah








_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org