Nmap Development mailing list archives
Re: [Bug]? Script Directories 4.23RC3 on MSWin32
From: jah <jah () zadkiel plus com>
Date: Fri, 07 Dec 2007 22:38:21 +0000
Kris Katterjohn wrote:
jah wrote:I would like, in certain circumstances, to force nmap not to run scripts that it would otherwise run automatically (category "version") and I've been experimenting with 4.23RC3. Having re-read the docs on the subject, I decided that I'd start by pointing nmap at a directory containing zero scripts and found what I believe to be some odd things: Nmap won't parse any arguments found after a quote enclosed, absolute path, to a directory containing zero or more scripts, if a backslash is appended to the path: C:\>nmap --script "C:\Program Files\Nmap\scripts\" -sV --log-errors -p80 192.168.1.1 -R --script-trace Starting Nmap 4.23RC3 ( http://insecure.org ) at 2007-12-07 18:07 GMT Standard Time WARNING: No targets were specified, so 0 hosts scanned. Nmap done: 0 IP addresses (0 hosts up) scanned in 0.047 seconds C:\>nmap -p80 192.168.1.1 -R --log-errors --script-trace --script="C:\none\" -sV Starting Nmap 4.23RC3 ( http://insecure.org ) at 2007-12-07 18:07 GMT Standard Time SCRIPT ENGINE: No such category, file or directory: 'C:\none" -sV' SCRIPT ENGINE: Aborting script scan. Interesting ports on 192.168.1.1: PORT STATE SERVICE 80/tcp open http MAC Address: XX:XX:XX:D5:5E:30 (XXXXXX) Nmap done: 1 IP address (1 host up) scanned in 0.156 seconds In the second example above, version detection was not done. Notice the trailing slash was consumed in the response from the script engine. So escaping the trailing slash should work: C:\>nmap --script "C:\Program Files\Nmap\scripts\\" -sV --log-errors -p80 192.168.1.1 -R --script-trace Starting Nmap 4.23RC3 ( http://insecure.org ) at 2007-12-07 18:07 GMT Standard Time SCRIPT ENGINE: No such category, file or directory: 'C:\Program Files\Nmap\scripts\' SCRIPT ENGINE: Aborting script scan. Interesting ports on 192.168.1.1: PORT STATE SERVICE VERSION 80/tcp open tcpwrapped MAC Address: XX:XX:XX:D5:5E:30 (XXXXXX) Service detection performed. Please report any incorrect results at http://insecure.org/nmap/submit/ . Nmap done: 1 IP address (1 host up) scanned in 5.562 seconds All are arguments parsed. However, it doesn't like the absolute path to a directory in which the scripts reside. (A nice hack for forcing nmap not to run scripts! because script scanning is immediately aborted) I see "No such category, file or directory" for any absolute path to a directory whether it contains scripts (as in the above default script location examples) or not and regardless of spaces in the path (and hence quote enclosed),trailing slashes, direction of slashes and whether I supply --script=<path> or --script <path>. I see the same issue with any absolute path to any file (.nse or otherwise). I'd say absolute paths to scripts and scriptdirs are broken on windows! This is also true in 4.22SOC8. The docs say (http://insecure.org/nmap/man/man-version-detection.html): "Absolute paths are used as is, relative paths are searched in the following places until found: --datadir/; $(NMAPDIR)/; ~user/nmap/ (not searched on Windows); NMAPDATADIR/ or ./" Relative paths to script directories require a trailing backslash or else: Fetchfile found C:\Program Files\Nmap\myscripts LUA INTERPRETER in ..\nse_init.cc:706: cannot open C:\Program Files\Nmap\myscripts<script_name>.nse: No such file or directory and the same error if --datadir is set to a path other than "." without the use of a trailing backslash. Script scanning is immediately aborted in these cases which seems a bit odd because the use of relative paths don't override the use of scripts in $(NMAPDIR)/scripts and I would hope that the script engine could continue with these. On a related note and a minor niggle, if --script version is supplied explicitly, without -sV, then execution only stops once the script scanning phase is reached at which point: SCRIPT ENGINE: specifying the "version" category explicitely is not allowed. [sic] QUITTING! Wouldn't it be more consistent to check for this and to fail before any other scanning is performed? An even more minor niggle - barely worth mentioning - When Version detection is performed, nmap finishes off by reporting "Service detection performed. Please report any incorrect results at http://insecure.org/nmap/submit/ ." and I wonder if it might be more consistent to say service Version detection or just Version detection. To summarise the main points, I believe that: Absolute paths to scripts/dirs are not working. Error if absolute dir paths end in backslash. Error if relative dir paths don't end in backslash.I can't test on Windows since I haven't run it (other than at school) since the SoC, but it looks like a bug in the cmd.exe parsing of quotes (") and escaped quotes (\"). Nmap is given what the command interpreter gives it, and that's the problem :) This right here is what really makes me think so (from above): C:\>nmap -p80 192.168.1.1 -R --log-errors --script-trace --script="C:\none\" -sV Starting Nmap 4.23RC3 ( http://insecure.org ) at 2007-12-07 18:07 GMT Standard Time SCRIPT ENGINE: No such category, file or directory: 'C:\none" -sV' SCRIPT ENGINE: Aborting script scan. It grabs 'C:\none" -sV' for the directory, which isn't right. UNIX shells will give you a second prompt like "> " if you haven't finished a quote or something (so you can finish it), but cmd.exe apparently just sends the rest of the line to the program.
Yes, you could be on to something there because if I supply an absolute path with a backslash in zenmap, it doesn't complain. It also doesn't do any script scanning though (with or without backslash). If I supply a relative path without a backslash, it doesn't complain, but doesn't do any script scanning. Zenmap doesn't display "fetchfile found" debug messages with -d3 (or -d -d -d) as nmap at cmd does. jah
Well, I'm kinda busy right now, but I wanted to share what I noticed. I hope that helps. Thanks, Kris Katterjohn
_______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://SecLists.Org
Current thread:
- [Bug]? Script Directories 4.23RC3 on MSWin32 jah (Dec 07)
- Re: [Bug]? Script Directories 4.23RC3 on MSWin32 Kris Katterjohn (Dec 07)
- Re: [Bug]? Script Directories 4.23RC3 on MSWin32 jah (Dec 07)
- Re: [Bug]? Script Directories 4.23RC3 on MSWin32 David Fifield (Dec 08)
- Re: [Bug]? Script Directories 4.23RC3 on MSWin32 jah (Dec 09)
- Re: [Bug]? Script Directories 4.23RC3 on MSWin32 Fyodor (Dec 09)
- Re: [Bug]? Script Directories 4.23RC3 on MSWin32 jah (Dec 09)
- Re: [Bug]? Script Directories 4.23RC3 on MSWin32 jah (Dec 09)
- Re: [Bug]? Script Directories 4.23RC3 on MSWin32 jah (Dec 09)
- Re: [Bug]? Script Directories 4.23RC3 on MSWin32 David Fifield (Dec 14)
- Re: [Bug]? Script Directories 4.23RC3 on MSWin32 Kris Katterjohn (Dec 07)