Re: [Bug]? Script Directories 4.23RC3 on MSWin32

[jah <jah () zadkiel plus com>]

Kris Katterjohn wrote:
> jah wrote:
> > I would like, in certain circumstances, to force nmap not to run 
> > scripts that it would otherwise run automatically (category 
> > "version") and I've been experimenting with 4.23RC3.  Having re-read 
> > the docs on the subject, I decided that I'd start by pointing nmap at 
> > a directory containing zero scripts and found what I believe to be 
> > some odd things:
> >
> > Nmap won't parse any arguments found after a quote enclosed, absolute 
> > path, to a directory containing zero or more scripts, if a backslash 
> > is appended to the path:
> >
> > C:\>nmap --script "C:\Program Files\Nmap\scripts\" -sV --log-errors 
> > -p80 192.168.1.1 -R --script-trace
> > Starting Nmap 4.23RC3 ( http://insecure.org ) at 2007-12-07 18:07 GMT 
> > Standard Time
> > WARNING: No targets were specified, so 0 hosts scanned.
> > Nmap done: 0 IP addresses (0 hosts up) scanned in 0.047 seconds
> >
> > C:\>nmap -p80 192.168.1.1 -R --log-errors --script-trace 
> > --script="C:\none\" -sV
> > Starting Nmap 4.23RC3 ( http://insecure.org ) at 2007-12-07 18:07 GMT 
> > Standard Time
> > SCRIPT ENGINE: No such category, file or directory: 'C:\none" -sV'
> > SCRIPT ENGINE: Aborting script scan.
> > Interesting ports on 192.168.1.1:
> > PORT   STATE SERVICE
> > 80/tcp open  http
> > MAC Address: XX:XX:XX:D5:5E:30 (XXXXXX)
> > Nmap done: 1 IP address (1 host up) scanned in 0.156 seconds
> >
> > In the second example above, version detection was not done.  Notice 
> > the trailing slash was consumed in the response from the script engine.
> >
> > So escaping the trailing slash should work:
> >
> > C:\>nmap --script "C:\Program Files\Nmap\scripts\\" -sV --log-errors 
> > -p80 192.168.1.1 -R --script-trace
> > Starting Nmap 4.23RC3 ( http://insecure.org ) at 2007-12-07 18:07 GMT 
> > Standard Time
> > SCRIPT ENGINE: No such category, file or directory: 'C:\Program 
> > Files\Nmap\scripts\'
> > SCRIPT ENGINE: Aborting script scan.
> > Interesting ports on 192.168.1.1:
> > PORT   STATE SERVICE    VERSION
> > 80/tcp open  tcpwrapped
> > MAC Address: XX:XX:XX:D5:5E:30 (XXXXXX)
> > Service detection performed. Please report any incorrect results at 
> > http://insecure.org/nmap/submit/ .
> > Nmap done: 1 IP address (1 host up) scanned in 5.562 seconds
> >
> > All are arguments parsed.  However, it doesn't like the absolute path 
> > to a directory in which the scripts reside.  (A nice hack for forcing 
> > nmap not to run scripts! because script scanning is immediately aborted)
> >
> > I see "No such category, file or directory" for any absolute path to 
> > a directory whether it contains scripts (as in the above default 
> > script location examples) or not and regardless of spaces in the path 
> > (and hence quote enclosed),trailing slashes, direction of slashes and 
> > whether I supply --script=<path> or --script <path>.
> >
> > I see the same issue with any absolute path to any file (.nse or 
> > otherwise).
> >
> > I'd say absolute paths to scripts and scriptdirs are broken on windows!
> > This is also true in 4.22SOC8.
> >
> >
> >
> > The docs say (http://insecure.org/nmap/man/man-version-detection.html):
> >
> >     "Absolute paths are used as is, relative paths are searched in the
> >     following places until found: --datadir/; $(NMAPDIR)/; ~user/nmap/
> >     (not searched on Windows); NMAPDATADIR/ or ./"
> >
> >
> > Relative paths to script directories require a trailing backslash or 
> > else:
> > Fetchfile found C:\Program Files\Nmap\myscripts
> > LUA INTERPRETER in ..\nse_init.cc:706: cannot open C:\Program 
> > Files\Nmap\myscripts<script_name>.nse: No such file or directory
> >
> > and the same error if --datadir is set to a path other than "." 
> > without the use of a trailing backslash.
> >
> > Script scanning is immediately aborted in these cases which seems a 
> > bit odd because the use of relative paths don't override the use of 
> > scripts in $(NMAPDIR)/scripts and I would hope that the script engine 
> > could continue with these.
> >
> >
> > On a related note and a minor niggle, if --script version is supplied 
> > explicitly, without -sV, then execution only stops once the script 
> > scanning phase is reached at which point:
> > SCRIPT ENGINE: specifying the "version" category explicitely is not 
> > allowed. [sic]
> > QUITTING!
> > Wouldn't it be more consistent to check for this and to fail before 
> > any other scanning is performed?
> >
> > An even more minor niggle - barely worth mentioning - When Version 
> > detection is performed, nmap finishes off by reporting "Service 
> > detection performed. Please report any incorrect results at 
> > http://insecure.org/nmap/submit/ ."
> > and I wonder if it might be more consistent to say service Version 
> > detection or just Version detection.
> >
> >
> >
> > To summarise the main points, I believe that:
> >
> > Absolute paths to scripts/dirs are not working.
> > Error if absolute dir paths end in backslash.
> > Error if relative dir paths don't end in backslash.
>
> I can't test on Windows since I haven't run it (other than at school) 
> since the SoC, but it looks like a bug in the cmd.exe parsing of 
> quotes (") and escaped quotes (\").  Nmap is given what the command 
> interpreter gives it, and that's the problem :)
>
> This right here is what really makes me think so (from above):
>
> C:\>nmap -p80 192.168.1.1 -R --log-errors --script-trace
> --script="C:\none\" -sV
> Starting Nmap 4.23RC3 ( http://insecure.org ) at 2007-12-07 18:07 GMT
> Standard Time
> SCRIPT ENGINE: No such category, file or directory: 'C:\none" -sV'
> SCRIPT ENGINE: Aborting script scan.
>
> It grabs 'C:\none" -sV' for the directory, which isn't right.  UNIX 
> shells will give you a second prompt like "> " if you haven't finished 
> a quote or something (so you can finish it), but cmd.exe apparently 
> just sends the rest of the line to the program.

Yes, you could be on to something there because if I supply an absolute 
path with a backslash in zenmap, it doesn't complain.  It also doesn't 
do any script scanning though (with or without backslash).
If I supply a relative path without a backslash, it doesn't complain, 
but doesn't do any script scanning.
Zenmap doesn't display "fetchfile found" debug messages with -d3 (or -d 
-d -d) as nmap at cmd does.

jah

> Well, I'm kinda busy right now, but I wanted to share what I noticed.  
> I hope that helps.
>
> Thanks,
> Kris Katterjohn

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org