Nmap Development mailing list archives
Re: [RFC] Default NSE Scripts
From: Brandon Enright <bmenrigh () ucsd edu>
Date: Sat, 10 May 2008 03:53:43 +0000
A few comments about your list below.

On Fri, 09 May 2008 17:17:44 -0500 or thereabouts Kris Katterjohn <katterjohn () gmail com> wrote:
Hey everyone,

Instead of NSE running "safe" and "intrusive" scripts by default, I'm creating a "default" category for this purpose. This is important because there are some safe and intrusive scripts that you wouldn't want run by default (e.g. an obscure safe script or a slow intrusive script).

My current list is below, but any suggestions are welcome. I'm starting on the code and docs now.

Scripts run by default should pretty much satisfy these:

1) Quick
2) Generally Useful
3) Not too intrusive
4) Not in "version" category since those are run with -sV

Default:
* anonFTP
This logs into the FTP server. It may be hard to argue that port scanning is a crime, but it's easy to argue that under the right circumstances, logging into an FTP server is unauthorized access.
* dns-test-open-recursion - Is this useful enough?
* finger
* ftpbounce
Dangerous for the same reason as anonFTP
* HTTPAuth - Is this too intrusive?
* HTTP_open_proxy
* MSSQLm
* MySQLinfo
* nbstat
* ripeQuery
* robots
* rpcinfo
* showHTMLtitle
* showOwner
* SMTPsysdesr
* SSHv1-support

Not Default:
* bruteTelnet - Too intrusive and slow
* chargenTest - Obscure / "demo"
* daytimeTest - Obscure / "demo"
* echoTest - Obscure / "demo"
* HTTPpasswd - A bit too intrusive and probably not useful enough
* HTTPtrace - Not default material
* iax2Detect - "version"
* ircServerInfo - I don't think this is default material (but I'm also not an IRC user)
* ircZombieTest - "malware"
* kibuvDetection - "malware"
* mswindowsShell - "backdoor"
Hmm, I'm not sure why this script even exists. In my experience, Windows shells are rarely on port 8888; 4444 and 44444 are much more common. Also, the script doesn't do anything that the -sV NULL probe can't match. This script should probably be demo only.
* netbios-smb-os-detection - I want this to be default, but it's "version"
* PPTPversion - "version"
* promiscuous - I don't think it's useful enough
* RealVNC_auth_bypass - "backdoor"
This script should be in the default category. It is no more harmful than the SSHv1 test. It doesn't exploit any buffer or anything else of that nature. It also doesn't complete the login sequence like the anonFTP script. It simply checks to see if the VNC server supports the NULL authentication option.
* showHTTPversion - Obscure / only category is ""
* showSMTPVersion - Obscure / "demo"
* showSSHVersion - Obscure / "demo"
* skype_v2-version - "version"
This script needs to be adjusted to be less conservative. I'll test and submit a patch.
* SMTPcommands - I want this to be default, but it usually has a lot of output
* SMTP_openrelay_test - "demo" because of "real hostname" issue
* SQLInject - Obvious reasons :)
* SSLv2-support - Produces quite a bit of output, and doesn't seem useful enough for default
* strangeSMTPport - Obscure / "backdoor"
* xamppDefaultPass - "vulnerability"
* zoneTrans - Just doesn't seem like default material IMO

Any and all comments are appreciated, ranging from thinking the list is perfect to horrible :)

Thanks,
Kris Katterjohn
Overall I think having a default category is a really good idea. Thanks for working on this.

Brandon

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org