Re: [RFC] Default NSE Scripts

[Brandon Enright <bmenrigh () ucsd edu>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

A few comments about your list below.


On Fri, 09 May 2008 17:17:44 -0500 or thereabouts Kris Katterjohn
<katterjohn () gmail com> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hey everyone,
>
> Instead of NSE running "safe" and "intrusive" scripts by default, I'm
> creating a "default" category for this purpose.  This is important
> because there are some safe and intrusive scripts that you wouldn't
> want run by default (e.g. an obscure safe script or a slow intrusive
> script).
>
> My current list is below, but any suggestions are welcome.  I'm
> starting on the code and docs now.
>
> Scripts run by default should pretty much satisfy these:
>
> 1) Quick
> 2) Generally Useful
> 3) Not too intrusive
> 4) Not in "version" category since those are run with -sV
>
>
> Default:

> * anonFTP

This logs into the FTP server.  It may be hard to argue that port
scanning is a crime but it's easy to argue that under the right
circumstances, logging into a FTP server is unauthorized access.


> * dns-test-open-recursion - Is this useful enough?
> * finger

> * ftpbounce

Dangerous for the same reason as anonFTP

> * HTTPAuth - Is this too intrusive?
> * HTTP_open_proxy
> * MSSQLm
> * MySQLinfo
> * nbstat
> * ripeQuery
> * robots
> * rpcinfo
> * showHTMLtitle
> * showOwner
> * SMTPsysdesr
> * SSHv1-support
>
> Not Default:
>
> * bruteTelnet - Too intrusive and slow
> * chargenTest - Obscure / "demo"
> * daytimeTest - Obscure / "demo"
> * echoTest - Obscure / "demo"
> * HTTPpasswd - A bit too intrusive and probably not useful enough
> * HTTPtrace - Not default material
> * iax2Detect - "version"
> * ircServerInfo - I don't think this is default material (but I'm also
> not an IRC user)
> * ircZombieTest - "malware"
> * kibuvDetection - "malware"

> * mswindowsShell - "backdoor"

Hmm, I'm not sure why this script even exists.  In my experience,
Windows shells are rarely on port 8888, 4444 and 44444 are much more
common.  Also, the script doesn't do anything that the -sV NULL probe
can't match.  This script should probably be demo only.

> * netbios-smb-os-detection - I want this to be default, but it's
> "version"
> * PPTPversion - "version"
> * promiscuous - I don't think it's useful enough

> * RealVNC_auth_bypass - "backdoor"

This script should be in the default category.  It is no more harmful
than the SSHv1 test.  It doesn't exploit and buffer or anything else of
that nature.  It also doesn't complete the login sequence like the
anonFTP script.  It simply checks to see if the VNC server supports the
NULL authentication option.

> * showHTTPversion - Obscure / only category is ""
> * showSMTPVersion - Obscure / "demo"
> * showSSHVersion - Obscure / "demo"
> * skype_v2-version - "version"

This script needs to be adjusted to be less conservative.  I'll test
and submit a patch.

> * SMTPcommands - I want this to be default, but it usually has a lot
> of output
> * SMTP_openrelay_test - "demo" because of "real hostname" issue
> * SQLInject - Obvious reasons :)
> * SSLv2-support - Produces quite a bit of output, and doesn't seem
> useful enough for default
> * strangeSMTPport - Obscure / "backdoor"
> * xamppDefaultPass - "vulnerability"
> * zoneTrans - Just doesn't seem like default material IMO
>
>
> Any and all comments are appreciated, ranging from thinking the list
> is perfect to horrible :)
>
> Thanks,
> Kris Katterjohn

Overall I think having a default category is a really good idea.
Thanks for working on this.

Brandon

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.9 (GNU/Linux)

iEYEARECAAYFAkglHE4ACgkQqaGPzAsl94J6awCfYrGiJk96D5qWQYqpDmqxlpuJ
LLwAnRF1L7G4bPEqyKCeJzrv3oSM3j1o
=iZyE
-----END PGP SIGNATURE-----

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org