Re: [RFC] Default NSE Scripts

["Kris Katterjohn" <katterjohn () gmail com>]

On 5/10/08, Fyodor <fyodor () insecure org> wrote:
> On Sat, May 10, 2008 at 03:53:43AM +0000, Brandon Enright wrote:
> > A few comments about your list below.
>
> Thanks Brandon, this is useful stuff!

Indeed--thanks, Brandon!

> > > * mswindowsShell - "backdoor"
> >
> > Hmm, I'm not sure why this script even exists.  In my experience,
> > Windows shells are rarely on port 8888, 4444 and 44444 are much more
> > common.  Also, the script doesn't do anything that the -sV NULL probe
> > can't match.  This script should probably be demo only.
>
> Good point.  In fact, we already have such a version detection probe:
>
> match winshell m/^Microsoft Windows ((2000)|(XP)|(NT 4\.0)) \[Version ([\d.]+)\]\r\n\(C\) Copyright 1985-20\d\d 
> Microsoft Corp\.\r\n\r\n/ p/Microsoft Windows $1 $5 cmd.exe/ o/Windows/ i/**BACKDOOR**/
>
> Removing this script sounds like the way to go, though making it
> demo-only is a reasonable alternative.

I'll put the script in "demo" when I start back working probably later
tonight (or remove it all together if desired).

> > > * RealVNC_auth_bypass - "backdoor"
> >
> > This script should be in the default category.  It is no more harmful
> > than the SSHv1 test.  It doesn't exploit and buffer or anything else of
> > that nature.  It also doesn't complete the login sequence like the
> > anonFTP script.  It simply checks to see if the VNC server supports the
> > NULL authentication option.
>
> Sounds like a good argument to me.

Sounds good to me, too.  I'll add that to the default list.

> Cheers,
> -F

Thanks,
Kris Katterjohn

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org