Re: [RFC] Default NSE Scripts

[Kris Katterjohn <katterjohn () gmail com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hey Jah, thanks for the detailed comments!

jah wrote:
> On 09/05/2008 23:17, Kris Katterjohn wrote:
> > Instead of NSE running "safe" and "intrusive" scripts by default, I'm
> > creating a "default" category for this purpose.  This is important
> > because there are some safe and intrusive scripts that you wouldn't want
> > run by default (e.g. an obscure safe script or a slow intrusive script).
> Definitely a good idea, but your list for Default includes scripts that
> were never in Safe or Intrusive to begin with so I assume you're looking
> at any script for possible inclusion in the default category.  (Also,

That's my plan.  It shouldn't matter which category it is in as long as
it is "good enough" to be in default (I'll try to discuss this in more
detail below).

> UPnP-info seems to have gone AWOL).

D'oh!  Indeed it has.  Sorry about that!

> > 1) Quick
> How to measure this?  The only script I would call slow is bruteTelnet
> which is "Vulnerability".

I suppose I should've just said "not slow" rather than the even less
precise "quick".  Since this is all subjective, I would say that if a
script takes a very noticeably longer time than other "quick" scripts
then it probably shouldn't be in default, or if a script has a
noticeable effect on the overall scan's time.

> > 2) Generally Useful
> I reckon this is pretty subjective and I'd argue that it depends on the
> purpose of a given scan and the environment of the target.

Well, by "generally useful" I mean that quite a bit of people will find
it useful.  It produces interesting output for a protocol/service that's
not obscure so that it is /generally/ useful.

Take SNMPsysdesr, for example.  It won't run on /every/ scan, but when
it does run it produces (what I think to be) interesting output.  SNMP
is an example of a protocol that a lot of people recognize and will be
interested in.

> > 3) Not too intrusive
> How to measure this?  It could be "the likelihood of being logged" is a
> good measure, but that would be somewhat dependant on the target
> environment.  Brute forcing is obviously very intrusive because it's
> likely to be logged and there's multiple events from the same source in
> a short space of time, but otherwise, what constitutes "too intrusive"?

I would say anything that can be perceived as truly unlawful, seen as a
"real hacking attempt", does an excessive amount of probing, etc.

Good examples are bruteTelnet and SQLInject.


Unfortunately, these three are all subjective.  Especially #2.

> > Default:
> >
> > * dns-test-open-recursion - Is this useful enough?
> This is sometimes very useful, but is recursion found often enough to
> warrant running what is, I think, an intrusive script?

Good question.  I actually meant to ask "Is this useful often enough"
because I don't know how frequent it is.

> > * finger
> Isn't finger a bit obscure now?

It is, but I see finger running often enough that I think it's a good
default (though it's not terribly popular either).

> > * HTTPAuth - Is this too intrusive?
> It is intrusive, but it's always been run by default in the past, so why
> not?  But then again, it's not very often that it finds such weak
> security, so what's the point?

Well, it does print more information than just possible successful
logins.  One useful thing is that is tells that the server actually
requires authentication, and also things like the authentication type.

> > * ripeQuery
> This is a safe script with regard to the target, but RIPE might think it
> less so.  Especially as it would query RIPE for every target regardless
> of whether the target is in RIPE's allocation.  I think it should stay
> in discovery.

This is a script I kept switching between the lists.  I think you may be
right in that it's not be default material.  Anybody else want to chime
in on this one?

> + UPnP-info

I think so too.

> > Not Default:
> >
> > * HTTPpasswd - A bit too intrusive and probably not useful enough
> I can't see that there's much difference between this and HTTPAuth in
> terms of usefulness and intrusiveness.

Again, HTTPAuth does print more than information obtained from
intrusiveness.

> > * mswindowsShell - "backdoor"
> My vote is to ditch it too.

Done.

> > * SMTPcommands - I want this to be default, but it usually has a lot of
> > output
> This is currently run by default and I don't think the quantity of
> output should be grounds for omission if it's perceived to be useful.

Good point, but I just don't think that a default script should produce
a large amount of output like this one tends to.

Does anyone have an opinion on this?

> > * SSLv2-support - Produces quite a bit of output, and doesn't seem
> > useful enough for default
> I think this is quite useful and should remain default, but agree that
> the output is often more than required - perhaps it could be improved
> with nmap.verbosity().

I think that with an nmap.verbosity() change it may be good for default.

> > * zoneTrans - Just doesn't seem like default material IMO
> I think the argument for this is similar to the one for
> dns-test-open-recursion.

I don't know from experience, but looking at Wikipedia makes me think
that it's not frequent enough.

> Now in principle, I think it's a good idea to revisit the scripts that
> run by default, but perhaps some firm decision should be made about the
> level of intrusiveness permitted in a default scan, offset by the
> possible benefits.  In order to do that, there'd have to be some method
> for measuring levels of intrusiveness.  Not that I'm knocking the effort
> being made in this regard, not at all, but I think it's kind of skimming
> over a topic that probably needs looking at more deeply.
> I think a complete review of the Category system is due and I'd like to
> see some kind of Metrics system applied to scripts so that they can be
> selected based of degrees of intrusiveness and on degrees of
> usefulness.  Usefulness is rather too subjective, so perhaps benefits
> should be measured in probabilities of revealing meaningful information.
>
> If we could construct a method whereby a user can select scripts based
> on degrees of a various attributes they might themselves be able to
> decide upon the usefulness of a script or how intrusive/fast/deep
> they're willing to be.

Interesting! :)

> Best,
> jah

Thanks,
Kris Katterjohn

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iQIVAwUBSCYbXP9K37xXYl36AQLfDQ/+KYFfywVF8ZpesQhQ80HZopQQ+0sWULaS
nS74ynPf2Ltmbj7JsCHUN9eXqt3Zhf60XhM0djp/59M3qNF2Ygr4wFyWzb5mffcW
dSCBcjscLb0A4+YsDKvaLrhiSU+kZcyuSU24MR93vIVNQLrIMh85W30wOLjGy+1v
W53uAiyDmaKy2ARGsXCrZOm9lmBaBAKRePqrD5NQoqWwoKli5amiU5rhYG5FryOk
sRIRJT/KVN3gd5M91r9qT1JBu5i3yC8JmbudZ6sKgpAI+KLr7NiXb9qrT7zx+8Mt
FvehvrJ8kFejampdwbGVllxvzckBq3lDMKtqfqsp5HEbZhhbWwi4xK7zMWRX8P8m
lDdtacECdNwqqYafYUwwFs97nUVetq7AnQbPc8UwL7xOfNiM9Kl9kCheah4rmTc8
BI8+xt6waLbuHxCSuVQO7w2PilUDmqaE/P4OfMNCZLYu3PDhlMtDEEwCA/8JzFSl
MBVT/uVD0kOPMXA/K800w7RNulc0mO1qdEK62R6KjJycmZiitfKqQI+9ibfNrZ81
F7P9MJPmziLqzGd9IO8jfX5HXmFeHps+2kboKZ1bUSVutQ090LBHzg2e+5mne/XF
R9XKtFe1aC4ZvcRHsoTn5NtRH2PirKwAmEo2bLysi0uSBzX9AhB9N9O4OoOTRYua
w35hl0GgsEg=
=Z2g9
-----END PGP SIGNATURE-----

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org