Re: Using Samba code?

[Fyodor <fyodor () insecure org>]

On Sat, Sep 27, 2008 at 11:28:44PM -0500, Ron wrote:
> Fyodor wrote:
>
> Maybe this is a separate topic altogether, but have the NSE developers
> looked at a way to distribute scripts yet, besides including them in an
> install? Like, having one or more repositories for scripts that can
> easily be downloaded/updated without updating Nmap itself.

I think 'svn up' is very easy and effective.  That's what I do every
morning.  It gets you all the new scripts, and you don't even need to
rebuild Nmap unless there was an important code change (I almost
always do just to be on the safe side since it only takes a couple
minutes).

Of course this doesn't help so much for (hypothetical) 3rd party
script repositories.  An NSE script could be written which contacts
other repositories and downloads the latest scripts.  There are also
the nmap-exp branches, such as Sven's, where developers can host their
latest scripts before they are merged.

> The downside to that would be malicious repositories. How do you
> guarantee that your automatically downloaded updates from non-Nmap
> repositories are actually safe?

We have OpenSSL to help verify that the scripts were not compromised
during download, but that doesn't stop a rogue repository operator
from including a trojan script.  Which would be dangerous, since NSE
scripts are not sandboxed.  So you certainly need to be very careful
about what scripts you run.

Cheers,
-F

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org