Nmap Development mailing list archives

Re: script scanning question


From: Rob Nicholls <robert () robnicholls co uk>
Date: Sat, 24 Oct 2009 22:03:49 +0100

Hi Mike,

It really depends on what's actually set in the port rules, as some
scripts could potentially be set to only work when a certain port is
detected (some services require specific source and/or destination ports,
for example); but many of the existing scripts have port rules that are
based on the type of service. For instance the html-title script has the
following port rule:

portrule = function(host, port)
    -- service names treated as plain HTTP and as SSL-wrapped HTTP
    local svc = { std = { ["http"] = 1, ["http-alt"] = 1 },
                ssl = { ["https"] = 1, ["https-alt"] = 1 } }
    -- only TCP ports whose detected service is one of the above qualify
    if port.protocol ~= 'tcp'
    or not ( svc.std[port.service] or svc.ssl[port.service] ) then
        return false
    end
    return true
end

As you can see, it doesn't mention specific port numbers, such as 80 or
443, and will run on ANY port that has been detected as an http (or https
etc.) service.

The scripts aren't entirely consistent as the http-auth script, for
example, has a different port rule:

portrule = shortport.port_or_service({80, 443, 8080}, {"http","https"})

This does have specific port numbers hardcoded into it, useful if the scan
has been performed without version detection, but will again run on any
port that's identified as http or https.

The SMB scripts appear to use host rules rather than port rules, so the
SMB scripts should run as long as a) they're chosen and b) an SMB port was
identified.

hostrule = function(host)
    -- run if any port on the host was identified as SMB
    return smb.get_port(host) ~= nil
end

So if someone had SMB ports open on a non-standard port (some weird port
forwarding setup?), the scripts could potentially run against those ports,
as long as the version detection was able to detect the service correctly
(I haven't tried running SMB on a non-standard port to confirm that would
work).

In theory you could create the world's most vague port or host rule that
forces a script to run on any/every open port, but Nmap tries to use the
results of version detection to reduce the time the NSE scripts take to
execute (as there's no point trying to run html-title against an SMB
port!).

If you think there are any scripts that have port rules that could be
improved (e.g. if you think current ones are too restrictive) then
hopefully we can correct them. Or you could modify the port rules yourself,
as the Lua scripts can easily be opened in any text editor.

Regards,

Rob
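
A self-contained port rule in the style of shortport.port_or_service, added here as an example (it is not code from the original post or from Nmap's own shortport library). The port tables are constructed to mimic the number, protocol, state and service fields NSE passes to a portrule, so the file runs under a plain lua interpreter without Nmap:

```lua
-- Added example, not Nmap's shortport code: a port rule that matches either
-- on hard-coded port numbers (works without -sV) or on the service name that
-- version detection filled in (works on non-standard ports).
local function port_or_service(ports, services, protocol)
  local by_number, by_service = {}, {}
  for _, n in ipairs(ports) do by_number[n] = true end
  for _, s in ipairs(services) do by_service[s] = true end
  return function(host, port)
    if port.protocol ~= (protocol or "tcp") or port.state ~= "open" then
      return false
    end
    return by_number[port.number] == true or by_service[port.service] == true
  end
end

local portrule = port_or_service({80, 443, 8080}, {"http", "https"})

-- Constructed port tables (field names as NSE uses them; values made up here).
-- The 8000/tcp case shows Rob's point: scanned without -sV, the service column
-- is only the nmap-services guess ("http-alt"), so a web server there is
-- skipped; with -sV it would be reported as "http" and the rule would fire.
local cases = {
  { "80/tcp, standard port",
    { number = 80,   protocol = "tcp", state = "open", service = "http" },         true  },
  { "8443/tcp, https found by -sV",
    { number = 8443, protocol = "tcp", state = "open", service = "https" },        true  },
  { "445/tcp, SMB",
    { number = 445,  protocol = "tcp", state = "open", service = "microsoft-ds" }, false },
  { "8000/tcp, http but scanned without -sV",
    { number = 8000, protocol = "tcp", state = "open", service = "http-alt" },     false },
  { "80/udp, wrong protocol",
    { number = 80,   protocol = "udp", state = "open", service = "http" },         false },
}

for _, c in ipairs(cases) do
  local desc, port, want = c[1], c[2], c[3]
  local got = portrule({}, port)   -- host table is unused by this rule
  print(string.format("%-4s %s", got == want and "ok" or "FAIL", desc))
end
```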

On Sat, 24 Oct 2009 19:57:28 +0000, mike <dmciscobgp () hotmail com> wrote:
all:

i want to make sure i have this right before i delve into this question.
when you run a script or a set of them, they are only called by the
portrules they have for reference, correct? meaning when i complete a scan
with "445" open, the scripts for "discovery" or the defaults would be
calling those that handle SMB enumeration, right? well, as we know, a
person can place a server on any port. is there a way to force our scripts
to act on ANY port we specify? like if i had that port 445 discovered but
wanted to throw something OTHER than SMB data at it, i cannot do that at
this present time, right? i brought this up when i realized that when you
call a -sV version scan, those probes (about 20 of them) will try and run
on ANY port, not just a defined one. so is any of this possible to change
in the future?

once again, thank you!

m|ke
                                        
_________________________________________________________________
New Windows 7: Find the right PC for you. Learn more.

http://www.microsoft.com/windows/pc-scout/default.aspx?CBID=wl&ocid=PID24727::T:WLMTAGL:ON:WL:en-US:WWL_WIN_pcscout:102009
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/


Current thread: