Nmap Development mailing list archives
Re: script scanning question
From: Rob Nicholls <robert () robnicholls co uk>
Date: Sat, 24 Oct 2009 22:03:49 +0100
Hi Mike,

It really depends on what's actually set in the port rules, as some scripts could potentially be set to only work when a certain port is detected (some services require specific source and/or destination ports, for example); but many of the existing scripts have port rules that are based on the type of service. For instance the html-title script has the following port rule:

    portrule = function(host, port)
      local svc = { std = { ["http"] = 1, ["http-alt"] = 1 },
                    ssl = { ["https"] = 1, ["https-alt"] = 1 } }
      if port.protocol ~= 'tcp'
      or not ( svc.std[port.service] or svc.ssl[port.service] ) then
        return false
      end
      return true
    end

As you can see, it doesn't mention specific port numbers, such as 80 or 443, and will run on ANY port that has been detected as an http (or https etc.) service.

The scripts aren't entirely consistent as the http-auth script, for example, has a different port rule:

    portrule = shortport.port_or_service({80, 443, 8080}, {"http","https"})

This does have specific port numbers hardcoded into it, useful if the scan has been performed without version detection, but will again run on any port that's identified as http or https.

The SMB scripts appear to use host rules rather than port rules, so the SMB scripts should run as long as a) they're chosen and b) an SMB port was identified.

    hostrule = function(host)
      return smb.get_port(host) ~= nil
    end

So if someone had SMB ports open on a non-standard port (some weird port forwarding setup?), the scripts could potentially run against those ports, as long as the version detection was able to detect the service correctly (I haven't tried running SMB on a non-standard port to confirm that would work).

In theory you could create the world's most vague port or host rule that forces a script to run on any/every open port, but Nmap tries to use the results of version detection to reduce the time the NSE scripts take to execute (as there's no point trying to run html-title against an SMB port!).
If you think there are any scripts that have port rules that could be improved (e.g. if you think current ones are too restrictive) then hopefully we can correct them. Or you could modify the port rules yourself, as the Lua scripts can easily be opened in any text editor.

Regards,

Rob

On Sat, 24 Oct 2009 19:57:28 +0000, mike <dmciscobgp () hotmail com> wrote:
all:

i want to make sure i have this right before i delve into this question. when you run a script or a set of them, they are only called by the portrules they have for reference, correct? meaning when i complete a scan with "445" open, the scripts for "discovery" or the defaults would be calling those that handle SMB enumeration, right? well, as we know, a person can place a server on any port. is there a way to force our scripts to act on ANY port we specify? like if i had that port 445 discovered but wanted to throw something OTHER than SMB data at it, i cannot do that at this present time, right? i brought this up when i realized that when you call a -sV version scan, those probes (about 20 of them) will try and run on ANY port, not just a defined one. so is any of this possible to change in the future? once again, thank you!

m|ke
_______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://seclists.org/nmap-dev/
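As an added illustration (not code from Rob's message or from Nmap itself), here are the three kinds of rule discussed in the reply above written as plain Lua and evaluated offline against constructed port tables of the shape NSE hands to a port rule. A real script would assign one of them to the global portrule and would normally use the shortport library rather than the hand-rolled version below; the host address is a placeholder.

```lua
-- Added example, not from the original message or from Nmap: three styles of
-- NSE rule evaluated against constructed port tables, to show which scripts
-- would fire on a service found on a non-standard port with and without -sV.

-- 1. Service-based rule (html-title style): runs on any TCP port whose
--    detected service is http/https, whatever its number.
local function service_rule(host, port)
  local svc = { std = { ["http"] = 1, ["http-alt"] = 1 },
                ssl = { ["https"] = 1, ["https-alt"] = 1 } }
  return port.protocol == "tcp"
     and (svc.std[port.service] or svc.ssl[port.service]) ~= nil
end

-- 2. Port-or-service rule (the logic behind
--    shortport.port_or_service({80, 443, 8080}, {"http", "https"})):
--    matches a listed port number even without -sV, or a detected service.
local function port_or_service_rule(numbers, services)
  local nset, sset = {}, {}
  for _, n in ipairs(numbers) do nset[n] = true end
  for _, s in ipairs(services) do sset[s] = true end
  return function(host, port)
    return port.protocol == "tcp" and port.state == "open"
       and (nset[port.number] or sset[port.service]) == true
  end
end

-- 3. The deliberately vague rule Rob mentions: fire on every open port.
--    Trivial to write, but it throws away what version detection learned.
local function any_open_port_rule(host, port)
  return port.state == "open"
end

-- Constructed port tables. `service` is what -sV reported or, without -sV,
-- the nmap-services name for the number (e.g. 8080/tcp -> "http-proxy").
local ports = {
  { number = 80,   protocol = "tcp", state = "open", service = "http" },
  { number = 8080, protocol = "tcp", state = "open", service = "http-proxy" },
  { number = 8888, protocol = "tcp", state = "open", service = "http" },
  { number = 445,  protocol = "tcp", state = "open", service = "microsoft-ds" },
}

local http_auth_rule = port_or_service_rule({ 80, 443, 8080 }, { "http", "https" })
local host = { ip = "192.0.2.10" }  -- placeholder address
for _, p in ipairs(ports) do
  print(string.format("%5d/%s %-13s html-title=%-5s http-auth=%-5s any=%s",
    p.number, p.protocol, p.service,
    tostring(service_rule(host, p)), tostring(http_auth_rule(host, p)),
    tostring(any_open_port_rule(host, p))))
end
```

Running it shows 8080 caught only by the hardcoded-port rule (no -sV, so its service name is just the nmap-services entry), 8888 caught by both service-aware rules once -sV has labelled it http, and 445 caught only by the catch-all rule.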
Current thread:
- script scanning question mike (Oct 24)
- Re: script scanning question Rob Nicholls (Oct 24)