Nmap Development mailing list archives

Re: Nmap SoC Ideas?


From: Ron <ron () skullsecurity net>
Date: Tue, 16 Mar 2010 07:34:12 -0500

While we're on the subject of cool new features, here's something else I've been thinking about for a while...
o Automatic updater (for scripts/nselib, mainly)

There are many times when I find myself writing about how to update a specific script/library when a new vulnerability 
comes out so people can find it. It'd be far easier for me (and people using Nmap) if there was a script repository 
that they could easily update. Some ideas are:
o Use svn like Metasploit (not sure that would work for Nmap, but svn is nice for updating interpreted stuff)
o Use rsync like OpenVAS
o Use whatever Nessus does (I have no idea how Nessus does it)
o Use rss like podcasts do
o Have a repository that users can browse from within Zenmap, possibly using one of the above technologies. Users can 
check through scripts, and automatically get the 'recommended' scripts (whatever that means). 
o Allow scripts to be hosted externally by others (and maybe even signed, like Nessus -- maybe optionally?) so people 
can do nmap --script-update=http://someothersite/scripts. rsync, rss, and other technologies would make that easy, but 
it becomes a potential security issue. 

It'd be cool if there could be different sources for scripts, especially for experimental scripts if somebody wants to 
stay on the bleeding edge (scripts that haven't been added to svn yet and that need testing) -- it'd make it easier for 
people to try out new scripts and give feedback before they're included. 

Honestly, I don't think it suits scripts to be held back by Nmap's release cycle. Scripts are almost completely 
independent of the Nmap core these days, and scripts are often time-sensitive (especially the vulnerability checkers), 
and scripts have a bit of a different development model (faster turnaround, self-contained). The Conficker script 
really showed the weakness in basing scripts along with actual releases, when we had to do repeated releases just for a 
script, when in Nessus or MSF it'd be a single command for the user to update. 

Along with scripts, an auto-updater for data files (mac prefixes, version probes, upcoming udp payloads, etc) would 
probably benefit users as well. 

Thoughts?

On Sat, 13 Mar 2010 16:10:07 -0800 Fyodor <fyodor () insecure org> wrote:
Hi Folks.  It is that time of the year again for the Summer of Code!
I filled out the Google application yesterday.  Given that Nmap has
been accepted for all five previous Summers of Code, chances are that
we'll be accepted again.  But that is only the very beginning!  The
most important work right now is identifying the projects we want
accomplished this summer.  I already have some ideas, which I've
posted here:

http://nmap.org/soc/

That page has all the details, but here is a summary of the projects:

o Nmap Scripting Engine--Script Developer
o Nmap Cloud Scanning Platform
o Zenmap GUI Developer
o Feature Creepers and Bug Wranglers
o Nmap and Zenmap on Mobile Devices (iPhone, Android, Maemo, etc.)
o Nmap Scripting Engine--Infrastructure manager
o Ncrack Developer
o Nping Developer 

Those are all well and good, but I'd love to hear from the community
where you would like Nmap to go!  This is your chance to specify a
feature you've wanted and we may be able to find a college/grad
student to get it done!  The Summer of Code lasts just under 3 months,
but we can usually fit smaller tasks into larger projects (or "feature
creeper" appointments), and we have a long history of large projects
which take multiple years (Zenmap, NSE).

We're even willing to consider separate applications as long as they
fit with the rest of the Nmap suite.  After all, the latest SVN
version of Nmap now offers 5 utilities: Nmap, Zenmap, Ndiff, Ncat, and
(alpha version) Nping!  Plus we have the (alpha) Ncrack distributed
from http://nmap.org/ncrack/.

So let's hear your ideas!  I also welcome comments on the existing
projects listed on the page.  Remember that even the best students are
only as good (or at least as useful to the project) as the tasks we
put them to.

Cheers,
Fyodor
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/


-- 
Ron Bowes
http://www.skullsecurity.org
http://www.twitter.com/iagox86