Nmap Development mailing list archives

Re: [NSE] New class of scripts -- New Rule proposal


From: "DePriest, Jason R." <jrdepriest () gmail com>
Date: Tue, 29 Jun 2010 22:13:41 -0500

On Tue, Jun 29, 2010 at 12:14 AM, Fyodor <> wrote:
On Fri, Jun 25, 2010 at 03:35:02PM -0500, Daniel Miller wrote:
A way to get around the decision of whether/when to use the netscript's
discoveries to automatically add targets, a new -iC option could be
added (in the spirit of -iL, -iR), meaning "get targets from
netscripts". This avoids surprising someone who was not expecting to
scan those new targets, and also allows one to use the same script to
simply discover a list of hosts without scanning them.

That is certainly a good point.  We don't want Nmap going off and
expanding the scope of its scans beyond the expectations of its user.
It seems that most scripts which discover IP addresses could either
print those IPs in the results, or add them to the scan. We'd want to
support both.  We will have to think about it more concretely once we
have such scripts, but I imagine that the default will be to print the
IPs, and there will be a special --script-arg (common to all the
scripts which do this) which requests that newly discovered IPs be
added to the target list.

If a certain script arg becomes extremely popular, we can consider
giving it an Nmap option as syntactic sugar.  For example, the -iC you
proposed could be a shortcut for "--script-arg expandtargets" or
whatever.  I think the best order for figuring this out is:

o Add the functionality for scripts to add extra IPs for Nmap to scan.
o When writing such a script (particularly the first one), decide how
 it is most likely to be used, and how to control it with arguments.
o Follow the same model with other scripts unless there is a strong
 reason for divergent behavior.
o At some point we can consider adding short Nmap options for the most
 common script-args.

Cheers,
Fyodor

Maybe all of this could be used to implement a feature I've wanted to
see for a long time: the ability to automatically portscan the IPs
that show up in the --traceroute to your original target.

-Jason
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
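The following NSE script is an added example for the two ideas discussed above; it is not code from this thread or from Nmap itself. It follows the model Fyodor describes (report discovered IPs by default, and only add them to the scan when a script argument asks for it) and applies it to Jason's traceroute case. It assumes the NSE `target` library that later Nmap releases ship (`target.ALLOW_NEW_TARGETS`, set by the `newtargets` script argument, and `target.add`), and the `host.traceroute` hop table that is populated when Nmap runs with `--traceroute`; the script name `traceroute-hops-as-targets` is made up for this illustration.

```lua
-- Added example (not from the nmap-dev thread or the Nmap project).
-- Assumes: nselib "target" (target.ALLOW_NEW_TARGETS, target.add) from
-- later Nmap releases, and host.traceroute as filled in by --traceroute.
local stdnse = require "stdnse"
local target = require "target"

description = [[
Lists the intermediate hops recorded by --traceroute for each target.
By default the hops are only reported in the script output. When the
script argument "newtargets" is given (which sets
target.ALLOW_NEW_TARGETS), each hop is also queued as a new scan target,
so the scope of the scan only grows when the user explicitly asks for it.
]]

author = "example author (illustration only)"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"discovery", "safe"}

-- Run only for hosts that actually carry traceroute data.
hostrule = function(host)
  return host.traceroute ~= nil
end

-- Collect distinct hop addresses, skipping timed-out hops (no ip field)
-- and the final hop when it is the target itself.
local function hop_addresses(host)
  local seen, hops = {}, {}
  for _, hop in ipairs(host.traceroute) do
    if hop.ip and hop.ip ~= host.ip and not seen[hop.ip] then
      seen[hop.ip] = true
      hops[#hops + 1] = hop.ip
    end
  end
  return hops
end

action = function(host)
  local hops = hop_addresses(host)
  if #hops == 0 then
    return nil -- nothing to report, keep the output quiet
  end

  local out = stdnse.output_table()
  out.hops = hops

  if target.ALLOW_NEW_TARGETS then
    -- The user passed --script-args newtargets: expand the target list.
    local added = {}
    for _, ip in ipairs(hops) do
      local ok, err = target.add(ip)
      if ok then
        added[#added + 1] = ip
      else
        stdnse.debug1("could not add %s as a target: %s", ip, err)
      end
    end
    out.added_to_scan = added
  else
    -- Default behaviour: report only, never widen the scan on its own.
    out.note = "pass --script-args newtargets to also scan these hops"
  end
  return out
end
```

Invoked as `nmap --traceroute --script traceroute-hops-as-targets <target>` the script only prints the hops; adding `--script-args newtargets` is the explicit opt-in that lets it queue them, which is the "print by default, expand on request" split the thread argues for.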

