Nmap Development mailing list archives

Re: [BUG] Exclusions directive not honored by NSE version detection


From: David Fifield <david () bamsoftware com>
Date: Mon, 17 May 2010 20:35:04 -0600

On Fri, Apr 30, 2010 at 05:16:59PM -0500, Tom Sellers wrote:
I have recently come across a bug involving port exclusions when performing version detection. I plan to work on finding a fix for the issue this weekend, but I thought I would go ahead and send the info to the list now in the event that my work was delayed or someone had an idea of exactly where the issue lay.

Recent scanning shows that the Exclude directive in the nmap-service-probes file is being ignored by NSE version detection if more than one port is scanned on a host. The nmap built-in version detection skips the port, but NSE runs version detection scripts against the port anyway.

Testing indicates:
1.  Scanning 1 port in exclude list = proper behavior
2.  Scanning 2 ports in the exclude list = proper behavior
3.  Scanning 1 or more excluded ports and 1 or more non-excluded ports = NSE service scan against excluded ports

Are you sure about these conditions? It seems to me that NSE doesn't
honor the excluded ports in any case. I made a version script that runs
for every port,

-- Minimal version-category test script: it claims every port, so any port
-- that shows "version-run" in the output was handled by NSE regardless of
-- the Exclude directive in nmap-service-probes.
local nmap = require "nmap"

description = ""
categories = {"version"}

-- Match unconditionally; no check against the version-detection exclusions.
portrule = function(host, port)
        return true
end

-- Stamp a recognisable fake service name/product on the port so the scan
-- output makes it obvious that the script ran.
action = function(host, port)
        port.version.name = "version-run"
        port.version.product = "version script run"
        nmap.set_port_version(host, port, "hardmatched")
end

It looks like it runs no matter what.

$ ./nmap --datadir . -sV localhost -Pn -n -p 9100
PORT     STATE SERVICE     VERSION
9100/tcp open  version-run version script run

$ ./nmap --datadir . -sV localhost -Pn -n -p 9100,9101
PORT     STATE SERVICE     REASON  VERSION
9100/tcp open  version-run syn-ack version script run
9101/tcp open  version-run syn-ack version script run

$ ./nmap --datadir . -sV localhost -Pn -n -p 80,9100
PORT     STATE SERVICE     VERSION
80/tcp   open  version-run version script run
9100/tcp open  version-run version script run

(This is with Ncat listeners on the scanned ports.)

I guess it makes sense for version-category NSE scripts to use the same
exclusions as normal version detection, but I don't know that it has
come up before.

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
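To check which of the scanned ports the Exclude directive should have kept version detection away from, here is a small Python parser for a line in nmap-service-probes Exclude syntax (nmap -p style port specs). This is an added example, not code from the thread or from Nmap; the Exclude line is constructed for the example, only T:/U: prefixes are handled, and a bare item is assumed to apply to both protocols.

```python
import re

# Constructed Exclude line in nmap-service-probes syntax (not the real file's
# contents): -p style port specs, with T:/U: prefixes that apply to every
# following item until another prefix appears. S:/P: prefixes are not handled.
EXCLUDE_LINE = "Exclude T:9100-9107,T:515,U:9100"

PORT_RE = re.compile(r"^(\d+)(?:-(\d+))?$")

def parse_exclude(line):
    """Return the set of (proto, port) pairs an Exclude directive names."""
    spec = line.strip()
    if not spec.startswith("Exclude "):
        raise ValueError("not an Exclude directive: %r" % line)
    protos = ("tcp", "udp")  # assumption: a bare item applies to both
    excluded = set()
    for item in spec[len("Exclude "):].split(","):
        item = item.strip()
        if not item:
            continue
        if len(item) > 1 and item[1] == ":" and item[0].upper() in "TU":
            protos = ("tcp",) if item[0].upper() == "T" else ("udp",)
            item = item[2:]
        m = PORT_RE.match(item)
        if not m:
            raise ValueError("bad port spec: %r" % item)
        lo = int(m.group(1))
        hi = int(m.group(2) or lo)
        if not 0 <= lo <= hi <= 65535:
            raise ValueError("port range out of order or out of bounds: %r" % item)
        for port in range(lo, hi + 1):
            for proto in protos:
                excluded.add((proto, port))
    return excluded

def partition_ports(excluded, scanned):
    """Split scanned (proto, port) pairs into (skip, probe), preserving order."""
    skip = [p for p in scanned if p in excluded]
    probe = [p for p in scanned if p not in excluded]
    return skip, probe

EXCLUDED = parse_exclude(EXCLUDE_LINE)

if __name__ == "__main__":
    # The three TCP port lists from the scans above: only 80 should be probed.
    for ports in ([9100], [9100, 9101], [80, 9100]):
        skip, probe = partition_ports(EXCLUDED, [("tcp", p) for p in ports])
        print("scan %s: skip %s, probe %s" % (ports, skip, probe))
```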