Nmap Development mailing list archives
Re: [BUG] Exclusions directive not honored by NSE version detection
From: Kris Katterjohn <katterjohn () gmail com>
Date: Sat, 19 Jun 2010 18:52:25 -0500
On Sat, 19 Jun 2010 14:07:49 +0100
Djalal Harouni <tixxdz () gmail com> wrote:

> On 2010-06-17 17:41:37 -0500, Kris Katterjohn wrote:
>> I don't know what all has been discussed in the NSE meetings pertaining to this problem, but why was it decided to use scripts and libraries to handle this sort of thing? I see Fyodor's comments[1] stating he prefers this way, but while I agree other scripts could potentially find this data useful, it seems like this may be the wrong way to go when Version scripts seem to be treated very specially anyway.
>>
>> By this I mean, what was discussed on having NSE examine the exclude list before checking portrules? I have never had a grasp on the inner workings of NSE, but couldn't it just not pass the excluded ports to scripts in the version category? Then the --allports option can be used to change this just like for service detection.
>
> If we do that, this will probably mean that we'll pass and parse the excluded directive two times, one for Nmap version scan and the other one for NSE version scan.
>
> The excluded ports list is already in memory stored in the *excludedports* scan_list, and the AllProbes::isExcluded() will simply check its argument (port and protocol) if they are in the *excludedports*, so we don't need to parse them again; simply export an NSE function which will call isExcluded() and return a boolean to NSE scripts to let them know if the port/protocol are in the *excludedports*.
>
> The --allports option is also honored by this patch.

I don't think you understood what I meant, or I'm misunderstanding you. I don't know what you mean by parsing it again, because I simply mean that version scripts needn't know about the exclusion list by necessity... NSE just won't run version scripts on excluded ports without --allports.

While this is special behavior for version scripts, these scripts are already deemed special (quoting the Nmap book):

"The scripts in this special category are an extension to the version detection feature and cannot be selected explicitly."

So instead of adding all of these functions and requiring version scripts to make special calls if they want to check for exclusion, just have NSE skip that port/script combo and be done with it.

This is modified from the end of nse_main.lua (add comment and strip):

    -- Check portrules for this host.
    for port in cnse.ports(host) do
      for i, script in ipairs(chosen_scripts) do
        -- Perhaps add version/exclude/allports logic here?
        local thread = script:new_thread("portrule",tcopy(host),tcopy(port));
        if thread then
          ...
        end
      end
    end

Would it not be possible to add something like "if script.categories contains 'version' and this port is excluded and --allports wasn't specified, then go to the next one"? Or am I confused and oversimplifying things? (Note that I only guess this is where this logic would go, but it seems OK at first glance-- it's just a starting point anyway).

When it comes to adding a few lines here vs changing script portrules and adding new functions and requirements for "exclusion conforming" scripts, then I think I'm surely just mistaken but I don't understand what the problem is. Is it because the scripts don't have a choice in the matter? Again, they are just "an extension to the version detection feature" and the exclusion rule is an important part of it.

Of course this doesn't stop the exclusion list from being available for any scripts to use on their own, if desired.

If I'm just beating a dead horse because I'm confused or missing something said from an NSE meeting, please just tell me ;) I have a feeling there is some obvious flaw in my suggestion that I'm just not seeing right now.

Cheers,
Kris Katterjohn
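
The dispatch-time check proposed in the message above, sketched as a stand-alone Lua program. This is an added example, not part of the original message and not code from nse_main.lua; `is_excluded`, `has_category`, `select_pairs`, the `allports` argument and the sample scripts and ports are hypothetical names and constructed data.

```lua
-- Added illustration; not code from nse_main.lua. All names are hypothetical
-- stand-ins, and the sample data below is constructed.

-- Stand-in for the Exclude directive's port list, keyed "proto:port".
local excluded = { ["tcp:9100"] = true, ["tcp:9101"] = true }

local function is_excluded(port)
  return excluded[port.protocol .. ":" .. port.number] == true
end

local function has_category(script, wanted)
  for _, c in ipairs(script.categories) do
    if c == wanted then return true end
  end
  return false
end

-- Returns the script/port pairs that would be handed to a portrule.
-- Version scripts are dropped on excluded ports unless allports is set;
-- scripts in other categories are unaffected.
local function select_pairs(scripts, ports, allports)
  local selected = {}
  for _, port in ipairs(ports) do
    for _, script in ipairs(scripts) do
      local skip = not allports
        and has_category(script, "version")
        and is_excluded(port)
      if not skip then
        selected[#selected + 1] = script.name .. "@" .. port.number
      end
    end
  end
  return selected
end

local scripts = {
  { name = "sample-version", categories = { "version" } },
  { name = "sample-safe", categories = { "safe", "discovery" } },
}
local ports = {
  { number = 80, protocol = "tcp" },
  { number = 9100, protocol = "tcp" },
}

print(table.concat(select_pairs(scripts, ports, false), " "))
print(table.concat(select_pairs(scripts, ports, true), " "))
```

With the filter placed in the dispatch loop, no individual version script has to remember to consult the exclusion list, which is the difference from the exported-function approach discussed in the quoted reply.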