Nmap Development mailing list archives

Re: [BUG] Exclusions directive not honored by NSE version detection


From: Kris Katterjohn <katterjohn () gmail com>
Date: Sat, 19 Jun 2010 18:52:25 -0500


On Sat, 19 Jun 2010 14:07:49 +0100
Djalal Harouni <tixxdz () gmail com> wrote:
> On 2010-06-17 17:41:37 -0500, Kris Katterjohn wrote:
> > I don't know what all has been discussed in the NSE meetings
> > pertaining to this problem, but why was it decided to use scripts
> > and libraries to handle this sort of thing?  I see Fyodor's
> > comments[1] stating he prefers this way, but while I agree other
> > scripts could potentially find this data useful, it seems like this
> > may be the wrong way to go when Version scripts seem to be treated
> > very specially anyway.
> >
> > By this I mean, what was discussed on having NSE examine the exclude
> > list before checking portrules?  I have never had a grasp on the
> > inner workings of NSE, but couldn't it just not pass the excluded
> > ports to scripts in the version category?  Then the --allports
> > option can be used to change this just like for service detection.
> If we do that, this will probably mean that we'll pass and parse the
> excluded directive two times, one for Nmap version scan and the other
> one for NSE version scan. The excluded ports list is already in memory
> stored in the *excludedports* scan_list, and the
> AllProbes::isExcluded() will simply check its argument (port and
> protocol) if they are in the *excludedports*, so we don't need to
> parse them again; simply export an NSE function which will call
> isExcluded() and returns a boolean to NSE scripts to let them know if
> the port/protocol are in the *excludedports*. The --allports option
> is also honored by this patch.


I don't think you understood what I meant, or I'm misunderstanding
you.  I don't know what you mean by parsing it again, because I simply
mean that version scripts needn't know about the exclusion list by
necessity... NSE just won't run version scripts on excluded ports
without --allports.

While this is special behavior for version scripts, these scripts are
already deemed special (quoting the Nmap book): "The scripts in this
special category are an extension to the version detection feature and
cannot be selected explicitly."

So instead of adding all of these functions and requiring version
scripts to make special calls if they want to check for exclusion, just
have NSE skip that port/script combo and be done with it.

This is modified from the end of nse_main.lua (add comment and strip):

-- Check portrules for this host.
for port in cnse.ports(host) do
  for i, script in ipairs(chosen_scripts) do
    -- Perhaps add version/exclude/allports logic here?
    local thread = script:new_thread("portrule",tcopy(host),tcopy(port));
    if thread then
      ...
    end
  end
end


Would it not be possible to add something like "if script.categories
contains 'version' and this port is excluded and --allports wasn't
specified, then go to the next one"?

Or am I confused and oversimplifying things?  (Note that I only guess
this is where this logic would go, but it seems OK at first glance--
it's just a starting point anyway).

When it comes to adding a few lines here vs changing script portrules
and adding new functions and requirements for "exclusion conforming"
scripts, then I think I'm surely just mistaken but I don't understand
what the problem is.  Is it because the scripts don't have a choice in
the matter?  Again, they are just "an extension to the version
detection feature" and the exclusion rule is an important part of it.
Of course this doesn't stop the exclusion list from being available for
any scripts to use on their own, if desired.

If I'm just beating a dead horse because I'm confused or missing
something said from an NSE meeting, please just tell me ;)  I have a
feeling there is some obvious flaw in my suggestion that I'm just not
seeing right now.

Cheers,
Kris Katterjohn
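As an added illustration of the check proposed above (example code written for this page, not from the thread or from Nmap's nse_main.lua), the loop below models the version/exclude/allports logic in plain Lua. The Exclude syntax "T:9100-9107,U:161", the script and port tables, and the function names are all constructed assumptions.

```lua
-- Parse an Exclude spec into a set keyed "tcp:9100" / "udp:161".
-- The "T:lo-hi,U:port" syntax is assumed for this example.
local function parse_exclude(spec)
  local excluded = {}
  for item in spec:gmatch("[^,%s]+") do
    local proto, range = item:match("^([TU]):(.+)$")
    if not proto then proto, range = "T", item end
    local lo, hi = range:match("^(%d+)%-(%d+)$")
    if not lo then lo = range:match("^(%d+)$"); hi = lo end
    assert(lo, "bad Exclude entry: " .. item)
    for p = tonumber(lo), tonumber(hi) do
      excluded[(proto == "T" and "tcp" or "udp") .. ":" .. p] = true
    end
  end
  return excluded
end

-- Stand-in for a port check like AllProbes::isExcluded().
local function is_excluded(excluded, port)
  return excluded[port.protocol .. ":" .. port.number] == true
end

-- The proposed rule: skip only version-category scripts on excluded
-- ports, and let --allports lift the restriction for all of them.
local function should_skip(script, port, excluded, allports)
  if allports then return false end
  local is_version = false
  for _, cat in ipairs(script.categories) do
    if cat == "version" then is_version = true end
  end
  return is_version and is_excluded(excluded, port)
end

-- Constructed stand-ins for chosen_scripts and cnse.ports(host).
local excluded = parse_exclude("T:9100-9107,U:161")
local chosen_scripts = {
  { name = "version-probe",  categories = { "version" } },
  { name = "some-discovery", categories = { "discovery", "safe" } },
}
local ports = {
  { number = 9100, protocol = "tcp" },
  { number = 80,   protocol = "tcp" },
  { number = 161,  protocol = "udp" },
}
for _, port in ipairs(ports) do
  for _, script in ipairs(chosen_scripts) do
    local verdict = should_skip(script, port, excluded, false) and "skip" or "run "
    print(("%s %-14s %s/%d"):format(verdict, script.name, port.protocol, port.number))
  end
end
```

With this arrangement only the version-category script is skipped on tcp/9100 and udp/161, the discovery script still runs everywhere, and passing true for allports runs everything.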
