Nmap Development mailing list archives

Re: [NSE] New class of scripts -- New Rule proposal


From: Ron <ron () skullsecurity net>
Date: Fri, 25 Jun 2010 08:47:53 -0500

On Thu, 24 Jun 2010 14:04:00 -0700 Fyodor <fyodor () insecure org> wrote:
> Note that this "Nmap will scan all the newly discovered subdomains and
> hostnames" part is a big change for Nmap proper.  Still, I think it is
> worth doing and is better than forcing people to run the script once
> to get the targets and then again to specify those targets.  The DNS
> zone transfer script example you gave is a good one.

I agree. I can see other cases, too, where a run-once-per-scan tool would
be helpful, even if it doesn't feed IP addresses back into Nmap.

> This will be a nice feature for Ron's California Vanity License plate
> script too (http://www.skullsecurity.org/blog/?p=723) :).  I always
> feel silly having to specify a target host when I run that, even
> though it is ignored.

Great use case!

> > o The scripts will run when the new --script-netscan Nmap option is
> > specified and when the netrule function evaluates to true, like the
> > version scan scripts which depend on the -sV option.
>
> Why not specify the scripts using --script like the host and port
> scripts?  I don't see any need to have a separate option for this.  I
> think the "default" category of these scripts (if we have any) should
> run by default just like default host and port scripts too.  And I
> think we should use the normal --script-args option for their
> arguments.
>
> > We can also have different new scripts which can run multiple times:
> > o Before any scanning.
> > o Before hostgroup NSE scan.
> > o After hostgroup NSE scan.
> > o After scanning all hostgroups.
>
> I think we should only have phases where we can demonstrate an
> important script which requires them (e.g. a use case).  In
> particular, what scripts do you have in mind for "Before hostgroup NSE
> scan" and "After hostgroup NSE scan" scripts?

It seems to me that anything that could potentially be an "after hostgroup"
script could be controlled with a script dependency. That would take a
little more effort, though.

> > Net table:
> > ----------
> > Information passed to the new net scripts is in the net lua table.
>
> If this information is unavailable in other ways, we should probably
> make it available to host/port scripts too in case they need it.
>
> Cheers,
> Fyodor

I've brought up a very similar idea a couple of times, and I think it's a
promising one. I'd really divide it into two concepts:
1. There should be a way for scripts to feed IP addresses back to Nmap
   (zone transfer on 53, dhcp broadcast, zeroconf, ntp-netmon, etc.)
2. There should be a class of scripts that run once-per-scan (or
   once-per-hostgroup even?), and don't necessarily require any targets.

I think we have enough use cases for both to justify further
discussion/implementation.
-- 
Ron Bowes
http://www.skullsecurity.org
http://www.twitter.com/iagox86
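As an added illustration of the two concepts Ron separates above (a script that runs once per scan without needing a target, and a script that feeds discovered addresses back to Nmap), here is a hypothetical NSE script. It is not code from this thread or from the Nmap project; it uses the `prerule`/`postrule` script types and the `target.add()` call that later shipped in NSE rather than the `netrule` function and `net` table named in the proposal. The script name `seed-hosts`, the script argument `seed-hosts.names`, and the registry key `nmap.registry.seed_hosts` are assumptions made for the example.

```lua
-- seed-hosts.nse (hypothetical, added example; not from the thread or Nmap)
-- Runs once before scanning (prerule), resolves user-supplied hostnames
-- and queues the resulting addresses as new scan targets. A postrule
-- reports a summary after all hostgroups are done. No initial target
-- is required, which is exactly the case discussed in the thread.
local nmap   = require "nmap"
local stdnse = require "stdnse"
local target = require "target"

description = [[
Resolves a comma-separated list of seed hostnames before the scan starts
and adds the resulting IP addresses to the scan queue. New targets are
only added when the user opts in with --script-args newtargets.
]]

author = "example (hypothetical)"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"discovery", "safe"}

-- Once per scan, before any host is scanned. Only worth running if the
-- user allowed scripts to add targets and gave us something to resolve.
prerule = function()
  if not target.ALLOW_NEW_TARGETS then
    stdnse.debug1("seed-hosts: run with --script-args newtargets to allow new targets")
    return false
  end
  return stdnse.get_script_args("seed-hosts.names") ~= nil
end

-- Once per scan, after all hostgroups: report what the prerule queued.
postrule = function()
  return nmap.registry.seed_hosts ~= nil
end

local function pre_action()
  local names = stdnse.get_script_args("seed-hosts.names")
  -- Accept either "a.example,b.example" or a Lua table of names.
  if type(names) == "string" then
    local list = {}
    for n in names:gmatch("[^,%s]+") do list[#list + 1] = n end
    names = list
  end

  local added, failed = {}, {}
  for _, name in ipairs(names) do
    -- nmap.resolve returns (true, {addr, ...}) or (false, error string).
    local status, addrs = nmap.resolve(name, "inet")
    if status then
      for _, addr in ipairs(addrs) do
        -- target.add feeds the address back into Nmap's scan queue.
        local ok, err = target.add(addr)
        if ok then
          added[#added + 1] = name .. " -> " .. addr
        else
          failed[#failed + 1] = name .. ": " .. tostring(err)
        end
      end
    else
      failed[#failed + 1] = name .. ": " .. tostring(addrs)
    end
  end

  -- Leave a summary for the postrule run at the end of the scan.
  nmap.registry.seed_hosts = { added = #added, failed = #failed }

  local out = stdnse.output_table()
  out.added = added
  out.failed = failed
  return out
end

local function post_action()
  local r = nmap.registry.seed_hosts
  return string.format("%d address(es) queued as new targets, %d failure(s)",
                       r.added, r.failed)
end

-- SCRIPT_TYPE tells a script with several rules which phase invoked it.
action = function()
  if SCRIPT_TYPE == "prerule" then
    return pre_action()
  end
  return post_action()
end
```

Invoked as `nmap --script ./seed-hosts.nse --script-args newtargets,seed-hosts.names=a.example,b.example -p 53,80` with no target on the command line, the prerule runs first, the resolved addresses are scanned as ordinary hosts (so host and port scripts see them), and the postrule prints the summary once every hostgroup has finished. Gating `target.add()` behind the `newtargets` argument keeps a script from silently widening a scan's scope, which matters when the seed list comes from data a script discovered rather than from the operator.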

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/