Nmap Development mailing list archives
Re: [NSE] New class of scripts -- New Rule proposal
From: Djalal Harouni <tixxdz () gmail com>
Date: Sat, 26 Jun 2010 17:11:25 +0100
On 2010-06-25 15:35:02 -0500, Daniel Miller wrote:
> A way to get around the decision of whether/when to use the netscript's discoveries to automatically add targets, a new -iC option could be added (in the spirit of -iL, -iR), meaning "get targets from netscripts". This avoids surprising someone who was not expecting to scan those new targets, and also allows one to use the same script to simply discover a list of hosts without scanning them.
Yes, I think that a new Nmap option to do host discovery and activate the new netrules would be better. However, we can have other scripts which do not add targets to Nmap but simply want to use the Nmap/NSE API or want to do some final results reporting. With these examples, I think that adding one general option to activate the netrules and to run the new scripts is the best solution.
> A contrived example: I want to perform a dns zone transfer, smb-enum-sessions, and a "showmount -a"-type script to generate a list of targets from just a couple known targets. I know that the UNIX hosts are in one subnet, and the Windows hosts in another. If I don't care about running a full scan against all hosts, I use the -iC option with --script="names-of-scripts". If I want to limit my exposure to detection by an IDS or a host firewall, I can use the same command line, but without -iC to get the list of targets. Then I can sort them by subnet, and then just scan -p135,139,445,3389 for Windows and -p21,22,23,111 for UNIX.
Yes, the need for a new argument seems logical to me, but let me add this:

With the current design, to be able to add new targets to Nmap the script must have a netrule_pre (run the script before Nmap scans) and must not count on the host and port tables. Perhaps in the future there will be support for NSE hostgroup before/after scripts (in this case scripts can run multiple times).

The new scripts/netrules are proposed due to the limitation of the current solution: NSE scripts run after Nmap and depend on the host and port tables; as an example, we can't do broadcast operations.

Just to clarify things from your example: the nfs-showmount.nse script, as you have stated, can show new IPs, but this script will not run before Nmap because it needs a host IP and a port; in other words, it depends on the host and port tables, and if we are only speaking about pre-scan scripts (before Nmap), the only information passed to these scripts will be in the net table.

If we add the NSE hostgroup before/after support, then in that case every hostrule or portrule script can add new targets which will be scanned by Nmap/NSE in the next phase.

Of course we can simply add a netrule_pre rule to the current nfs-showmount.nse script so it will simply connect to the specified Nmap IP target and do its stuff before any Nmap scan (rDNS, port scan, etc.). This will probably be the case when a script wants to use the Nmap/NSE API, and I think that this special case can introduce abuse.

thx for your comments.

--
tixxdz
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
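The two-step workflow from the quoted message (collect script-discovered hosts first, then scan each subnet with its own port list), as an added Python example that is not code from the thread or from Nmap. It keeps only addresses inside subnets declared up front, so discovered hosts never enter a scan unexpectedly; the subnets, sample entries and function names are constructed for illustration, and only the port lists come from the message.

```python
import ipaddress

# Assumed scope for the example: documentation subnets mapped to a group name
# and the port list quoted in the message for that kind of host.
SCOPE = {
    ipaddress.ip_network("192.0.2.0/25"): ("windows", "135,139,445,3389"),
    ipaddress.ip_network("192.0.2.128/25"): ("unix", "21,22,23,111"),
}

# Constructed sample of discovery output: a duplicate, a hostname, an address
# outside both subnets and a malformed entry.
DISCOVERED = ["192.0.2.10", "192.0.2.200", "192.0.2.10", "fileserver.example",
              "198.51.100.7", "192.0.2.999", "192.0.2.77"]

def triage(entries, scope=SCOPE):
    """Split discovered entries into per-group address sets and a reject list."""
    groups = {name: set() for name, _ in scope.values()}
    rejected = []
    for raw in entries:
        entry = raw.strip()
        if not entry:
            continue
        try:
            addr = ipaddress.ip_address(entry)
        except ValueError:
            # Hostnames are not resolved here; they go back to the operator.
            rejected.append((entry, "not an IP address"))
            continue
        for net, (name, _) in scope.items():
            if addr in net:
                groups[name].add(addr)  # the set removes duplicates
                break
        else:
            rejected.append((entry, "outside declared subnets"))
    return groups, rejected

def commands(groups, scope=SCOPE):
    """Build one nmap command line per non-empty group, addresses sorted."""
    ports = {name: plist for name, plist in scope.values()}
    return [
        f"nmap -p{ports[name]} " + " ".join(str(a) for a in sorted(addrs))
        for name, addrs in groups.items() if addrs
    ]

if __name__ == "__main__":
    found, skipped = triage(DISCOVERED)
    print("\n".join(commands(found)))
    for entry, reason in skipped:
        print(f"skipped {entry}: {reason}")
```
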