Nmap Development mailing list archives

Re: [NSE] New class of scripts -- New Rule proposal


From: Djalal Harouni <tixxdz () gmail com>
Date: Sat, 26 Jun 2010 17:11:25 +0100

On 2010-06-25 15:35:02 -0500, Daniel Miller wrote:
> A way to get around the decision of whether/when to use the
> netscript's discoveries to automatically add targets, a new -iC
> option could be added (in the spirit of -iL, -iR), meaning "get
> targets from netscripts". This avoids surprising someone who was not
> expecting to scan those new targets, and also allows one to use the
> same script to simply discover a list of hosts without scanning
> them.
Yes, I think that a new Nmap option to do host discovery and activate the
new netrules would be better. However, we can have other scripts which do
not add targets to Nmap but simply want to use the Nmap/NSE API or want
to do some final results reporting; with these examples I think that
adding one general option to activate the netrules and to run the new
scripts is the best solution.

> A contrived example: I want to perform a dns zone transfer,
> smb-enum-sessions, and a "showmount -a"-type script to generate a
> list of targets from just a couple known targets. I know that the
> UNIX hosts are in one subnet, and the Windows hosts in another. If I
> don't care about running a full scan against all hosts, I use the
> -iC option with --script="names-of-scripts". If I want to limit my
> exposure to detection by an IDS or a host firewall, I can use the
> same command line, but without -iC to get the list of targets. Then
> I can sort them by subnet, and then just scan -p135,139,445,3389 for
> Windows and -p21,22,23,111 for UNIX.
Yes, the need for a new argument seems logical to me, but let me add this:

With the current design, to be able to add new targets to Nmap the
script must have a netrule_pre (run the script before Nmap scans) and
it must not count on the host and port tables.
Perhaps in the future there will be support for NSE hostgroup
before/after scripts (in this case scripts can run multiple times).

The new scripts/netrules are proposed due to the limitation of the current
solution: NSE scripts run after Nmap and depend on the host and port tables;
as an example, we can't do broadcast operations.


Just to clarify things from your example:
the nfs-showmount.nse script, as you have stated, can show new IPs, but this
script will not run before Nmap because it needs a host IP and a port;
in other words, it depends on the host and port tables. If we are
only speaking about pre-scan scripts (before Nmap), the only information
passed to these scripts will be in the net table. If we add the NSE
hostgroup before/after support, then every hostrule or
portrule script can add new targets which will be scanned by Nmap/NSE in
the next phase.

Of course we can simply add a netrule_pre rule to the current
nfs-showmount.nse script so it will simply connect to the specified
Nmap IP target and do its stuff before any Nmap scan (rDNS, port scan, etc.).
This will probably be the case when a script wants to use the Nmap/NSE
API, and I think that this special case can introduce abuse.

Thanks for your comments.

-- 
tixxdz
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
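The pre-scan rule discussed in this thread was later adopted in NSE as `prerule`/`postrule` together with the `target` library, where `--script-args newtargets` is the explicit opt-in that plays the role of the proposed -iC. The script below is an added illustration, not code from the thread or from Nmap; the script name, the `example-addtargets.seeds` argument and the seed-list input are constructed. It shows the constraint Djalal describes: a prerule action runs before any host or port table exists, so it can only work from its own arguments, and it adds targets only when the user has opted in, otherwise it just reports what it found.

```lua
-- example-addtargets.nse (constructed name; not an Nmap script)
local nmap   = require "nmap"
local stdnse = require "stdnse"
local target = require "target"

description = [[
Pre-scan example: turns a seed list from --script-args into new Nmap
targets, but only when the user opted in with --script-args newtargets.
]]
author = "example"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"discovery", "safe"}

-- No host/port tables exist at this point, so the rule takes no arguments.
prerule = function() return true end
-- Runs once after all hosts are scanned; used here only for reporting.
postrule = function() return true end

-- Parse a comma-separated list and keep only plausible IPv4 literals.
local function parse_seeds(s)
  local out = {}
  for tok in string.gmatch(s or "", "[^,%s]+") do
    if tok:match("^%d+%.%d+%.%d+%.%d+$") then out[#out + 1] = tok end
  end
  return out
end

action = function()
  if SCRIPT_TYPE == "prerule" then
    -- Argument name is constructed for this example.
    local seeds = parse_seeds(stdnse.get_script_args("example-addtargets.seeds"))
    nmap.registry.example_addtargets = { found = seeds, added = 0 }
    if #seeds == 0 then return "no valid seeds supplied" end
    if not target.ALLOW_NEW_TARGETS then
      -- Report only: same script, no change to the user's target list.
      return ("discovered %d host(s); rerun with newtargets to scan them"):format(#seeds)
    end
    local ok, n = target.add(table.unpack(seeds))
    if not ok then return "target.add failed: " .. tostring(n) end
    nmap.registry.example_addtargets.added = n
    return ("queued %d new target(s) for scanning"):format(n)
  end
  -- postrule: summarise what the prerule phase did.
  local st = nmap.registry.example_addtargets or { found = {}, added = 0 }
  return ("seeds found: %d, targets added: %d"):format(#st.found, st.added)
end
```

Running it without `newtargets` gives the discovery-only behaviour Daniel asks for; adding `--script-args newtargets,example-addtargets.seeds=...` lets `target.add` queue the hosts for the following scan phase.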