Re: [NSE] Script Pre-scanning and Post-scanning example

[Kris Katterjohn <katterjohn () gmail com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

[This email covers more general topics farther down]

On 08/06/2010 12:18 PM, Djalal Harouni wrote:
> Hi list,
>
> I've merged the Script Pre-scanning and Post-scanning phases to Nmap
> trunk. I hope that we'll see lot of scripts that make use of them.

After talking with Djalal, I've attached a patch to add prerule processing to
snmp-interfaces.  This patch adds the addresses of the host's interfaces to
Nmap target list in order to possibly expose any additional services running
on the host.  While this script requires the target adding changes present in
the nmap-exp/djalal/nmap-add-targets branch, Djalal is OK with me posting this
now.

You won't want to use this prerule all of the time with many ports (scanning
the same host multiple times, when many ports will be same), but it certainly
has its uses.

This is from a scan against 192.168.1.1 (using Djalal's branch) with script
args "newtargets,snmpinterfaces.server=192.168.1.1":

Pre-scan script results:
|_snmp-interfaces: Successfully added 3 new targets
Nmap scan report for 192.168.1.1
Host is up (0.022s latency).
PORT    STATE  SERVICE
21/tcp  open   ftp
22/tcp  closed ssh
23/tcp  closed telnet
80/tcp  open   http
443/tcp closed https

Nmap scan report for 192.168.10.6
Host is up (0.017s latency).
PORT    STATE  SERVICE
21/tcp  open   ftp
22/tcp  open   ssh
23/tcp  closed telnet
80/tcp  open   http
443/tcp closed https

ssh is only running on the added interface (Ethernet), which would stay
unknown if only 192.168.1.1 (SLIP) was scanned alone.

(Also notice that the script adds 3 new targets but only 1 (192.168.10.6) is
shown here.  Only one added host is scanned, but Djalal mentioned that he is
working on fixing this in his branch [thus I haven't tested multiple added
addresses].  These other addresses not added are actually the address we
probed and the host's localhost-- Nmap itself needs to make these checks to
keep this out of scripts.  Unfortunately I haven't yet checked Djalal's branch
to see what all is checked so far so I can't comment any further.)

Notes on this patch:

* The snmpinterfaces.server arg is required to specify the SNMP host to probe
for interface addresses.  An optional port arg is available to specify a port
other than 161.  This is just like the dns-zone-transfer changes.

* The pre-scan output is not the usual snmp-interfaces output, but rather just
a line stating how many targets were successfully added.  The prerule
functionality for this script in this patch is to add targets and so I thought
the output should pertain solely to that.

Notes in general:

* It started bothering me working on this patch that scripts could get quickly
cluttered with different branches for prerule, postrule, etc. when script
functionality may only be slightly related amongst phases.

A thought I had would be to check if a script offers functions named things
like postaction() and execute these hooks instead of action() in the post-scan
phase (for example)-- this way script authors have control on clutter and can
separate it with NSE easily obliging.  Scripts which don't have these hooks
are just called with action() like normal.

A counter-argument to this could be to just add more code to libraries and
have separate script to prerule and postrule if they are substantially
different enough to warrant things like postaction().  But the latter could
mean very specific things added to libraries which only these scripts would
use, which then just needlessly clutters libraries.

If all multiphase scripts are simple enough (it wouldn't make sense to use
postaction or something like that in my patch, for example) then this won't be
a problem, but some forethought may save future headaches.  Who knows, maybe
simply breaking up action() will always be best if the phases make it too messy.

* Djalal's work on these different phases seems to work well.  I've only
really tested with this patch (prerule), but I didn't have any problems.


Cheers,
Kris Katterjohn


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQIcBAEBAgAGBQJMYeycAAoJEEQxgFs5kUfuH3wP/j1wWHR0JcFUT6KqaUYEXgh6
LkGPYsrbU8l92J8WRLMuhEJwcYN8Ne/w8oRNovP/TGVs0vGHd4y3IjaYj8tOVt0I
03QiBwWhPhan49QHq4lyxvpafPwY4dzLHCUphQdKyCof8N+0ckLsBlxKHAKHa3Pb
D2xAQBj055uBkklDtIQca+S7pITDfnLW2fSVuR05FwK4fcyvXJXTURcBa+Y1L2nr
ucZPjz00ItRpTpzs1gRbEoYOggbqgO+j6mkHLMf5+sTamrf02Gagh7D5JGTATXTR
BUfEwbj0emwFXq1mHyeo3f7raqHpGlaDBkk5gwJ/wvcmgq1MKkuLS8fo2DHCUq8l
4++UnHTtszsvxV0wBrUDHxUGFUCpJJ4PwwTrynOtm1uXjtfjnAVk+l9q6+gDcnSX
cQVbfrP50o0vL9QHzAKqn2pL2u5byNpDapl4DRX3/rAIQCXMynOV/hT0NJuGkoka
QIhbEm/vrgbxHMkuu5tUEgJoyFuX3OW5AS9TLkVDUXdReX0B6jGDmSlGvjzbE7zm
yaB1CQH/SuRGVGcAbmcf5yf3qAHxQrl/rENTYEcYPbGe2zLj+zJKVcySHa28AmWU
Ac6pfTlS3AHsp/jdyoVDINlEbOUeqD6MyuDdx/1F00seJ3u4jVcqBqGTth0hGxjq
g7kxrqxaBk+NxEQZOzuq
=Tpl5
-----END PGP SIGNATURE-----

Attachment: snmp.patch
Description:

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/