Re: do we really need all these SNMP scripts?

[Rob Nicholls <robert () robnicholls co uk>]

On Sat, 5 Feb 2011 22:10:06 +0100, Patrik Karlsson wrote:
> I don't see the point of implementing a replacement of the snmpwalk
> or osql commands as NSE scripts as I would much rather use the
> original tools to perform their tasks.

I'm lazy/efficient. If I can get Nmap to do everything (or at least 
most things), I don't have to worry about having all of these disparate 
tools installed to do the same thing, or having to try and read/parse 
the output (Nmap's XML output is valid, stable, reliable, useful).

Plus I can do things like use snmp-brute to identify the community 
string and then use the other scripts (including potentially an 
snmp-walk script if one were developed) to grab the data without having 
to run separate programs and manually (or write a script to) pass data 
between them. It's also typically easier to get output out of Nmap's XML 
file than parse the output from these different programs (which could, 
although they typically don't, change).

If you start going down the route of "use the original tools", then we 
could rule out several of the existing scripts (http-enum.nse or 
nikto.pl; snmp-interfaces.nse or snmp_ifaces.nasl or Getif; ssl-enum.nse 
or thcsslcheck or ssl_supported_ciphers.nasl; smb-* or enum.exe). I'm 
really glad we have them though (and in many cases they're more reliable 
and can support IPv6). But on the flip side, I agree that we shouldn't 
focus on creating scripts when there are already perfectly good 
alternatives. If someone happens to develop and submit them, or wants 
to, then great. I'm not going to discourage them. But I'd still prefer 
to see NSE scripts that do things that aren't - or can't be - done by 
anything else.

Again, just my late night thoughts :)

Rob

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/