Nmap Development mailing list archives

Re: [NSE] Round 2: Update some scripts' categories


From: Patrik Karlsson <patrik () cqure net>
Date: Tue, 12 Jul 2011 20:25:34 +0200


On Jul 12, 2011, at 7:59 PM, Djalal Harouni wrote:

> In this second list I've tried to add the 'default' category to the
> scripts which I think deserve it, however perhaps others will disagree
> so feedback is welcome.

I've added some comments on the scripts that I know anything about.


> This will affect Nmap's default behaviour.

> o smb-mbenum.nse:
>  -categories = {"discovery", "safe"}
>  +categories = {"default", "discovery", "safe"}
>
>  Add the default category if the script can get the info without
>  authentication, especially if it can run without specific script
>  arguments.

The script can run without any arguments, but I have two concerns that may not make it suitable for the default category.
1. In most cases, when run against a server that does not have a master browser role, the script will return the name of the server under each and every category, like this:
Host script results:
| smb-mbenum: 
|   DFS Root
|     SERVER1  0.0  SERVER1
|   Potential Browser
|     SERVER1  0.0  SERVER1
|   Print server
|     SERVER1  0.0  SERVER1
|   Server
|     SERVER1  0.0  SERVER1
|   Server service
|     SERVER1  0.0  SERVER1
|   Unix server
|     SERVER1  0.0  SERVER1
|   Windows NT/2000/XP/2003 server
|     SERVER1  0.0  SERVER1
|   Workstation
|_    SERVER1  0.0  SERVER1

This doesn't really provide a lot of useful information in addition to being able to fingerprint the server as Terminal Server, SQL server etc.
However, there are other scripts or simply indication of open ports that may do this.
A potential solution would be to change the output to be more condensed if a single server is detected.

2. When run against a master browser it really provides a lot of value, as it will tell you the names of all available terminal servers, SQL servers, print servers etc. registered for that domain.
In order to know which server to query (the master browser) you need to discover it using the broadcast-netbios-master-browser script or another method of your choice.
When querying a master browser of a potentially large domain, this script may generate a *lot* of output, which may or may not make it suitable for the default category.



> o giop-info.nse
>  -categories = {"discovery", "safe"}
>  +categories = {"default", "discovery", "safe"}

This should be no problem.


> o vnc-info.nse
>  -categories = {"discovery", "safe"}
>  +categories = {"default", "discovery", "safe"}

I think this is a good idea as it may discover servers not requiring a password for the VNC service.


> o ncp-serverinfo.nse
>  -categories = {"discovery", "safe"}
>  +categories = {"default", "discovery", "safe"}

Sounds good to me.


> o smb-security-mode.nse
>  currently: {"discovery", "safe"}
>
>  Perhaps we should add the 'vuln' category to this one.
>  And if the script can retrieve that info without authentication, then
>  perhaps we can make it in the 'default' category.
>
> o afp-serverinfo.nse
>  -categories = {"discovery", "safe"}
>  +categories = {"default", "discovery", "safe"}
>
>  If it can retrieve that info without authentication, then adding the
>  'default' category seems ok for me.

Yes, this is all requested without authentication.
Adding it to default sounds reasonable to me.


> Thanks.
>
> --
> tixxdz
> http://opendz.org


//Patrik
--
Patrik Karlsson
http://www.cqure.net
http://www.twitter.com/nevdull77
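The condensed output proposed above for the single-server case, as an added example that is not part of this thread or of Nmap's own smb-mbenum code; the result layout (role name mapped to a list of entries with name, version and comment fields) is an assumption made for the example.

```lua
-- Added example, not code from this thread or from Nmap itself: condense
-- smb-mbenum style output when every role lists only the same single host,
-- as the reply above suggests. The input layout (role -> list of entries
-- with name, version and comment fields) is an assumption of this example.

local function sorted_roles(results)
  local roles = {}
  for role in pairs(results) do roles[#roles + 1] = role end
  table.sort(roles)
  return roles
end
-- Returns the single entry if every role holds exactly that one entry, else nil.
local function lone_host(results)
  local only
  for _, entries in pairs(results) do
    if #entries ~= 1 then return nil end
    local e = entries[1]
    if not only then
      only = e
    elseif e.name ~= only.name or e.version ~= only.version then
      return nil
    end
  end
  return only
end
local function format_results(results)
  local roles = sorted_roles(results)
  local only = lone_host(results)
  if only then
    -- Non-master-browser case: one line for the host plus the roles it claims.
    return string.format("%s  %s  %s\n  Roles: %s",
      only.name, only.version, only.comment, table.concat(roles, ", "))
  end
  -- Master-browser case: keep the per-role listing, since that is the value.
  local out = {}
  for _, role in ipairs(roles) do
    out[#out + 1] = role
    for _, e in ipairs(results[role]) do
      out[#out + 1] = string.format("  %s  %s  %s", e.name, e.version, e.comment)
    end
  end
  return table.concat(out, "\n")
end
-- Constructed samples: the lone host quoted above, then a master browser.
local h = { name = "SERVER1", version = "0.0", comment = "SERVER1" }
print(format_results({ ["DFS Root"] = { h }, ["Print server"] = { h }, ["Workstation"] = { h } }))
print(format_results({
  ["Print server"] = { { name = "PRN01", version = "5.2", comment = "Print" } },
  ["SQL server"] = { { name = "DB01", version = "5.2", comment = "SQL" },
                     { name = "DB02", version = "6.1", comment = "SQL" } } }))
```

The first call collapses the repeated per-role lines into a single host line with its roles; the second keeps the full listing because a master browser reports several distinct servers.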

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/

