Nmap Development mailing list archives

Script suggestions, take #3


From: Martin Holst Swende <martin () swende se>
Date: Sat, 04 Feb 2012 22:28:34 +0100

Hi list,

I have now re-added script-suggest based on the latest head, which had
changed quite a bit with the additions of force and script-args-file. I
also fixed the issue where the suggestions weren't run if no script was
selected. Quite a few files are modified (mostly minor), most work is in
nse_main.lua. I had to refactor it a bit in order to first load normal
scripts, then load "suggestable" scripts in a second batch, which meant
separating the loader into a separate function.

Example output:

nmap scanme.nmap.org --script-suggest "auth and not vuln" -p80

Starting Nmap 5.61TEST4 ( http://nmap.org ) at 2012-02-04 22:23 CET
Nmap scan report for scanme.nmap.org (74.207.244.221)
Host is up (0.19s latency).
PORT   STATE SERVICE
80/tcp open  http
| script-suggest:
|   citrix-brute-xml {intrusive,auth}
|   http-auth {default,auth,safe}
|   http-default-accounts {discovery,auth,safe}
|   http-domino-enum-passwords {intrusive,auth}
|_  http-userdir-enum {auth,intrusive}
 
I consider this feature finished, but would like some more eyes on it,
especially where I've touched the nse core stuff. Hoping to make this
stuff my first commit :)

Attached the svn diff.

Regards,
Martin
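As an added example that is not part of Martin's patch or this thread: a small evaluator for the category expression that --script-suggest takes (the "auth and not vuln" above), run over a constructed subset of the suggestions quoted in the thread. It assumes Lua-style precedence (not binds tighter than and, which binds tighter than or) and matches categories only; real NSE selection expressions also accept script names and "all".

```python
"""Added illustration, not Martin's patch: evaluating --script-suggest category expressions."""
import re

# Constructed sample: a subset of the port-80 suggestions quoted in the thread.
PORT80_SCRIPTS = {
    "citrix-brute-xml": {"intrusive", "auth"},
    "http-auth": {"default", "auth", "safe"},
    "http-awstatstotals-exec": {"vuln", "intrusive", "exploit"},
    "http-default-accounts": {"discovery", "auth", "safe"},
    "http-headers": {"discovery", "safe"},
    "http-userdir-enum": {"auth", "intrusive"},
    "http-wordpress-enum": {"auth", "intrusive", "vuln"},
}

def matches(expr, categories):
    """Recursive-descent evaluator; precedence not > and > or, as in Lua."""
    tokens = re.findall(r"\(|\)|[\w.-]+", expr)  # words and parens; spaces dropped
    def parse_or():
        value = parse_and()
        while tokens[:1] == ["or"]:
            tokens.pop(0)
            value = parse_and() or value  # right side parsed first, so always consumed
        return value
    def parse_and():
        value = parse_not()
        while tokens[:1] == ["and"]:
            tokens.pop(0)
            value = parse_not() and value
        return value
    def parse_not():
        tok = tokens.pop(0) if tokens else None
        if tok == "not":
            return not parse_not()
        if tok == "(":
            value = parse_or()
            if (tokens.pop(0) if tokens else None) != ")":
                raise ValueError("missing ')'")
            return value
        if tok in (None, ")", "and", "or"):
            raise ValueError(f"unexpected token {tok!r}")
        return tok in categories  # a bare word tests for that category
    result = parse_or()
    if tokens:
        raise ValueError(f"trailing tokens: {tokens}")
    return result

def suggest(scripts, expr):
    """Names whose category set satisfies expr, sorted as nmap prints them."""
    return sorted(n for n, cats in scripts.items() if matches(expr, cats))
```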



On 12/02/2011 08:35 AM, Martin Holst Swende wrote:
On 11/28/2011 01:52 AM, David Fifield wrote:
On Sun, Nov 27, 2011 at 10:34:44PM +0000, Duarte Silva wrote:
The script option may be specified without arguments. So if you could take it
as an example I guess it would make your life easier ;)
--script requires an argument. You may be thinking of -sC (which is
really the short option -s taking the argument "C" in disguise).

It's possible to have options that take optional arguments, but I don't
think we should because it works in a surprising way. It requires you to
use '=' instead of a space after the option.

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/

I now have it almost ready. This is the second attempt to send this, the first
mail was rejected (it was a bit too large).

Below is some sample output. I have some
problems getting the script engine to run if I don't simultaneously use a
real script. The nse_main loads just fine, but the correct
entry-point does not seem to load (either that, or there is no thread
created for it). Will look into it more, but if anyone has any pointers
that'd be great.

Attached are the modified files, so you can test it
yourselves. I added some stuff to nse_utility which I'm sure could use
an extra pair of eyes. Other than that, the largest modifications are in
nse_main, but most of it comes from me having to break up a function in
order to reuse it for both script- and script-suggest rules.
Oh, and the old force-stuff is in there as well, though I haven't done
anything more on that. I can provide separate patches later, but as I
said, this is mostly for testing and not commit-ready anyway.

It should work fine with at least r27295.

nmap scanme.nmap.org -p22,80,21,554,9929 --script http-title -sCS -d -v -n

PORT     STATE  SERVICE    REASON
21/tcp   closed ftp        conn-refused
22/tcp   open   ssh        syn-ack
| script-suggest:
|   banner {discovery,safe}
|   ssh-hostkey {safe,default,discovery}
|   ssh2-enum-algos {safe,discovery}
|   sshv1 {default,safe}
|_  unusual-port {safe}
80/tcp   open   http       syn-ack
|_http-title: Go ahead and ScanMe!
| script-suggest:
|   banner {discovery,safe}
|   citrix-brute-xml {intrusive,auth}
|   citrix-enum-apps-xml {discovery,safe}
|   citrix-enum-servers-xml {discovery,safe}
|   http-affiliate-id {safe,discovery}
|   http-auth {default,auth,safe}
|   http-awstatstotals-exec {vuln,intrusive,exploit}
|   http-axis2-dir-traversal {vuln,intrusive,exploit}
|   http-brute {intrusive,brute}
|   http-cakephp-version {discovery,safe}
|   http-cors {default,discovery,safe}
|   http-date {discovery,safe}
|   http-default-accounts {discovery,auth,safe}
|   http-enum {discovery,intrusive,vuln}
|   http-favicon {default,discovery,safe}
|   http-form-brute {intrusive,brute}
|   http-google-malware {malware,discovery,safe,external}
|   http-headers {discovery,safe}
|   http-iis-webdav-vuln {vuln,intrusive}
|   http-joomla-brute {intrusive,brute}
|   http-litespeed-sourcecode-download {vuln,intrusive,exploit}
|   http-majordomo2-dir-traversal {intrusive,vuln,exploit}
|   http-malware-host {malware,safe}
|   http-method-tamper {safe,auth}
|   http-methods {default,safe}
|   http-passwd {intrusive,vuln}
|   http-php-version {discovery,safe}
|   http-put {discovery,intrusive}
|   http-robots.txt {default,discovery,safe}
|   http-trace {vuln,discovery,safe}
|   http-userdir-enum {auth,intrusive}
|   http-vhosts {discovery,intrusive}
|   http-vmware-path-vuln {vuln,safe}
|   http-vuln-cve2011-3192 {vuln,safe}
|   http-vuln-cve2011-3368 {intrusive,vuln}
|   http-waf-detect {discovery,intrusive}
|   http-wordpress-brute {intrusive,brute}
|   http-wordpress-enum {auth,intrusive,vuln}
|   http-wordpress-plugins {discovery,intrusive}
|   sql-injection {intrusive,vuln}
|_  unusual-port {safe}
554/tcp  closed rtsp       conn-refused
9929/tcp open   nping-echo syn-ack
| script-suggest:
|   banner {discovery,safe}
|   nping-brute {brute,intrusive}
|_  unusual-port {safe}

command.go.*.lua=/home/martin/tools/nmap2/nmap scanme.nmap.org
-p22,80,21,554,9929 --script http-title --script-suggest "intrusive or
vuln"-d -v -n

PORT     STATE  SERVICE
21/tcp   closed ftp
22/tcp   open   ssh
80/tcp   open   http
|_http-title: Go ahead and ScanMe!
| script-suggest:
|   citrix-brute-xml {intrusive,auth}
|   http-awstatstotals-exec {vuln,intrusive,exploit}
|   http-axis2-dir-traversal {vuln,intrusive,exploit}
|   http-brute {intrusive,brute}
|   http-enum {discovery,intrusive,vuln}
|   http-form-brute {intrusive,brute}
|   http-iis-webdav-vuln {vuln,intrusive}
|   http-joomla-brute {intrusive,brute}
|   http-litespeed-sourcecode-download {vuln,intrusive,exploit}
|   http-majordomo2-dir-traversal {intrusive,vuln,exploit}
|   http-passwd {intrusive,vuln}
|   http-put {discovery,intrusive}
|   http-userdir-enum {auth,intrusive}
|   http-vhosts {discovery,intrusive}
|   http-vuln-cve2011-3368 {intrusive,vuln}
|   http-waf-detect {discovery,intrusive}
|   http-wordpress-brute {intrusive,brute}
|   http-wordpress-enum {auth,intrusive,vuln}
|   http-wordpress-plugins {discovery,intrusive}
|_  sql-injection {intrusive,vuln}
554/tcp  closed rtsp
9929/tcp open   nping-echo
| script-suggest:
|_  nping-brute {brute,intrusive}


Attachment: svndiff.txt