Nmap Development mailing list archives

Re: "version" scripts running after successful version detection


From: Paulino Calderon <paulino () calderonpale com>
Date: Mon, 16 Jul 2012 20:17:26 -0500




-------- Original Message --------
Subject:        Re: "version" scripts running after successful version detection
Date:   Mon, 16 Jul 2012 20:15:54 -0500
From:   Paulino Calderon <paulino () calderonpale com>
To: David Fifield <david () bamsoftware com>, Nmap Dev <nmap-dev () insecure org>



On 16/07/2012 07:58 p.m., David Fifield wrote:
> I notice that the script http-huawei-hg5xx-vuln is running for every -sV
> scan that finds an HTTP port. It's adding things to HTTP logs that look
> like this:
>
> 127.0.0.1 - - [16/Jul/2012:17:52:18 -0700] "GET /nmaplowercheck1342486338 HTTP/1.1" 404 0 "" "Mozilla/5.0 (compatible; Nmap Scripting Engine; http://nmap.org/book/nse.html)"
> 127.0.0.1 - - [16/Jul/2012:17:52:18 -0700] "GET /Listadeparametros.html HTTP/1.1" 404 0 "" "Mozilla/5.0 (compatible; Nmap Scripting Engine; http://nmap.org/book/nse.html)"
>
> The script is running because it belongs to the "version" category. This
> is happening even when normal version scan finds a match. I had thought
> that NSE would not run "version" scripts for services that already have
> a match, but that appears not to be the case. The sample script at
> http://nmap.org/book/nse-vscan.html#nse-skypev2-script does this check
> in the portrule; are all scripts supposed to check in this way?
>
> In any event, it seems we shouldn't be running this script as often as
> it is being run.
>
> David Fifield
> _______________________________________________
> Sent through the nmap-dev mailing list
> http://cgi.insecure.org/mailman/listinfo/nmap-dev
> Archived at http://seclists.org/nmap-dev/

What fix do you guys suggest? I added it to the "version" category
because it provided additional firmware and software version
information. A possible solution is to remove it from that category
until we find a better approach for version scripts of "known" services.

Cheers!

--
Paulino Calderón Pale
Website: http://calderonpale.com
Twitter: http://twitter.com/calderpwn



