Nmap Development mailing list archives

[NSE] Vulnerability lib article - bug fixes


From: Djalal Harouni <tixxdz () opendz org>
Date: Fri, 18 Jan 2013 01:31:33 +0100

Hi list,

There is this nice article written by iphelix which covers the 'vulns'
library plus some other Nmap and NSE tricks, check it yourself:
http://www.thesprawl.org/research/writing-nse-scripts-for-vulnerability-scanning/#vulnerability-management


In the same record iphelix reported a bug in the 'vulns' library, I'm
pasting the discussion with the patch. Thanks iphelix for the report.


On Thu, Jan 17, 2013 at 9:12 AM, Djalal Harouni <tixxdz () opendz org> wrote:
Hi iphelix,

Please see below

On Fri, Jan 11, 2013 at 01:42:43AM -0800, iphelix wrote:
Hi Djalal,
[...]
I have a quick question regarding the information available to
postrule_action function like this one:

    -- Library handles used below; in a complete script they are required
    -- at the top of the file (they are not part of this fragment):
    --   local stdnse = require "stdnse"
    --   local vulns  = require "vulns"
    -- FID is the filter id the script obtained earlier from
    -- vulns.save_reports() (also not shown in this fragment).
    postrule_action = function()

      -- every vulnerability entry registered under this filter id
      local list = vulns.find(FID, {})
      if list then
        local out = {}
        for _, vuln_table in ipairs(list) do

          -- human-readable state ("VULNERABLE", "NOT VULNERABLE", ...)
          local state = vulns.STATE_MSG[vuln_table.state]
          local ip = vuln_table.host.ip
          local port = vuln_table.port.number
          table.insert(out, string.format("%s - %d - %s", ip, port, state))

        end
        return stdnse.format_output(true, out)
      end
    end

The above script will show IP:PORT:VULN_STATE for scanned hosts.
The issue (or a user error) that I ran into is the case where the
vulnerability is present on multiple ports (e.g. ports 80 and 443).
It looks like the above script is only reporting on the first instance
based on the port output and does not store the second instance on a
different port.
So thank you for all this explanation!


Let's say a vulnerability was found both on ports 80 and 443. So the
output would be:

Post-scan script results:
| vulns-post-process:
|   IP1 - 80 - VULNERABLE
|_  IP2 - 80 - VULNERABLE

and not

Post-scan script results:
| vulns-post-process:
|   IP1 - 80 - VULNERABLE
|   IP1 - 443 - VULNERABLE
|   IP2 - 80 - VULNERABLE
|_  IP2 - 443 - VULNERABLE

Is this expected based on the data structure inside nmap.registry?
Any thoughts on preserving port information?
Yes, we were just making the host vulnerable to that entry...
and you are right not just about port information, we also need
a new vulnerability information since it may differ between ports 80
and 443 ...


I've attached a patch, can you please try it, it should handle all the
variants, and we make a new entry for each
{host_ip/host_name:port_number}


Thanks,
   -Peter
Thanks Peter


-- 
tixxdz
http://opendz.org

Attachment: nmap-nse-vulns.lua.patch
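To make the keying difference discussed in the thread concrete, here is a stand-alone Lua 5.3 illustration added to this archive page. It is not code from the thread, from the attached patch or from Nmap's vulns library; it only models the behaviour described above: a report store keyed per host, where a second port on the same host is dropped, next to one keyed per {host_ip:port_number} as the patch introduces. The findings, the STATE_MSG table and all function names are constructed for the example and run with a plain lua interpreter, outside Nmap.

```lua
-- Added illustration, not code from the thread or from Nmap's vulns library.
-- Models two ways a post-scan report store can be keyed: per host (a second
-- port on the same host is dropped) versus per host:port (every pair kept).
-- Plain Lua 5.3, no Nmap dependencies; all names and data are constructed.

local STATE_MSG = { VULN = "VULNERABLE", NOT_VULN = "NOT VULNERABLE" }

-- Constructed findings: the same vulnerability seen on 80 and 443 of two hosts,
-- shaped like the vuln_table fields the postrule_action above reads.
local findings = {
  { host = { ip = "10.0.0.1" }, port = { number = 80,  protocol = "tcp" }, state = "VULN" },
  { host = { ip = "10.0.0.1" }, port = { number = 443, protocol = "tcp" }, state = "VULN" },
  { host = { ip = "10.0.0.2" }, port = { number = 80,  protocol = "tcp" }, state = "VULN" },
  { host = { ip = "10.0.0.2" }, port = { number = 443, protocol = "tcp" }, state = "VULN" },
}

-- Keyed per host: the first report for a host wins and a later port on the
-- same host is silently dropped, which is the collapse iphelix observed.
local function store_per_host(store, vuln)
  local key = vuln.host.ip
  if not store[key] then store[key] = vuln end
end

-- Keyed per host and port: each {host_ip:port_number} pair keeps its own
-- entry, so the 443 finding no longer disappears behind the 80 one.
local function store_per_host_port(store, vuln)
  local key = string.format("%s:%d/%s", vuln.host.ip, vuln.port.number,
                            vuln.port.protocol)
  if not store[key] then store[key] = vuln end
end

-- Fill a store with the constructed findings, then render its entries in the
-- "IP - PORT - STATE" form used by the postrule_action above, sorted by
-- host then port so the output is deterministic.
local function report(store_fn)
  local store = {}
  for _, v in ipairs(findings) do store_fn(store, v) end

  local entries = {}
  for _, v in pairs(store) do entries[#entries + 1] = v end
  table.sort(entries, function(a, b)
    if a.host.ip ~= b.host.ip then return a.host.ip < b.host.ip end
    return a.port.number < b.port.number
  end)

  local out = {}
  for _, v in ipairs(entries) do
    out[#out + 1] = string.format("%s - %d - %s", v.host.ip, v.port.number,
                                  STATE_MSG[v.state])
  end
  return out
end

print("keyed per host (pre-patch behaviour):")
for _, line in ipairs(report(store_per_host)) do print("  " .. line) end
print("keyed per host:port (patched behaviour):")
for _, line in ipairs(report(store_per_host_port)) do print("  " .. line) end
```

The per-host run yields one line per host, both on port 80, while the per-host:port run yields all four host/port lines. The example also demonstrates why Djalal's remark about needing separate vulnerability information per port matters: with one entry per host:port key, the 80 and 443 entries can carry different details rather than sharing one table.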

_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
