Nmap Development mailing list archives
Re: [Patch] Intensity for NSE version scripts
From: Daniel Miller <bonsaiviking () gmail com>
Date: Tue, 29 Jul 2014 22:50:11 -0500
Jay, This patch (method 1) looks ok to commit for me. If I had to recommend any changes, I'd replace the lua_isnumber and lua_tointeger calls with a single lua_tointegerx call. I also think it would be cleaner to put the bounds checking for script_intensity inside the "if (is_script_intensity_set)" conditional. You'll also need to add some documentation for the nmap.version_intensity function in nselib/nmap.luadoc. Thanks again! Dan On Wed, Jul 16, 2014 at 7:08 AM, Jay Bosamiya <jaybosamiya () gmail com> wrote:
Hi All! I've been working on how to make NSE version scripts obey intensity (i.e. similar to --version-intensity used for normal Nmap service probes). Note: If the user specifies "script-intensity" in --script-args then that is used as intensity; otherwise, the value of --version-intensity is used. I've come up with 2 methods for this: Method 1: Using optional argument to shortport.version_port_or_service() The optional rarity variable defaults to 7 if unspecified. The script doesn't run when intensity < rarity. Method 2: Using rarity field This method involves adding a field (like author, license, dependencies etc.) to version scripts. This rarity field is an optional field that defaults to 7 if not specified. It does not let the script run if intensity < rarity. Both methods share a common function which give them a lot of flexibility. The function nmap.version_intensity() allows scripts to get the intensity without having to worry about whether it comes from script arg or from --version-intensity. Using this, complex rules can be designed which allow the script to run differently at different intensities. As for the benefits of each method: Method 1 is better since it involves no additional fields, but just a simple optional argument added. However, we need to ensure that all version scripts (when we take version script submissions) either use shortport.version_port_or_service() or have some test with nmap.version_intensity() in their portrule. In fact, we also need to modify the currently existing version scripts (i.e. just apply the attached version_script_mods.patch). Method 2 involves addition of the (optional) field but is better since we don't have to manually make sure that all version scripts have nmap.version_intensity() or shortport.version_port_or_service() in them. However, for complex portrules (i.e. those involving different tests at different intensities), we need to make sure that the rarity field is set to the lowest value among all intensities tested with (the example should make this clear). Both methods provide the same amount of flexibility to the script author since he/she could write something like: ``` -- Method 1 portrule = function(host, port) return ( ( (port.number == 80 and nmap.version_intensity() >= 3) or ((port.service == nil or port.service == "" or port.service == "unknown") and nmap.version_intensity() >= 8) ) and port.protocol == "tcp" and port.state == "open" and not(shortport.port_is_excluded(port.number,port.protocol)) end -- Method 2 portrule = function(host, port) return ( ( (port.number == 80 and nmap.version_intensity() >= 3) or ((port.service == nil or port.service == "" or port.service == "unknown") and nmap.version_intensity() >= 8) ) and port.protocol == "tcp" and port.state == "open" and not(shortport.port_is_excluded(port.number,port.protocol)) end rarity = 3 -- since 3 is the lowest among the two intensities (3 and 8 are tested) -- Method 2 Alternative (Shorter than above, but means the same) portrule = function(host, port) return ( ( port.number == 80 or ((port.service == nil or port.service == "" or port.service == "unknown") and nmap.version_intensity() >= 8) ) and port.protocol == "tcp" and port.state == "open" and not(shortport.port_is_excluded(port.number,port.protocol)) end rarity = 3 ``` I was unsure of which might be better even after discussing with my mentor. At one point of time, I was convinced that method 2 was good (and I coded it in), but on discussion with Dan and a lot of thinking, method 1 seemed to be good (and I thus coded that in). Currently, I find both to be flexible, as well as easy to use, and am unable to decide upon the best of the two; and hence am attaching both. Would love some feedback on this :) Cheers, Jay _______________________________________________ Sent through the dev mailing list http://nmap.org/mailman/listinfo/dev Archived at http://seclists.org/nmap-dev/
_______________________________________________ Sent through the dev mailing list http://nmap.org/mailman/listinfo/dev Archived at http://seclists.org/nmap-dev/
Current thread:
- [Patch] Intensity for NSE version scripts Jay Bosamiya (Jul 16)
- Re: [Patch] Intensity for NSE version scripts Patrick Donnelly (Jul 16)
- Re: [Patch] Intensity for NSE version scripts Daniel Miller (Jul 29)