Nmap Development mailing list archives

Re: Full nmap command line injection in output files


From: Daniel Miller <bonsaiviking () gmail com>
Date: Mon, 5 Jan 2015 21:44:27 -0600

Olivier,

This is a good suggestion, but there is a workaround for the specific case
you mentioned: NSE script arguments can be provided in a separate file with
the --script-args-file option. This was added in Nmap 5.61TEST5 (March
2012) for keeping credentials off the command line.

We are not likely to implement an extra option to remove this information
from the output, since Nmap already has a great number of options and
editing the file is a good enough solution for many people. I suggest that
you update to the latest version of Nmap and use the --script-args-file
option. Thanks for your suggestion, and happy hacking!

Dan

On Fri, Jan 2, 2015 at 5:23 AM, Olivier Hupond <Olivier.Hupond () agessi fr>
wrote:

Hi,

Using nmap (5.21) to make automatic scans to identify network changes, I
would like to mask/remove the injection of the full nmap command line in
any output files generated.

As the command might use logon information (in NSE script args), it is
not secure to do so, almost if files are computed by other programs or
scripts (or users…).

I did some searching but couldn't find any thread about this. I think it's
not possible, and it might be a good evolution for further versions.

Best regards,


---

Olivier Hupond

AGESSI - Administration et Gestion des Systèmes d'Information

Technopôle Brest Iroise / 65 place Nicolas COPERNIC / 29280 PLOUZANÉ Tél
: +33 (0)2 98 05 10 00 - Fax +33 (0)2 98 05 12 13 - www.agessi.fr



_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
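
The reply above mentions editing the output file as an alternative to --script-args-file. As an added example (not part of either message and not Nmap code), this Python sketch blanks the recorded command line in -oN, -oG and -oX output. It assumes the usual "scan initiated ... as:" header line and the args attribute of the nmaprun element; the sample output and credentials are constructed.

```python
import re
import sys

REDACTED = "[command line removed]"

# -oN/-oG header "# Nmap <ver> scan initiated <date> as: <cmd>", and the
# same text wrapped in an XML comment at the top of -oX output.
_HEADER = re.compile(
    r"^((?:# |<!-- )Nmap \S+ scan initiated .*? as: ).*?( -->)?$", re.M)
# args="..." attribute of the <nmaprun> root element in -oX output.
_XML_ARGS = re.compile(r'(<nmaprun\b[^>]*?\sargs=")[^"]*(")')


def redact_command_line(text):
    """Return Nmap output text with the recorded command line blanked."""
    text = _HEADER.sub(
        lambda m: m.group(1) + REDACTED + (m.group(2) or ""), text)
    return _XML_ARGS.sub(lambda m: m.group(1) + REDACTED + m.group(2), text)


# Constructed sample output (not from a real scan); credentials are made up.
SAMPLE_CMD = ("nmap -p445 --script smb-enum-shares --script-args "
              "smbusername=scanner,smbpassword=Example-Pass-1 192.0.2.10")
SAMPLE_NORMAL = (
    "# Nmap 6.47 scan initiated Mon Jan  5 21:44:27 2015 as: "
    + SAMPLE_CMD + "\n"
    "Nmap scan report for 192.0.2.10\n"
    "445/tcp open  microsoft-ds\n"
)
SAMPLE_XML = (
    '<?xml version="1.0"?>\n'
    "<!-- Nmap 6.47 scan initiated Mon Jan  5 21:44:27 2015 as: "
    + SAMPLE_CMD + " -->\n"
    '<nmaprun scanner="nmap" args="' + SAMPLE_CMD
    + '" start="1420515867" version="6.47">\n'
    "</nmaprun>\n"
)

if __name__ == "__main__":
    # Rewrite each output file named on the command line in place.
    for path in sys.argv[1:]:
        with open(path, encoding="utf-8") as fh:
            cleaned = redact_command_line(fh.read())
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(cleaned)
```

Run it on the output files before other programs or users read them; the scan results themselves are left untouched.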
