Nmap Development mailing list archives

Re: [RFC] smb-check-vulns port to nse vulns lib


From: Daniel Miller <bonsaiviking () gmail com>
Date: Thu, 25 Jun 2015 07:51:31 -0500

Andrew,


A single script can have multiple vuln tables, and return them all in a
single report. However, I would not choose to do that for this script.

A few days ago, I added an enhancement request #171, "Split smb-check-vulns
into separate smb-vuln-msXX-XXX.nse scripts". This would allow users to
check for specific issues by name, not by "danger" or "safety" of the
check. We can use categories to control which checks are run: safe,
intrusive, and dos are relevant to this sort of check. For the Conficker
infection check, we can use the malware category, too.

Dan

On Thu, Jun 25, 2015 at 7:19 AM, Andrew Jason Farabee <afarabee () uci edu>
wrote:

I'm currently trying to finish up porting old vulnerability scripts to
the vulns library for issue 147
(https://github.com/nmap/nmap/issues/147), but I've run into some
issues porting smb-check-vulns.nse:

 * The script has 8 different states (which can also be "likely
[STATE]" or "not [STATE]") that aren't exactly represented by
vulns.STATE. For this I am thinking of treating (VULNERABLE, INFECTED,
INFECTED2) as VULN and (CLEAN, PATCHED, UNKNOWN, NOTRUN, NOTUP) as
NOT_VULN.

 * The vulns table can only handle one vulns.STATE for the entire
script (or some combination of the possible options VULN, NOT_VULN,
LIKELY_VULN, EXPLOIT, DoS).  My idea is to have vuln.state = VULN if
any check results in a state similar to VULN, vuln.state = LIKELY_VULN
if no check is equivalent to VULN with at least one check containing
"likely", and NOT_VULN if all checks are equivalent to NOT_VULN.

 * Since the multiple checks produce multiple results, this
information would have to be stored somewhere. For each of these
checks I was planning on using extra_info in the vuln table to store
what is currently being inserted into response (e.g. "NO SERVICE", "the
Ras RPC service is inactive"). One issue with this is that the output
of skipped checks or NOT_VULN checks will be displayed when they
otherwise shouldn't be.  It is possible to overcome this by checking
that nmap.debugging() > 1 before inserting check results into the
vuln.extra_info table.

If all this sounds right I'm going to finish up using the methods
described above, but please stop me if I'm handling this wrong.

Thanks a lot!
Andrew
_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/

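An added illustration of the mapping Andrew proposes above, written as a stand-alone NSE fragment against the vulns library API. This is not code from the thread or from the nmap tree: the eight numeric state constants are the ones smb-check-vulns.nse defines, but the `results` table, its `modifier` field (carrying the "likely"/"not" prefix), the check names and the response strings are constructed sample data; a real script would fill them from its own check functions.

```lua
-- Added example, not from the thread or from nmap: fold the eight
-- smb-check-vulns states into one vulns.STATE and gate noisy output.
local nmap      = require "nmap"
local shortport = require "shortport"
local vulns     = require "vulns"

-- The per-check state constants used by smb-check-vulns.nse.
local VULNERABLE, PATCHED, UNKNOWN, NOTRUN = 1, 2, 3, 4
local INFECTED, INFECTED2, CLEAN, NOTUP   = 5, 6, 7, 8

-- Map one check's state (plus an optional "likely"/"not" modifier) onto
-- vulns.STATE. The modifier field is an assumption of this example; the
-- real script encodes that prefix in its output strings.
local function to_vulns_state(state, modifier)
  if modifier == "not" then
    return vulns.STATE.NOT_VULN
  end
  if state == VULNERABLE or state == INFECTED or state == INFECTED2 then
    if modifier == "likely" then
      return vulns.STATE.LIKELY_VULN
    end
    return vulns.STATE.VULN
  end
  -- CLEAN, PATCHED, UNKNOWN, NOTRUN, NOTUP
  return vulns.STATE.NOT_VULN
end

-- Reduce all checks to a single state: VULN wins over LIKELY_VULN,
-- which wins over NOT_VULN.
local function aggregate(results)
  local worst = vulns.STATE.NOT_VULN
  for _, r in ipairs(results) do
    local s = to_vulns_state(r.state, r.modifier)
    if s == vulns.STATE.VULN then
      return vulns.STATE.VULN
    elseif s == vulns.STATE.LIKELY_VULN then
      worst = vulns.STATE.LIKELY_VULN
    end
  end
  return worst
end

-- Build the vuln table. Skipped and NOT_VULN results only reach
-- extra_info when nmap runs with -dd or higher, so a clean host stays
-- quiet at the default debug level.
local function build_vuln(results)
  local lines = {}
  for _, r in ipairs(results) do
    local s = to_vulns_state(r.state, r.modifier)
    if s ~= vulns.STATE.NOT_VULN or nmap.debugging() > 1 then
      lines[#lines + 1] = string.format("%s: %s", r.name, r.response)
    end
  end
  local vuln = {
    title = "SMB vulnerability checks (aggregated)",
    state = aggregate(results),
  }
  if #lines > 0 then
    vuln.extra_info = table.concat(lines, "\n")
  end
  return vuln
end

portrule = shortport.port_or_service({139, 445}, {"netbios-ssn", "microsoft-ds"})

action = function(host, port)
  -- Constructed sample results standing in for the real check functions.
  local results = {
    {name = "MS08-067", state = PATCHED, response = "PATCHED"},
    {name = "MS06-025", state = NOTRUN,
     response = "NO SERVICE (the Ras RPC service is inactive)"},
    {name = "Conficker", state = INFECTED, modifier = "likely",
     response = "Likely INFECTED"},
  }
  local report = vulns.Report:new(SCRIPT_NAME, host, port)
  return report:make_output(build_vuln(results))
end
```

With the sample data the aggregate state is LIKELY_VULN and only the Conficker line appears in extra_info at the default debug level; running nmap with -dd (nmap.debugging() returning 2) also shows the PATCHED and NO SERVICE lines.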