Nmap Development mailing list archives
Re: [RFC] smb-check-vulns port to nse vulns lib
From: Daniel Miller <bonsaiviking () gmail com>
Date: Thu, 25 Jun 2015 07:51:31 -0500
Andrew,

A single script can have multiple vuln tables, and return them all in a single report. However, I would not choose to do that for this script. A few days ago, I added an enhancement request #171, "Split smb-check-vulns into separate smb-vuln-msXX-XXX.nse scripts". This would allow users to check for specific issues by name, not by "danger" or "safety" of the check. We can use categories to control which checks are run: safe, intrusive, and dos are relevant to this sort of check. For the Conficker infection check, we can use the malware category, too.

Dan

On Thu, Jun 25, 2015 at 7:19 AM, Andrew Jason Farabee <afarabee () uci edu> wrote:
I'm currently trying to finish up porting old vulnerability scripts to the vulns library for issue 147 (https://github.com/nmap/nmap/issues/147), but I've run into some issues porting smb-check-vulns.nse:

* The script has 8 different states (which can also be "likely [STATE]" or "not [STATE]") that aren't exactly represented by vulns.STATE. For this I am thinking of treating (VULNERABLE, INFECTED, INFECTED2) as VULN and (CLEAN, PATCHED, UNKNOWN, NOTRUN, NOTUP) as NOT_VULN.

* The vulns table can only handle one vulns.STATE for the entire script (or some combination of the possible options VULN, NOT_VULN, LIKELY_VULN, EXPLOIT, DoS). My idea is to have vuln.state = VULN if any check results in a state similar to VULN, vuln.state = LIKELY_VULN if no check is equivalent to VULN with at least one check containing "likely", and NOT_VULN if all checks are equivalent to NOT_VULN.

* Since the multiple checks produce multiple results, this information would have to be stored somewhere. For each of these checks I was planning on using extra_info in the vuln table to store what is currently being inserted into response (e.g. "NO SERVICE", "the Ras RPC service is inactive"). One issue with this is that the output of skipped checks or NOT_VULN checks will be displayed when they otherwise shouldn't be. It is possible to overcome this by checking that nmap.debugging() > 1 before inserting check results into the vuln.extra_info table.

If all this sounds right I'm going to finish up using the methods described above, but please stop me if I'm handling this wrong.

Thanks a lot!
Andrew

_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
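An added example, not code from this thread or from Nmap, of the state folding Andrew describes, written in the Lua that NSE scripts use: the result-string formats, the `debug_level` parameter (standing in for `nmap.debugging()`) and the sample checks are assumptions constructed for illustration.

```lua
-- Added example: fold smb-check-vulns style per-check results into one
-- vulns-library state. Runs under plain Lua; inside an NSE script the
-- returned name would be looked up as vulns.STATE[name] and debug_level
-- would come from nmap.debugging().

-- Original script states that the proposed mapping treats as vulnerable;
-- everything else (CLEAN, PATCHED, UNKNOWN, NOTRUN, NOTUP) maps to NOT_VULN.
local VULN_LIKE = { VULNERABLE = true, INFECTED = true, INFECTED2 = true }

-- Classify a result such as "VULNERABLE", "likely INFECTED" or
-- "not VULNERABLE" (assumed formats: optional lowercase modifier, then the
-- uppercase state) into "VULN", "LIKELY_VULN" or "NOT_VULN".
local function classify(result)
  local modifier, base = result:match("^(%l*)%s*(%u[%u%d]*)$")
  if not base or not VULN_LIKE[base] or modifier == "not" then
    return "NOT_VULN"
  elseif modifier == "likely" then
    return "LIKELY_VULN"
  end
  return "VULN"
end

-- checks: list of { name=..., result=..., detail=... } tables.
-- Returns the overall state name plus the extra_info lines to report:
-- VULN if any check is VULN, else LIKELY_VULN if any is likely, else
-- NOT_VULN. Output of NOT_VULN (skipped or clean) checks is kept only
-- when debug_level > 1, as the message proposes.
local function fold_checks(checks, debug_level)
  local overall, extra_info = "NOT_VULN", {}
  for _, check in ipairs(checks) do
    local state = classify(check.result)
    if state == "VULN" then
      overall = "VULN"
    elseif state == "LIKELY_VULN" and overall ~= "VULN" then
      overall = "LIKELY_VULN"
    end
    if state ~= "NOT_VULN" or debug_level > 1 then
      extra_info[#extra_info + 1] =
        string.format("%s: %s (%s)", check.name, check.result, check.detail)
    end
  end
  return overall, extra_info
end

-- Constructed sample: one "likely" hit, one clean check, one skipped check.
local sample = {
  { name = "check-a", result = "likely VULNERABLE", detail = "RPC probe" },
  { name = "check-b", result = "CLEAN",             detail = "no infection" },
  { name = "check-c", result = "NOTRUN",            detail = "NO SERVICE" },
}
local state, info = fold_checks(sample, 0)   -- only the likely hit is kept
print(state, #info)
state, info = fold_checks(sample, 2)         -- all three lines are kept
print(state, #info)
```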