Nmap Development mailing list archives

Re: adding info for scripts not able to run/etc?


From: Daniel Miller <bonsaiviking () gmail com>
Date: Thu, 24 Dec 2015 14:46:33 -0600

Mike,

This is an interesting idea. With a little development, I think it could be
a useful feature. There are several points at which the script selection
changes, which may warrant additional output.

First, scripts are loaded based on the combination of -sC, -sV, and
--script <expression> that the user passes to Nmap. This is the number that
is reported in Nmap's verbose output as "NSE: Loaded 108 scripts for
scanning." This is the upper limit of all possible scripts that might run.

Next, different scripts run in different phases based on the rule function
[1]. So when Nmap outputs "NSE: Script Pre-scanning.", any selected scripts
that have a "prerule" will have that rule tested. If a phase is not
executed (for instance, if no hosts are up then the script scanning phase
for hostrule and portrule scripts will not happen) then some scripts may be
bypassed here. One output option would be to print the result of each
script's rule function, though that will happen for every open port on
every host in the most common case of a portrule script. Usually, if a
script's rule fails because of user error (insufficient privileges, missing
script-args, etc) then the rule function will print output to the verbose
output stream (not a script result).

Next, any scripts whose rule function returns true will have their action
function called. At debug level 1, Nmap outputs a statement for every
script that reaches this phase: "NSE: Starting address-info against
scanme.nmap.org (45.33.32.156)." If this function returns nil, there will
be no script output. Some scripts choose to return an error string as
output at higher verbose levels, but this is non-ideal: mixing results with
errors.

I think that rather than the engine itself printing info about which
scripts run (which it already does to a certain extent) a more useful
feature would be some sort of structured error that could be returned when
the script determines no useful output can be produced.

Dan

[1] https://nmap.org/book/nse-tutorial.html#the-rule
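As an added illustration of the three checkpoints described above (the "Loaded N scripts" line at -v, the "Starting <script> against <target>" line at -d once a rule returns true, and the "| <script>:" result block that only appears when the action returns something), here is a small post-processor that reconstructs the kind of summary Mike asks for from output Nmap already prints. This is example code written for this thread, not part of Nmap; the sample output it runs on is constructed by hand, and the script names in it are only used to show the counting.

```python
"""Reconstruct a 'loaded / rule passed / produced output' summary for NSE
scripts from Nmap's own verbose (-v) and debug (-d) output.

Hypothetical post-processor written for this thread; not part of Nmap.
It keys off lines the engine already prints:
  "NSE: Loaded N scripts for scanning."      (verbose, -v)
  "NSE: Starting <script> against <target>." (debug -d, action called)
and off the "| <script>:" / "|_<script>:" line that begins a result block.
"""
import re
from collections import defaultdict

LOADED_RE = re.compile(r"^NSE: Loaded (\d+) scripts? for scanning\.")
STARTING_RE = re.compile(r"^NSE: Starting (\S+) against (.*?)\.?$")
# First line of a script result block: "| name:" or "|_name:". Exactly one
# character sits between the bar and the name, so continuation lines such
# as "|   key: value" do not match.
RESULT_RE = re.compile(r"^\|[ _](\S+?):")


def summarize_nse(lines):
    """Return a dict describing which scripts ran and which produced output."""
    loaded = 0
    started = defaultdict(set)   # script id -> targets whose rule passed
    produced = set()             # script ids with at least one result block
    for raw in lines:
        line = raw.rstrip("\n")
        m = LOADED_RE.match(line)
        if m:
            loaded = int(m.group(1))
            continue
        m = STARTING_RE.match(line)
        if m:
            started[m.group(1)].add(m.group(2))
            continue
        m = RESULT_RE.match(line)
        if m:
            produced.add(m.group(1))
    seen = set(started) | produced
    return {
        "loaded": loaded,
        "rule_passed": sorted(started),
        "produced_output": sorted(produced),
        # action was called (rule true) but returned nil: no result block
        "silent": {name: sorted(started[name]) for name in sorted(set(started) - produced)},
        # loaded but never reached the action: rule false or phase skipped
        "never_started": max(loaded - len(seen), 0),
    }


def format_summary(summary):
    """One-line report in the shape Mike sketched, plus per-script detail."""
    s = summary
    head = (f"{s['loaded']} scripts loaded. {len(s['produced_output'])} produced "
            f"output, {len(s['silent'])} ran but returned nothing, "
            f"{s['never_started']} never had their action called.")
    detail = [f"  no output: {name} (against {', '.join(targets)})"
              for name, targets in s["silent"].items()]
    return "\n".join([head, *detail])


# Constructed sample in the style of "nmap -sU -p 161 -v -d --script
# 'snmp* and not brute'" against one host (documentation address 192.0.2.10).
# It is not a real capture; the line formats follow the ones quoted above.
SAMPLE_OUTPUT = """\
NSE: Loaded 11 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 1) scan.
NSE: Starting snmp-info against 192.0.2.10:161.
NSE: Starting snmp-interfaces against 192.0.2.10:161.
NSE: Starting snmp-netstat against 192.0.2.10:161.
NSE: Starting snmp-processes against 192.0.2.10:161.
NSE: Starting snmp-sysdescr against 192.0.2.10:161.
PORT    STATE SERVICE
161/udp open  snmp
| snmp-info:
|   enterprise: net-snmp
|   engineIDFormat: unknown
|_  snmpEngineTime: 3d04h12m05s
|_snmp-sysdescr: Linux host 4.4.0 x86_64
"""

if __name__ == "__main__":
    print(format_summary(summarize_nse(SAMPLE_OUTPUT.splitlines())))
```

The "never_started" figure is only meaningful when the scan was run with -d, because without the "Starting" lines the post-processor cannot tell a script whose rule returned false from one whose action returned nil; this is exactly the distinction a structured error returned by the script itself would make visible without debug output.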

On Wed, Dec 23, 2015 at 8:56 AM, Mike . <dmciscobgp () hotmail com> wrote:

hello and happy holidays first off!


so maybe this is confusing but hear me out. when i run a set of scripts,
let's take the snmp protocol, for example. if i run "script=snmp* and not brute",
i think that loads 11 scripts. going off memory here. so when i find a
target, i run those scripts and i might get 3 back, maybe 4, that ran
successfully with output. usually INFO, HH3?, maybe 1 other. my point is,
for whatever reason, whether it be a protocol version issue or
non-authentication, etc...you get no indication the other scripts were run,
unless you did a packet/script trace (even then the output is raw and you
wouldn't understand it). am i missing something i am not aware of as to how
we can show what scripts were run and what were not and a reason why? maybe
i am the only one that thinks this should be included and if that is the
case, i digress


thanks

Mike


* example: " 11 scripts loaded. 3 ran successfully, 8 did not due to no
returned data,etc


something like that

_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
