Nmap Development mailing list archives
Re: [RFC] Default NSE Scripts
From: Kris Katterjohn <katterjohn () gmail com>
Date: Sat, 10 May 2008 17:02:06 -0500
Hey Jah, thanks for the detailed comments!

jah wrote:
> On 09/05/2008 23:17, Kris Katterjohn wrote:
>> Instead of NSE running "safe" and "intrusive" scripts by default, I'm creating a "default" category for this purpose. This is important because there are some safe and intrusive scripts that you wouldn't want run by default (e.g. an obscure safe script or a slow intrusive script).
> Definitely a good idea, but your list for Default includes scripts that were never in Safe or Intrusive to begin with so I assume you're looking at any script for possible inclusion in the default category. (Also,
That's my plan. It shouldn't matter which category it is in as long as it is "good enough" to be in default (I'll try to discuss this in more detail below).
> UPnP-info seems to have gone AWOL).
D'oh! Indeed it has. Sorry about that!
>> 1) Quick
> How to measure this? The only script I would call slow is bruteTelnet which is "Vulnerability".
I suppose I should've just said "not slow" rather than the even less precise "quick". Since this is all subjective, I would say that if a script takes a very noticeably longer time than other "quick" scripts then it probably shouldn't be in default, or if a script has a noticeable effect on the overall scan's time.
>> 2) Generally Useful
> I reckon this is pretty subjective and I'd argue that it depends on the purpose of a given scan and the environment of the target.
Well, by "generally useful" I mean that quite a bit of people will find it useful. It produces interesting output for a protocol/service that's not obscure so that it is /generally/ useful. Take SNMPsysdescr, for example. It won't run on /every/ scan, but when it does run it produces (what I think to be) interesting output. SNMP is an example of a protocol that a lot of people recognize and will be interested in.
>> 3) Not too intrusive
> How to measure this? It could be "the likelihood of being logged" is a good measure, but that would be somewhat dependent on the target environment. Brute forcing is obviously very intrusive because it's likely to be logged and there's multiple events from the same source in a short space of time, but otherwise, what constitutes "too intrusive"?
I would say anything that can be perceived as truly unlawful, seen as a "real hacking attempt", does an excessive amount of probing, etc. Good examples are bruteTelnet and SQLInject. Unfortunately, these three are all subjective. Especially #2.
>> Default:
>> * dns-test-open-recursion - Is this useful enough?
> This is sometimes very useful, but is recursion found often enough to warrant running what is, I think, an intrusive script?
Good question. I actually meant to ask "Is this useful often enough" because I don't know how frequent it is.
>> * finger
> Isn't finger a bit obscure now?
It is, but I see finger running often enough that I think it's a good default (though it's not terribly popular either).
>> * HTTPAuth - Is this too intrusive?
> It is intrusive, but it's always been run by default in the past, so why not? But then again, it's not very often that it finds such weak security, so what's the point?
Well, it does print more information than just possible successful logins. One useful thing is that it tells that the server actually requires authentication, and also things like the authentication type.
>> * ripeQuery
> This is a safe script with regard to the target, but RIPE might think it less so. Especially as it would query RIPE for every target regardless of whether the target is in RIPE's allocation. I think it should stay in discovery.
This is a script I kept switching between the lists. I think you may be right in that it's not default material. Anybody else want to chime in on this one?
> + UPnP-info
I think so too.
>> Not Default:
>> * HTTPpasswd - A bit too intrusive and probably not useful enough
> I can't see that there's much difference between this and HTTPAuth in terms of usefulness and intrusiveness.
Again, HTTPAuth does print more than information obtained from intrusiveness.
>> * mswindowsShell - "backdoor"
> My vote is to ditch it too.
Done.
>> * SMTPcommands - I want this to be default, but it usually has a lot of output
> This is currently run by default and I don't think the quantity of output should be grounds for omission if it's perceived to be useful.
Good point, but I just don't think that a default script should produce a large amount of output like this one tends to. Does anyone have an opinion on this?
>> * SSLv2-support - Produces quite a bit of output, and doesn't seem useful enough for default
> I think this is quite useful and should remain default, but agree that the output is often more than required - perhaps it could be improved with nmap.verbosity().
I think that with an nmap.verbosity() change it may be good for default.
>> * zoneTrans - Just doesn't seem like default material IMO
> I think the argument for this is similar to the one for dns-test-open-recursion.
I don't know from experience, but looking at Wikipedia makes me think that it's not frequent enough.
> Now in principle, I think it's a good idea to revisit the scripts that run by default, but perhaps some firm decision should be made about the level of intrusiveness permitted in a default scan, offset by the possible benefits. In order to do that, there'd have to be some method for measuring levels of intrusiveness. Not that I'm knocking the effort being made in this regard, not at all, but I think it's kind of skimming over a topic that probably needs looking at more deeply. I think a complete review of the Category system is due and I'd like to see some kind of Metrics system applied to scripts so that they can be selected based on degrees of intrusiveness and on degrees of usefulness. Usefulness is rather too subjective, so perhaps benefits should be measured in probabilities of revealing meaningful information. If we could construct a method whereby a user can select scripts based on degrees of various attributes they might themselves be able to decide upon the usefulness of a script or how intrusive/fast/deep they're willing to be.
Interesting! :)
> Best,
> jah
Thanks,
Kris Katterjohn