Nmap Development mailing list archives

Re: [RFC] Default NSE Scripts


From: Fyodor <fyodor () insecure org>
Date: Mon, 12 May 2008 12:57:12 -0700

On Fri, May 09, 2008 at 05:17:44PM -0500, Kris Katterjohn wrote:
> * SSLv2-support - Produces quite a bit of output, and doesn't seem
> useful enough for default

I decided to take a look at an example:

#nmap -PN --script SSLv2-support.nse amazon.com

Starting Nmap 4.62 ( http://nmap.org ) at 2008-05-12 12:41 PDT
Warning: Hostname amazon.com resolves to 3 IPs. Using 72.21.206.5.
Interesting ports on 206-5.amazon.com (72.21.206.5):
Not shown: 1713 filtered ports
PORT    STATE SERVICE
80/tcp  open  http
443/tcp open  https
|  SSLv2: server still supports SSLv2
|       SSL2_DES_192_EDE3_CBC_WITH_MD5
|       SSL2_IDEA_128_CBC_WITH_MD5
|       SSL2_RC2_CBC_128_CBC_WITH_MD5
|       SSL2_RC4_128_WITH_MD5
|       SSL2_RC4_64_WITH_MD5
|       SSL2_DES_64_CBC_WITH_MD5
|       SSL2_RC2_CBC_128_CBC_WITH_MD5
|_      SSL2_RC4_128_EXPORT40_WITH_MD5

Nmap done: 1 IP address (1 host up) scanned in 19.527 seconds


While the first line ("SSLv2: server still supports SSLv2") looks
useful and reasonable, I'm not sure the rest clears the bar for data
which should be printed by default.  Every Nmap output line is
precious, because if we flood people with low-value/debugging
information, they may miss something important.

Does anyone have concrete reasons why it is important to enumerate the
full list of supported SSL2 ciphers?  If not, I suggest that we change
the script to only print those in debugging mode or when verbosity
level is at least 2.  With that change, I think it is reasonable to
keep the script default.

Cheers,
-F

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
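The change proposed above (print the one-line SSLv2 summary by default, and the full cipher list only under -d or at verbosity 2 and up) can be expressed directly in an NSE script. The sketch below is an added example, not the SSLv2-support.nse script itself or any other Nmap code: `probe_sslv2` is a placeholder standing in for the script's real SSLv2 handshake and returns a constructed cipher list, while `format_sslv2_result` holds the output-gating logic and is kept free of NSE calls so it can be reasoned about without a live target. `nmap.verbosity()` and `nmap.debugging()` are the standard NSE library functions that report the -v and -d levels.

```lua
description = [[
Reports whether a server still accepts SSLv2 and, only at higher
verbosity or with debugging enabled, which SSLv2 cipher suites it offered.
]]

categories = {"default", "safe"}

local nmap = require "nmap"
local shortport = require "shortport"

-- Run against the https port (or anything Nmap identifies as https).
portrule = shortport.port_or_service(443, "https")

-- Placeholder for the script's real SSLv2 handshake (hypothetical helper).
-- A real probe would send a ClientHello and collect the server's cipher list;
-- here a constructed list is returned so the output logic can be exercised.
-- It would return nil (or an empty table) for a server that rejects SSLv2.
local function probe_sslv2(host, port)
  return {
    "SSL2_DES_192_EDE3_CBC_WITH_MD5",
    "SSL2_RC4_128_WITH_MD5",
    "SSL2_RC4_128_EXPORT40_WITH_MD5",
  }
end

-- Decide what to print for a given verbosity (-v count) and debugging (-d count).
-- Returns nil when the script should stay silent, a single summary line at the
-- default level, and the summary plus one line per cipher when debugging is on
-- or verbosity is at least 2.
function format_sslv2_result(ciphers, verbosity, debugging)
  if not ciphers or #ciphers == 0 then
    return nil  -- no SSLv2: nothing worth an output line
  end

  local lines = { "server still supports SSLv2" }

  if debugging > 0 or verbosity >= 2 then
    for _, name in ipairs(ciphers) do
      lines[#lines + 1] = "  " .. name
    end
  end

  return table.concat(lines, "\n")
end

action = function(host, port)
  local ciphers = probe_sslv2(host, port)
  return format_sslv2_result(ciphers, nmap.verbosity(), nmap.debugging())
end
```

With this split, a plain `nmap --script` run against a server that accepts SSLv2 yields only the "server still supports SSLv2" line, `nmap -vv` or `nmap -d` adds the cipher names, and a server that rejects SSLv2 produces no script output at all, which is the behaviour a default-category script needs if it is not to crowd out more important results.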