Nmap Development mailing list archives
Re: [NSE] Script Dependencies Replacement for Runlevels
From: Ron <ron () skullsecurity net>
Date: Fri, 13 Nov 2009 17:58:58 -0600
Patrick Donnelly wrote:
> Right now scripts are required to assign a runlevel for their scripts to enforce an ordered execution of a group of scripts during an NSE scan. As an example, smb-brute.nse uses a runlevel of 0.5 so it runs before other smb-* scripts. This allows the other smb-* scripts to utilize the results from the smb-brute.nse script.
>
> Unfortunately, it can be difficult to identify the dependencies between these scripts (specified loosely via runlevels) and impossible to enforce a dependency (since scripts are not aware of what other scripts are running). Enforcing a dependency means that we do not run our script if we are missing a dependency (or, we abort scanning altogether because a dependency is missing).
>
> I have created a patch to NSE that replaces runlevels with a table of dependencies that clearly outlines what other scripts the script depends on. The table is of the form:
>
> dependencies = {"script1", "script2", ...}
>
> Runlevels become an internal representation of the order of scripts that are generated by the dependencies. If a dependency is not present in the current group of scripts then an error will be raised noting the missing dependency. Alternatively, you can use the new command line option --script-autoadd to automatically add dependencies to the current group of scripts (this can potentially add dangerous scripts and therefore is not the default).
>
> We also have weak dependencies that specify scripts that the script should run after but are not required for its execution. Its form is the same as the dependencies table above.
>
> The user will still see what the current runlevel is during the scan. Additionally, they will now be aware of the number of runlevels:
>
> NSE: Script scanning 127.0.0.1.
> NSE: Starting runlevel 1 (of 3) scan.
> Initiating NSE at 17:38
> Completed NSE at 17:38, 0.00s elapsed
> NSE: Starting runlevel 2 (of 3) scan.
> Initiating NSE at 17:38
> Completed NSE at 17:38, 0.00s elapsed
> NSE: Starting runlevel 3 (of 3) scan.
> Initiating NSE at 17:38
> Completed NSE at 17:38, 0.00s elapsed
> NSE: Script Scanning completed.
>
> Another non-obvious benefit to explicit dependencies is we no longer have scripts running in their own runlevel needlessly (reducing our overall parallelism). Before, smb-brute would run by itself in runlevel 0.5 when it could run alongside other unrelated scripts.
>
> With respect to backwards compatibility, there is none. We ignore any runlevel specification in the script. Explicit dependencies would be required.
We talked about wildcard dependencies somewhere in this thread, and how there wasn't much of a case for using them, but I thought of something.

smb-security-mode.nse prints out the user that was performing all the tests. To get a good reading, it should run after at least one script. Therefore, smb-security-mode.nse sort of has a weak dependency on smb-*. So there's a use case for it. Right now, I'm solving it with "runlevel = 1.01", but that's hacky.

--
Ron Bowes
http://www.skullsecurity.org/

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
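The ordering scheme described in the quoted proposal, sketched as an added example (not code from the patch or from Nmap): a script's runlevel is one more than the highest runlevel among its dependencies, a missing strong dependency raises an error, and a weak dependency only orders scripts that were actually selected. The helper `assign_runlevels`, the field name `weak_dependencies`, the script `unrelated-script` and the dependency edges are assumptions made for illustration.

```lua
-- Added example (hypothetical helper, not nse_main.lua): derive runlevels
-- from dependency tables. `weak_dependencies` is an assumed field name.
local function assign_runlevels(scripts)
  local level, visiting = {}, {}
  local function visit(name)
    if level[name] then return level[name] end
    if visiting[name] then error("circular dependency involving " .. name) end
    visiting[name] = true
    local highest = 0
    for _, dep in ipairs(scripts[name].dependencies or {}) do
      if not scripts[dep] then -- strong: must be in the selected group
        error(("%s: missing dependency '%s'"):format(name, dep))
      end
      highest = math.max(highest, visit(dep))
    end
    for _, dep in ipairs(scripts[name].weak_dependencies or {}) do
      if scripts[dep] then -- weak: orders the script only if dep was selected
        highest = math.max(highest, visit(dep))
      end
    end
    visiting[name] = nil
    level[name] = highest + 1
    return level[name]
  end
  for name in pairs(scripts) do visit(name) end
  return level
end

-- Constructed selection: script names from the thread plus one placeholder.
local selected = {
  ["smb-brute"] = {},
  ["unrelated-script"] = {},
  ["smb-security-mode"] = { weak_dependencies = { "smb-brute", "not-selected" } },
}

local levels, total = assign_runlevels(selected), 0
for _, lv in pairs(levels) do total = math.max(total, lv) end
for lv = 1, total do
  local names = {}
  for name, l in pairs(levels) do
    if l == lv then names[#names + 1] = name end
  end
  table.sort(names)
  print(("runlevel %d (of %d): %s"):format(lv, total, table.concat(names, ", ")))
end

-- A strong dependency that is not in the selected group aborts with an error.
print(pcall(assign_runlevels, { ["smb-x"] = { dependencies = { "smb-brute" } } }))
```

In this sketch smb-brute shares the first runlevel with the unrelated script instead of occupying one by itself, which is the parallelism benefit the proposal mentions.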