Nmap Development mailing list archives

Re: Concerning Auxiliary Scripts


From: David Fifield <david () bamsoftware com>
Date: Tue, 27 Apr 2010 09:12:06 -0600

On Tue, Apr 27, 2010 at 08:29:01AM -0400, Patrick Donnelly wrote:
> From docs/TODO:
> 
> o [NSE] Maybe we should create a class of scripts which only run one
>   time per scan, similar to auxiliary modules in Metasploit. We
>   already have script classes which run once per port and once per
>   host. For example, the once-per-scan ("network script"?) class might
>   be useful for broadcast LAN scripts (Ron Bowes, who suggested this
>   (http://seclists.org/nmap-dev/2010/q1/883) offered to write a
>   NetBIOS and DHCP broadcast script). Another idea would be an AS to
>   IP ranges script, as discussed in this thread
>   http://seclists.org/nmap-dev/2010/q2/101 [Could be a good SoC
>   infrastructure project]
>   o David notes: "I regret saying this before I say it, because I'm
>     imagining implementation difficulties, we should think about
>     having such auxiliary scripts be able to do things like host
>     discovery, and then let the following phases work on the list it
>     discovers."
> 
> I'm thinking this should be a new scan type. Unless I'm mistaken, Nmap
> has never added hosts to the scan that weren't explicitly enumerated
> in some way on the command line. It would be appropriate for the user
> to give Nmap "permission" to find hosts and then do further scanning
> as if those hosts were given on the command line. Thoughts?
> 
> As far as NSE is concerned, just like Version Detection runs the
> script engine with a "special" category ("version"), our new scan type
> would also run NSE. We can assign some arbitrary category to these
> "auxiliary" scripts. When NSE is in this host exploration/discovery
> mode, it doesn't bother with running hostrule/portrules and only runs
> scripts in that "auxiliary" category. Or for generality's sake, we can
> just have a single "fabricated" host for this scan type and all
> auxiliary scripts have a hostrule that always* returns true.

There are two things going on in the TODO above, as I understand it. The
first is a third type of script to go along with hostrule and portrule,
call it auxrule. (I think using a new rule type is better than making a
category for these scripts, because it fits in with the pattern:
portrule runs once per port, hostrule runs once per host, and auxrule
runs once per script scan.) The auxrule scripts aren't necessarily
related to host discovery. Like, I can imagine an auxrule script that
wants to run after all other scripts during normal script scanning, one
that collects in one table all the username/password credentials found
by the other scripts.

The second thing in the TODO is the possibility of starting up and
tearing down the script engine more than once during a scan, in
different "modes." This is the particular implementation difficulty I
was thinking of. So you might start up NSE in "host discovery mode" just
before or after normal host discovery, and then start it up again after
port scanning for normal script scanning. Host discovery scripts would
have to be marked somehow as being both auxrule scripts (because they
don't run against a particular host or port) and also that they want to
run in "host discovery mode" (this could be a category). Potentially we
would want NSE analogs for other phases besides host discovery, but I
didn't have any in mind.

I think the first issue, auxrule scripts, is probably pretty easy and
can be done independently from the host discovery idea. The second issue
is not necessarily difficult, but needs some discussion on how exactly
it will work.

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
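The dispatch pattern argued for in the message above (portrule once per port, hostrule once per host, the proposed auxrule once per script scan, plus the separate idea of running the engine in a "host discovery mode" that may add hosts to the scan) can be modelled in a few dozen lines. The following is an added illustration written for this archive page; it is not Nmap or NSE code. The script names ending in "-model", the `anonymous_ok` flag standing in for a real probe result, the `categories` used to pick which auxrule scripts run in discovery mode, and the 192.0.2.0/24 sample hosts are all constructed for the example. The shared `registry` dict plays the role NSE's shared registry table plays for the credential-collecting script the message describes.

```python
"""Toy model of NSE rule dispatch with a third, once-per-scan rule type.

Not Nmap code: a constructed simulation of the design discussed on the
list. Scripts declare one of three rule types:
  portrule  - evaluated once per (host, port)
  hostrule  - evaluated once per host
  auxrule   - evaluated once per script scan (proposed in the thread)
Auxrule scripts tagged "discovery" run only when the user has explicitly
turned discovery mode on, and may add hosts; all other auxrule scripts
run after every host/port script has finished.
"""
from dataclasses import dataclass, field
from typing import Callable, Tuple


@dataclass
class Port:
    number: int
    service: str
    anonymous_ok: bool = False   # constructed stand-in for a probe result


@dataclass
class Host:
    ip: str
    ports: list = field(default_factory=list)


@dataclass
class Script:
    name: str
    rule_type: str               # "portrule", "hostrule" or "auxrule"
    categories: Tuple[str, ...]
    rule: Callable
    action: Callable             # action(host, port, registry) -> output


def run_scan(seed_hosts, scripts, discovery_mode=False):
    """Return (hosts actually scanned, list of (script, ip, port, output))."""
    registry = {}                # shared across scripts, like nmap.registry
    results = []
    hosts = list(seed_hosts)     # never mutate the caller's target list

    # Phase 1: host discovery mode, only with the user's explicit permission.
    if discovery_mode:
        for s in scripts:
            if s.rule_type == "auxrule" and "discovery" in s.categories and s.rule():
                new_hosts = s.action(None, None, registry) or []
                results.append((s.name, None, None, [h.ip for h in new_hosts]))
                known = {h.ip for h in hosts}
                for h in new_hosts:
                    if h.ip not in known:       # de-duplicate against targets
                        hosts.append(h)
                        known.add(h.ip)

    # Phase 2: the normal script scan, hostrule per host and portrule per port.
    for host in hosts:
        for s in scripts:
            if s.rule_type == "hostrule" and s.rule(host):
                results.append((s.name, host.ip, None, s.action(host, None, registry)))
        for port in host.ports:
            for s in scripts:
                if s.rule_type == "portrule" and s.rule(host, port):
                    results.append((s.name, host.ip, port.number,
                                    s.action(host, port, registry)))

    # Phase 3: remaining auxrule scripts, once, after everything else.
    for s in scripts:
        if s.rule_type == "auxrule" and "discovery" not in s.categories and s.rule():
            results.append((s.name, None, None, s.action(None, None, registry)))
    return hosts, results


def run_counts(results):
    """How many times each script's action ran; shows the once-per-X pattern."""
    counts = {}
    for name, _ip, _port, _out in results:
        counts[name] = counts.get(name, 0) + 1
    return counts


# --- constructed example scripts ------------------------------------------
def ftp_anon_action(host, port, registry):
    # Stand-in for an anonymous-login check; records what it found in the
    # registry so a later once-per-scan script can summarise it.
    if port.anonymous_ok:
        registry.setdefault("creds", []).append((host.ip, port.number, "anonymous", ""))
        return "Anonymous FTP login allowed"
    return None


def count_host(host, port, registry):
    registry["hosts_seen"] = registry.get("hosts_seen", 0) + 1
    return registry["hosts_seen"]


def broadcast_discover(host, port, registry):
    # Constructed: pretend one LAN broadcast reply came back.
    return [Host("192.0.2.20", [Port(21, "ftp")])]


def creds_summary(host, port, registry):
    return list(registry.get("creds", []))


SCRIPTS = [
    Script("ftp-anon-model", "portrule", ("default", "auth"),
           rule=lambda host, port: port.service == "ftp", action=ftp_anon_action),
    Script("host-count-model", "hostrule", ("safe",),
           rule=lambda host: True, action=count_host),
    Script("broadcast-discovery-model", "auxrule", ("discovery",),
           rule=lambda: True, action=broadcast_discover),
    Script("creds-summary-model", "auxrule", ("safe",),
           rule=lambda: True, action=creds_summary),
]

# Constructed targets, as if given on the command line.
SEED_HOSTS = [
    Host("192.0.2.10", [Port(21, "ftp", anonymous_ok=True), Port(80, "http")]),
    Host("192.0.2.11", [Port(22, "ssh")]),
]

if __name__ == "__main__":
    for mode in (False, True):
        scanned, out = run_scan(SEED_HOSTS, SCRIPTS, discovery_mode=mode)
        print("discovery_mode=%s scanned=%s" % (mode, [h.ip for h in scanned]))
        for row in out:
            print("  ", row)
```

Running it with `discovery_mode=False` gives the plain three-rule scan: the host script runs twice, the port script once (only one ftp port), and the credential summary runs last, exactly once, with the one entry the port script stored. With `discovery_mode=True` the broadcast script runs first and its extra host flows into the per-host and per-port phases like any command-line target, which is the "permission to find hosts" behaviour the message asks about.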