Nmap Development mailing list archives
[NSE] Script Pre-scanning and Post-scanning example
From: Djalal Harouni <tixxdz () gmail com>
Date: Fri, 6 Aug 2010 18:18:02 +0100
Hi list, I've merged the Script Pre-scanning and Post-scanning phases to Nmap trunk. I hope that we'll see lot of scripts that make use of them. As you know we have introduced new rules "prerule" and "postrule" the documentation is comming and will be merged soon, in the mean while if you want to play with this you can update or checkout. The dns-zone-transfer script has already been updated to use a "prerule". Code merged as svn r19515 and r19516. The new Script Scan phases: --------------------------- * Script Pre-scanning: before any Nmap scan. To activate scripts during this phase you must use the "prerule". * Script scanning: after Nmap hosts group scan. To activate scripts during this phase you must use the classic rules "portrule" and "hostrule". * Script Post-scanning: after all Nmap scans. To activate scripts during this phase you must use the "postrule". dns-zone-transfer script example: --------------------------------- To be able to run the script in the Script Pre-scanning phase (with the prerule) you must specify the necessary arguments. For dns-zone-transfer.nse script this argument is 'dnszonetransfer.server', this is our target. When the script is running in the Script scanning phase (portrule or hostrule) then this server target is provided by Nmap (part of the Nmap discovered hosts), so the 'dnszonetransfer.server' argument is ignored in this case and the target is provided by the classic host table. Script code: ------------ prerule = function() return true end portrule = shortport.portnumber(53, 'tcp') ... ... action = function(host, port) ... ... if args.dnszonetransfer and args.dnszonetransfer.domain then domain = args.dnszonetransfer.domain elseif args['dnszonetransfer.domain'] then domain = args['dnszonetransfer.domain'] elseif args.domain then domain = args.domain end -- script running at the Script Pre-scanning phase. if SCRIPT_TYPE == "prerule" then if not domain then stdnse.print_debug(3, "Skipping '%s' %s, 'dnszonetransfer.domain' argument is missing.", SCRIPT_NAME, SCRIPT_TYPE) return end if args['dnszonetransfer.server'] then dns_server = args['dnszonetransfer.server'] else stdnse.print_debug(3, "Skipping '%s' %s, 'dnszonetransfer.server' argument is missing.", SCRIPT_NAME, SCRIPT_TYPE) return end if args['dnszonetransfer.port'] then dns_port = args['dnszonetransfer.port'] else dns_port = 53 end -- script running at the Script Scan phase. elseif SCRIPT_TYPE == "portrule" then if not domain then if host.targetname then domain = host.targetname elseif host.name ~= "" then domain = host.name else -- can't do anything without a hostname return stdnse.format_output(false, string.format("'%s' script needs a dnszonetransfer.domain argument.", SCRIPT_TYPE)) end end dns_server = host.ip dns_port = port.number end soc = nmap.new_socket() soc:set_timeout(4000) try(soc:connect(dns_server, dns_port)) ... ... end Some Documentation: ------------------- * The script can run now at different phases, this will let us to share code between tasks. * To check the rule type that activated the script, use the new SCRIPT_TYPE environment variable. if SCRIPT_TYPE == "prerule" then -- Script Pre-scanning phase elseif SCRIPT_TYPE == "hostrule" or SCRIPT_TYPE == "portrule" then -- Classic Script scanning phase elseif SCRIPT_TYPE == "postrule" then -- Script Post-scanning phase end * The script will run at the Pre-scanning phase only if all the necessary script arguments are available. If these arguments are missing then the script should print a debug message at level 3 (current standard) and return. In general on errors print a debug message and call return without any value. e.g: if args['dnszonetransfer.server'] then dns_server = args['dnszonetransfer.server'] else stdnse.print_debug(3, "Skipping '%s' %s, 'dnszonetransfer.server' argument is missing.", SCRIPT_NAME, SCRIPT_TYPE) return end More documentation will be merged soon, thx. Script output: -------------- 1) At the Script Pre-scanning phase (prerule): ***** Without the necessary argument 'dnszonetransfer.server' ****** (Note: debug is level 3 to show why the script was skipped). $ ./nmap -d3 --datadir . --script scripts/dns-zone-transfer.nse \ --script-args="dnszonetransfer.domain=ualberta.ca" ... NSE: Script ./scripts/dns-zone-transfer.nse was selected by name. NSE: Loaded 1 scripts for scanning. NSE: Loaded 'dns-zone-transfer.nse'. NSE: Script Pre-scanning. NSE: Starting runlevel 1 (of 1) scan. Initiating NSE at 22:35 NSE: NSE Script Threads (1) running: NSE: Starting 'dns-zone-transfer' (thread: 0x8dc5d18). NSE: Skipping 'dns-zone-transfer' prerule, 'dnszonetransfer.server' argument is missing. NSE: Finished 'dns-zone-transfer' (thread: 0x8dc5d18). ... ***** With the necessary argument 'dnszonetransfer.server' ****** (Note: we can run Nmap without targets) $ ./nmap -d1 --datadir . --script scripts/dns-zone-transfer.nse \ --script-args="dnszonetransfer.server=MENAIK.CS.ualberta.ca,dnszonetransfer.domain=ualberta.ca" ... NSE: Loaded 1 scripts for scanning. NSE: Script Pre-scanning. NSE: Starting runlevel 1 (of 1) scan. Initiating NSE at 22:43 NSE: NSE Script Threads (1) running: NSE: Starting dns-zone-transfer. NSE: Finished dns-zone-transfer. Completed NSE at 22:44, 12.47s elapsed Pre-scan script results: | dns-zone-transfer: | ualberta.ca SOA NOM.ualberta.ca dnsmaster.ualberta.ca | ualberta.ca NS NOM.ualberta.ca | ualberta.ca NS NAME.ualberta.ca | ualberta.ca NS MENAIK.CS.ualberta.ca | ualberta.ca A 129.128.98.86 | ualberta.ca MX ***.srv.ualberta.ca | ualberta.ca MX ***.srv.ualberta.ca | ualberta.ca MX ***-3.srv.ualberta.ca | www.100years.ualberta.ca CNAME | _msdcs.ualberta.ca NS NAME.ualberta.ca | _msdcs.ualberta.ca NS NOM.ualberta.ca | _sites.ualberta.ca NS NAME.ualberta.ca | _sites.ualberta.ca NS NOM.ualberta.ca | aahepp.ualberta.ca NS MENAIK.CS.ualberta.ca | aasua.ualberta.ca NS NAME.ualberta.ca ... ... |_ualberta.ca SOA NOM.ualberta.ca dnsmaster.ualberta.ca NSE: Script Post-scanning. Read from .: nmap-services. WARNING: No targets were specified, so 0 hosts scanned. Nmap done: 0 IP addresses (0 hosts up) scanned in 12.96 seconds 2) At the Script scanning phase (portrule): $ ./nmap -d1 -PN -sT -p53 --datadir . --script scripts/dns-zone-transfer.nse \ --script-args="dnszonetransfer.domain=ualberta.ca" MENAIK.CS.ualberta.ca ... NSE: Loaded 1 scripts for scanning. NSE: Script Pre-scanning. NSE: Starting runlevel 1 (of 1) scan. Initiating NSE at 19:01 NSE: NSE Script Threads (1) running: NSE: Starting dns-zone-transfer. NSE: Finished dns-zone-transfer. Completed NSE at 19:01, 0.00s elapsed mass_rdns: Using DNS server 10.0.2.3 Initiating Parallel DNS resolution of 1 host. at 19:01 mass_rdns: 0.24s 0/1 [#: 1, OK: 0, NX: 0, DR: 0, SF: 0, TR: 1] Completed Parallel DNS resolution of 1 host. at 19:01, 0.23s elapsed DNS resolution of 1 IPs took 0.24s. Mode: Async [#: 1, OK: 1, NX: 0, DR: 0, SF: 0, TR: 1, CN: 0] Initiating Connect Scan at 19:01 Scanning MENAIK.CS.ualberta.ca (129.128.4.241) [1 port] scovered open port 53/tcp on 129.128.4.241 Completed Connect Scan at 19:01, 0.32s elapsed (1 total ports) Overall sending rates: 3.11 packets / s. NSE: Script scanning 129.128.4.241. NSE: Starting runlevel 1 (of 1) scan. Initiating NSE at 19:01 NSE: NSE Script Threads (1) running: NSE: Starting dns-zone-transfer against 129.128.4.241:53. NSE: Finished dns-zone-transfer against 129.128.4.241:53. Completed NSE at 19:01, 9.90s elapsed Nmap scan report for MENAIK.CS.ualberta.ca (129.128.4.241) Host is up, received user-set (0.32s latency). rDNS record for 129.128.4.241: menaik.cs.ualberta.ca PORT STATE SERVICE REASON 53/tcp open domain syn-ack | dns-zone-transfer: | ualberta.ca SOA NOM.ualberta.ca dnsmaster.ualberta.ca | ualberta.ca NS NOM.ualberta.ca | ualberta.ca NS NAME.ualberta.ca | ualberta.ca NS MENAIK.CS.ualberta.ca | ualberta.ca A 129.128.98.86 ... ... |_ualberta.ca SOA NOM.ualberta.ca dnsmaster.ualberta.ca Final times for host: srtt: 321000 rttvar: 321000 to: 1605000 NSE: Script Post-scanning. Read from .: nmap-payloads nmap-services. Nmap done: 1 IP address (1 host up) scanned in 11.96 seconds This new feature will make it easy for people that want to code network tools or scripts (Lua language) by using the "prerule". Taking advantage of the API provided by Nmap and NSE (low level network operations are done by Nsock library C/C++). Thx. -- tixxdz _______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://seclists.org/nmap-dev/
Current thread:
- [NSE] Script Pre-scanning and Post-scanning example Djalal Harouni (Aug 06)
- Re: [NSE] Script Pre-scanning and Post-scanning example Kris Katterjohn (Aug 10)
- Re: [NSE] Script Pre-scanning and Post-scanning example Patrick Donnelly (Aug 10)
- Re: [NSE] Script Pre-scanning and Post-scanning example Kris Katterjohn (Aug 10)
- Re: [NSE] Script Pre-scanning and Post-scanning example Djalal Harouni (Aug 11)
- Re: [NSE] Script Pre-scanning and Post-scanning example Kris Katterjohn (Aug 11)
- Re: [NSE] Script Pre-scanning and Post-scanning example Kris Katterjohn (Sep 09)
- Re: [NSE] Script Pre-scanning and Post-scanning example David Fifield (Sep 27)
- Re: [NSE] Script Pre-scanning and Post-scanning example Kris Katterjohn (Sep 27)
- Re: [NSE] Script Pre-scanning and Post-scanning example Patrick Donnelly (Aug 10)
- Re: [NSE] Script Pre-scanning and Post-scanning example Kris Katterjohn (Aug 10)
- Re: [NSE] resolveall prerule, nmap.resolve(), nmap.address_family() Djalal Harouni (Aug 11)