Nmap Development mailing list archives
[NSE] Prerule considerations and concerns
From: Tom Sellers <nmap () fadedcode net>
Date: Sat, 16 Oct 2010 10:32:09 -0500
All,

I have some concerns about some of the prerule (and possibly postrule) scripts. To explain my concerns let me outline my process.

In my scenario I have a list of hosts and code that launches a nmap instance to scan each. The scan configuration may vary, depending on which script is invoked. The results for each host are being generated in each of nmap's output types and placed in a directory.

Using the SVN build of nmap, when I run scans the prerule scripts are triggering and broadcasting requests to the local network. These results are included in the output for each of my hosts. For production purposes I may scan 4k hosts at a time. In many of my runs I am scanning 100k hosts at a time. In some of the Internet surveys I start out with a list of 1 million hosts.

For each scan that includes scripting several scripts will run and broadcast packets.

Sample command lines:

Simple reproduction:

    nmap -sC    (no host specified)

Standard command line:

    nmap -sSUV -A --script "(default or safe) and not qscan" -O -pT:-,U:53,69,137,161,523,1434,1900,2065,2067 --version-all --open --excludefile ./lists/excludes_full.txt -R --webxml -oA ./logs/$1 $1 > ./logs/$1.txt 2> ./logs/$1.err

Here are my concerns with the current behavior:

1. In most cases the results have no relevance to my target. The current scripts broadcast looking for certain data, and that functionality is handy as hell, but it doesn't have any bearing on my target 4 hops away.

2. The broadcasts are taking time and using bandwidth when the result is not needed.

3. The results are confusing the output result and taking up storage. In the case of fathom searches of the XML I will have to avoid searching for data in them as it will greatly skew the results.

4. The rainmap project will have to keep the scripts in mind as they will expose data about the hosts on the subnet of the scanning host to a 3rd party requesting the scan.

Current scripts with a prerule:

    db2-discover.nse
    dhcp-discover.nse
    dns-service-discovery.nse
    dns-zone-transfer.nse
    ms-sql-info.nse
    resolveall.nse
    snmp-interfaces.nse
    upnp-info.nse

Is there currently a way to disable the prerule behavior of NSE scripts? If there isn't currently a way, can we add functionality to disable the prerule (and possibly postrule) scans without disabling the whole script? The ms-sql-info.nse script is an example of where the prerule section is not useful in this scenario, but the normal behavior of the script is desired.

Perhaps a command line switch could be used to set a flag that the scripts would evaluate in the prerule section:

    prerule = function()
      if stdnse.allow_prerule then
        return true
      else
        return false
      end
    end

I look forward to your thoughts and comments.

Thanks much,
Tom

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
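An added example, not part of Tom's mail or of any script shipped with Nmap: an NSE script skeleton whose local-network broadcast phase (the prerule) can be switched off per run through a script argument, today's `--script-args` mechanism, while its per-port rule keeps running against the real targets. The script name `example-discover` and the argument key `example-discover.noprerule` are hypothetical.

```lua
-- Added example (hypothetical script name "example-discover"): the broadcast
-- prerule runs only when the operator has NOT passed
--   --script-args example-discover.noprerule=1
-- while the portrule keeps the normal per-target behaviour.
local nmap = require "nmap"
local shortport = require "shortport"
local stdnse = require "stdnse"

description = [[
Skeleton of a discovery script whose local-network broadcast phase
(prerule) can be disabled with a script argument.
]]
author = "example"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"safe", "discovery"}

-- True unless the operator asked to skip the broadcast phase.
-- stdnse.get_script_args returns nil when the argument was not given.
local function prerule_allowed()
  local off = stdnse.get_script_args("example-discover.noprerule")
  return off == nil
end

-- Prerule: evaluated once before any host is scanned; no host or port
-- is passed to the action in that phase.
prerule = function()
  return prerule_allowed()
end

-- Portrule: the per-target part that should stay active regardless.
portrule = shortport.port_or_service(1433, "ms-sql-s")

action = function(host, port)
  if host == nil then
    -- Prerule invocation: a real script would send its broadcast probe
    -- here. Left as a stub; the point is the gating above.
    return "broadcast discovery phase ran (prerule)"
  end
  -- Portrule invocation against an actual target host/port.
  return ("checked %s:%d"):format(host.ip, port.number)
end
```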
Current thread:
- [NSE] Prerule considerations and concerns Tom Sellers (Oct 16)
- Re: [NSE] Prerule considerations and concerns Fyodor (Oct 16)
- Re: [NSE] Prerule considerations and concerns Patrik Karlsson (Oct 16)
- Re: [NSE] Prerule considerations and concerns David Fifield (Oct 18)
- Re: [NSE] Prerule considerations and concerns Patrik Karlsson (Oct 18)
- Re: [NSE] Prerule considerations and concerns Djalal Harouni (Oct 21)
- Re: [NSE] Prerule considerations and concerns Djalal Harouni (Oct 21)
- Re: [NSE] Prerule considerations and concerns Fyodor (Oct 16)
- Re: [NSE] Prerule considerations and concerns Djalal Harouni (Oct 21)
- Re: [NSE] Prerule considerations and concerns Fyodor (Oct 21)
- Re: [NSE] Prerule considerations and concerns Djalal Harouni (Oct 31)