Nmap Development mailing list archives

Re: [NSE] Presentation and Vulscan Framework


From: David Fifield <david () bamsoftware com>
Date: Mon, 22 Nov 2010 16:20:19 -0800

On Fri, Nov 19, 2010 at 10:17:45AM +0100, Marc Ruef wrote:
> Hello,
> 
> A few weeks ago I was a speaker at Hashdays, a security conference
> in Switzerland[1]. My talk had the title "Nmap NSE Hacking for IT
> Security Professionals". After a short introduction to Nmap/NSE I
> showed the enhancements we have made to improve our security
> scanning and penetration testing. We wrote additional NSE scripts
> for data gathering and parse the results into a database (more of an
> expert system) for further moderation[2].
> 
> The slides (English) and a _very small_ glimpse of our framework
> have been published on our company's labs site:
> 
>    http://www.scip.ch/?labs.20101119
> 
> We are providing a set of top 10 scripts for web server analysis.
> The XML output can be parsed with a Ruby script to generate a CSV
> file. This file can be imported into a spreadsheet or database. See
> the blog post and slides for further details.
> 
> Perhaps one or the other of you is interested in this line of work. We
> would appreciate feedback of course.

This is interesting:

80/tcp open  http    Apache httpd
| web_server_identification: sID{1},
| sAccuracy{80},
| sTesttype{Exploiting},
| sTestsource{Application Mapping},
| sVersion{1.0-hd10},
| sOutput{Header:
|
|   Date: Thu, 18 Nov 2010 10:24:03 GMT
|   Server: Apache
|   Vary: Accept-Encoding
|   Content-Length: 6749
|   Connection: close
|   Content-Type: text/html
|
| },
| sDescription{The target service is a web server which is using the application protocol http to communicate. An attacker might approach this service to enumerate or compromise the target host.},
|_sTimestamp{1290075843};
| web_server_banner_grabbing: sID{2},
| sAccuracy{80},
| sTesttype{Scanning},
| sTestsource{HTTP-Banner (Server Line)},
| sVersion{1.0-hd10},
| sOutput{Apache},
| sDescription{The web server is announcing itself with a welcome banner in the Server line of the http header. An attacker might use this information to initiate target-oriented attacks.},
|_sTimestamp{1290075843};

Field           Description
sId             Unique identification number of the NSE script
sAccuracy       Accuracy of the analysis in percent
sTesttype       Type of test (Derivative, Portscan, Scanning, ...)
sTestsource     Source of the data (in this case always Nmap)
sVersion        Version number of the NSE script
sOutput         Output of the test access (e.g. the banner found)
sDescription    Short description of the problem
sTimestamp      Unix timestamp of the successful identification

I know we keep talking about making NSE output more structured. I know
you set up these scripts for database import, but these might be the
kind of structured fields we add. (They could possibly be hidden by
default or only shown in the XML.)

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
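An added example, not part of this thread and not the Ruby script from scip's framework (which works on Nmap's XML output): a parser for the sKey{value} record format quoted above, written against the normal-output rendering with Nmap's "| " gutter, which writes the records out as CSV in the column order of the table. The sample input is the two script results from the post, reproduced as a constructed string; the field names come from the table, and "script" is an assumed extra column holding the script id Nmap prints before the first field.

```ruby
require 'csv'
require 'time'

# Constructed sample input (not captured from a real host): the two script
# results quoted in the post, in Nmap normal-output form with the "| " / "|_"
# gutter still attached. One record per script; fields are sKey{value} pairs
# separated by commas and the record ends with ";".
SAMPLE = <<~'NMAP'
| web_server_identification: sID{1},
| sAccuracy{80},
| sTesttype{Exploiting},
| sTestsource{Application Mapping},
| sVersion{1.0-hd10},
| sOutput{Header:
|
|   Date: Thu, 18 Nov 2010 10:24:03 GMT
|   Server: Apache
|   Vary: Accept-Encoding
|   Content-Length: 6749
|   Connection: close
|   Content-Type: text/html
|
| },
| sDescription{The target service is a web server which is using the application protocol http to communicate. An attacker might approach this service to enumerate or compromise the target host.},
|_sTimestamp{1290075843};
| web_server_banner_grabbing: sID{2},
| sAccuracy{80},
| sTesttype{Scanning},
| sTestsource{HTTP-Banner (Server Line)},
| sVersion{1.0-hd10},
| sOutput{Apache},
| sDescription{The web server is announcing itself with a welcome banner in the Server line of the http header. An attacker might use this information to initiate target-oriented attacks.},
|_sTimestamp{1290075843};
NMAP

# CSV column order: the field names from the post's table plus "script",
# an assumed extra column for the script id printed before the first field.
FIELDS = %w[script sID sAccuracy sTesttype sTestsource sVersion sOutput sDescription sTimestamp].freeze

# Remove Nmap's normal-output gutter ("| ", "|_" or a bare "|") from each line,
# keeping the line's own newline so multi-line values survive intact.
def strip_gutter(text)
  text.lines.map { |l| l.sub(/\A\|_? ?/, '') }.join
end

# Split the stripped text into records: each starts with "<script>: " at the
# beginning of a line and ends at the first ";" that closes a line. Within a
# record, sKey{value} pairs are matched non-greedily so that a value may span
# several lines (the captured HTTP header does). A "}" inside a value would
# break this; that is the caveat for scraping normal output at all.
def parse_records(text)
  strip_gutter(text).scan(/^(\w+):\s*(.*?);\s*$/m).map do |name, body|
    rec = { 'script' => name }
    body.scan(/(s[A-Z]\w*)\{(.*?)\}/m) { |key, val| rec[key] = val.strip }
    rec
  end
end

# sTimestamp rendered as an ISO-8601 UTC string, so it can be compared with
# the Date header the target sent in the same probe.
def iso_timestamp(rec)
  Time.at(Integer(rec['sTimestamp'])).utc.iso8601
end

# sOutput is text chosen by the scanned host. A cell beginning with = + - @ is
# treated as a formula by common spreadsheet software when the CSV is opened,
# so such cells are prefixed with a single quote before export.
def neutralize(val)
  return val if val.nil?
  val.start_with?('=', '+', '-', '@') ? "'" + val : val
end

def to_csv(text)
  CSV.generate do |csv|
    csv << FIELDS
    parse_records(text).each do |rec|
      csv << FIELDS.map { |f| neutralize(rec[f]) }
    end
  end
end

puts to_csv(SAMPLE) if $PROGRAM_NAME == __FILE__
```

The neutralize step is there because the post suggests opening the CSV in a spreadsheet: the banner and header text in sOutput are under the remote server's control, and a value starting with "=" would otherwise be evaluated as a formula on import. For anything beyond a demonstration, parse the XML output (-oX) instead of the normal output, since there every value is a properly delimited element and a stray "}" in a banner cannot corrupt the record boundaries.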
