Nmap Development mailing list archives
Re: Output|Input pipe and forcing script run
From: Martin Holst Swende <martin () swende se>
Date: Mon, 29 Nov 2010 00:02:04 +0100
Hi,

On 10/03/2010 04:48 PM, David Fifield wrote:
> On Wed, Sep 29, 2010 at 10:47:37AM +0200, Martin Holst Swende wrote:
>> Also, a while ago there was a discussion about forcing a script to be run. That is a feature I would really love. Is anybody working on that? Fyodor suggested placing the patch in NSE, if that means in "lua-space" I could implement that if given some hints on where to place it.
>
> First you should try implementing this in the shortport library. Add a check to each of the functions for the script argument "force":
>
>     local force = stdnse.get_script_args("force")
>
> Then try running some scripts with this to see how it works. I think there will be unexpected surprises when forcing scripts to run with the large number of ports Nmap scans by default.
>
> The next step is to make it apply to all scripts in nse_main.lua. Try editing the "main" function in Script:new_thread. That's where the rules are actually called and can be overridden.
>
> Keep us updated with patches and your progress. I am interested to see how this works.
A lot of other things have got in the way, but tonight I did a first stab at it. It was trivial to implement, and you can check it out at the usual place; at http://martin.swende.se/hgwebdir.cgi/nsescripts/rev/48ee0f905d68 (<-- NOT tip) you can see the diff from the original.

With my patch you can do e.g.

    nmap www.google.com -p80 --script firewalk --script-args=force=1 -d3

Something more meaningful might be if you know that someone is running a service on an uncommon port, and you don't want to version-scan it just to run the script (perhaps because the version scan does not even find it). It can also be used to fuzz the scripts against wrong service types :)

While I was fiddling with nse_main, I added another thing I have been missing. I often don't really know what scripts are possible to run for a particular service or port, and I don't always know what they do. So, I added another script argument: "help". For all the scripts that would have been run, it instead prints out info about the scripts. Like so:

    www.google.se -p80,443 -sC --script-args help
    <snip>
    NSE: -----------------------------------------
    NSE: -- html-title.nse --
    NSE: -- Categories: default,discovery,safe
    NSE: -- Shows the title of the default page of a web server. The script will follow no more than one HTTP redirect, and only if the redirection leads to the same host. The script may send a DNS query to determine whether the host the redirect leads to has the same IP address as the original target.
    NSE: -----------------------------------------
    NSE: -- http-auth.nse --
    NSE: -- Categories: default,auth,intrusive
    NSE: -- Retrieves the authentication scheme and realm of a web service that requires authentication.
    NSE: -----------------------------------------
    NSE: -- http-favicon.nse --
    NSE: -- Categories: default,discovery,safe
    NSE: -- Gets the favicon ("favorites icon") from a web page and matches it against a database of the icons of known web applications. If there is a match, the name of the application is printed; otherwise the MD5 hash of the icon data is printed. If the script argument <code>favicon.uri</code> is given, that relative URI is always used to find the favicon. Otherwise, first the page at the root of the web server is retrieved and parsed for a <code><link rel="icon"></code> element. If that fails, the icon is looked for in <code>/favicon.ico</code>. If a <code><link></code> favicon points to a different host or port, it is ignored.
    </snip>

The example above uses the default scripts. More interesting is perhaps showing info about all scripts that can be used against a live host (or port/service):

    nmap www.scanme.org --script "*" --script-args help

The above example will show nse documentation for each script that has been identified as runnable against a port or service which has been found on the target. As a side-effect, the two modifications can be combined to show documentation about all nse-scripts :)

    nmap scanme.org -p0 --script "*" --script-args help,force

The force-stuff is at revision 51, and the help is at revision 52 on http://www.martin.swende.se/hg/nsescripts .

Feedback appreciated!

Regards,
Martin Swende

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
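A script-level sketch of the two arguments discussed in this thread, added here as an example; it is neither Martin's nse_main.lua/shortport patch nor Nmap's own code, and the wrapper name, the "force"/"help" handling and the debug and output messages are assumptions for illustration.

```lua
-- Added example: an NSE script that honours "force" and "help" script
-- arguments at script level. Not Martin's patch and not Nmap's shortport
-- code; the forceable() wrapper and the messages below are assumptions.
local shortport = require "shortport"
local stdnse = require "stdnse"

description = [[
Demonstrates a forceable portrule and a help argument that prints the
script's documentation instead of running its action.
]]
author = "example"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"safe", "discovery"}

-- Wrap an ordinary portrule so that --script-args=force=1 makes it match
-- any port Nmap reports as open. Caveat (as David notes in the thread):
-- with Nmap's default port list this can fire the script against many
-- unrelated ports, so the override is kept to open ports only.
local function forceable(rule)
  return function(host, port)
    if stdnse.get_script_args("force") and port.state == "open" then
      stdnse.print_debug(1, "force: overriding portrule for %s:%d",
        host.ip, port.number)
      return true
    end
    return rule(host, port)
  end
end

-- Without force, this script only runs against ports that look like HTTP.
portrule = forceable(shortport.http)

action = function(host, port)
  -- --script-args=help: print the script's own metadata and stop, the
  -- per-script analogue of the nse_main.lua "help" behaviour above.
  if stdnse.get_script_args("help") then
    return ("\n-- %s --\n-- Categories: %s\n-- %s"):format(
      SCRIPT_NAME, table.concat(categories, ","), description)
  end
  -- The real work would go here; report what was matched and how.
  return ("ran against %s:%d (%s)"):format(host.ip, port.number,
    port.service or "unknown")
end
```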