Re: NSE target library

[Toni Ruottu <toni.ruottu () iki fi>]

There is a bug that currently prevents this. Calling
nmap.set_port_state() does not work unles nmap already has some
opinion about the port.

On Thu, Dec 30, 2010 at 11:41 PM, Djalal Harouni <tixxdz () opendz org> wrote:
> On 2010-12-29 19:42:28 +0200, Toni Ruottu wrote:
> >   hello, people
> >
> > I have been doing some experiments with using the target library. I am
> > noticing a trend. Whenever I know the IP of a good target in a script
> > I usually also know a good candidate for the port that the scan should
> > target. For example I wanted to scan quake3 servers for their options,
> > and I figured I'd first query official master servers for actual
> > servers, and then scan the actual servers. The problem is that the
> > actual servers run on whatever high ports, so targeting the ip
> > addresses alone does not find them, and scanning lots of closed ports
> > also consumes lots of time as the servers use udp for communication.
> Perhaps adding ports dynamically during an Nmap scan can be achieved in
> a better manner (not like the add target feature):
>
> (This scan be done by NSE scripts)
> In the script which scans master servers you can push the discovered
> IPs into the Nmap scan queue and save them in the registry like this:
> nmap.registry.quake_slaves = {}
> nmap.registry.quake_slaves[slave_ip] = slave_port
> or
> nmap.registry.quake_slaves[slave_ip] = {}
> nmap.registry.quake_slaves[slave_ip][name] = slave_name
> nmap.registry.quake_slaves[slave_ip][port] = slave_port
> ...
> in other words like the port table.
>
> Pls note that we can also save multiple discovered ports here.
>
>
> In the script which scans slaves you can do this:
> hostrule = function(host)
>    if nmap_registry.quake_slaves[host.ip] then
>        return true
>    end
>    return false
> end
>
> action = function(host)
>    -- your actions, and after you test that the port is really open
>    -- you can set the port state and the version information on a port.
> end
>
>
> This way in your script for every discovered host you will *only* probe
> discovered ports for this host (you will not scan ports which belong to
> other hosts).
>
> > Another problem I noticed is that I can not run nmap without providing
> > a target. So when ever I use a script to populate the scan targets I
> > need to add something, say 127.0.0.1 as a starting target. Maybe there
> > should be a way to define an empty target set explicitly.
> Well, if your script is using a prerule/postrule then you can run Nmap
> without targets arguments, but the portrule/hostrule stuff needs
> targets. If you are doing some host discovery then perhaps you should
> consider using a prerule, take a look at Patrik's excellent scripts
> e.g: broadcast-dns-service-discovery.nse
>
> --
> tixxdz
> _______________________________________________
> Sent through the nmap-dev mailing list
> http://cgi.insecure.org/mailman/listinfo/nmap-dev
> Archived at http://seclists.org/nmap-dev/
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/