Nmap Development mailing list archives

Re: NSE console script help


From: David Fifield <david () bamsoftware com>
Date: Wed, 26 Jan 2011 16:58:30 -0800

On Tue, Jan 18, 2011 at 06:24:32PM -0800, Fyodor wrote:
> On Tue, Jan 18, 2011 at 08:27:10PM +0100, Martin Holst Swende wrote:
> 
> > If I use: "nmap foobar.com --script=all --script-args=help", let's
> > say nmap discovers the for me totally unknown service
> > "gazonk". Perhaps there is a very uncommon script which is a bit
> > intrusive, and not default, written specifically for the gazonk
> > service.  The chances of me finding that script are small, normally,
> > but since the command above will print only[1] the help about that
> > particular script, I will have a higher chance of finding the right
> > script for the task.
> 
> Well, the way I see it, there are four main script help selection
> possibilities:
> 
> 1) Print the script help info for all scripts known by Nmap
> 
> 2) Print the info for all scripts selected (by a specifier, like
>    "default" or "safe" or "broadcast" or "asn-query" or whatever).  In
>    this case, you can get behavior #1 by specifying "all".

I have a reasonably complete implementation of #2 in
/nmap-exp/david/nmap-script-help. An example follows:

$ ./nmap --datadir . --script-help auth

Starting Nmap 5.36TEST4 ( http://nmap.org ) at 2011-01-26 16:44 PST

afp-brute
Categories: intrusive auth
http://nmap.org/nsedoc/scripts/afp-brute.html
  Performs password guessing against Apple Filing Protocol (AFP)

citrix-brute-xml
Categories: intrusive auth
http://nmap.org/nsedoc/scripts/citrix-brute-xml.html
  Attempts to guess valid credentials for the Citrix PN Web Agent XML
  Service. The XML service authenticates against the local Windows server
  or the Active Directory.

As I mentioned in http://seclists.org/nmap-dev/2011/q1/242, a strong
motivator for this was to provide Zenmap with a way to get a list of
scripts that match a specification without the side effect of running
broadcast scripts. So there is XML --script-list output as well:

$ ./nmap --datadir . --script-help auth -oX -
<nse-scripts>
<script filename="./scripts/afp-brute.nse">
<categories><category>intrusive</category><category>auth</category></categories>
<description>Performs password guessing against Apple Filing Protocol (AFP)&#xa;</description>
</script>

The Zenmap branch that is capable of reading this XML is
/nmap-exp/david/zenmap-script-help. Making --script-help work was
straightforward. The Zenmap handling was trickier and that's where bugs
are more likely.

I'm going to finish documenting the new option and output. In the
meantime, I'd appreciate testing of the script selection interface in
the zenmap-script-help branch. To test it, it's probably easiest to just
temporarily switch an existing checkout:

$ svn switch --ignore-externals svn://svn.insecure.org/nmap-exp/david/nmap-script-help
$ ./configure --without-nping --without-ncat && make
# make install
$ cd zenmap
$ svn switch --ignore-externals svn://svn.insecure.org/nmap-exp/david/zenmap-script-help
$ ./zenmap

Then open the profile editor (ctrl+P) and go to the Scripting tab. You
should see all the scripts you have installed. It shouldn't hang or show
"Please wait." forever. Checking and unchecking boxes should affect the
command line, and editing the command line should change the checkboxes
after a short delay. (A fraction of a second; any longer and there's a
bug.) You should be able to add additional scripts from the filesystem
with the "Add" button.

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
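As an added illustration (not code from the nmap-script-help or zenmap-script-help branches), here is a small Python parser for the <nse-scripts> XML shown in the message, in the spirit of what Zenmap's Scripting tab has to do: read the script records and resolve a comma-separated --script value into the set of scripts whose boxes should be checked. The sample XML is constructed, and the specifier resolution is simplified to names, categories and "all"; Nmap's own --script grammar also accepts boolean expressions and wildcards.

```python
import os
import xml.etree.ElementTree as ET

# Constructed sample in the shape of the "--script-help ... -oX -" output
# quoted in the message; not captured from a real Nmap run.
SAMPLE_XML = """<nse-scripts>
<script filename="./scripts/afp-brute.nse">
<categories><category>intrusive</category><category>auth</category></categories>
<description>Performs password guessing against Apple Filing Protocol (AFP)&#xa;</description>
</script>
<script filename="./scripts/citrix-brute-xml.nse">
<categories><category>intrusive</category><category>auth</category></categories>
<description>Attempts to guess valid credentials for the Citrix PN Web Agent XML Service.&#xa;</description>
</script>
<script filename="./scripts/broadcast-dhcp-discover.nse">
<categories><category>broadcast</category><category>safe</category></categories>
<description>Sends a DHCP request to the broadcast address.&#xa;</description>
</script>
</nse-scripts>
"""

def parse_script_help(xml_text):
    """Parse <nse-scripts> XML into dicts: name, filename, categories (a set), description."""
    root = ET.fromstring(xml_text)
    if root.tag != "nse-scripts":
        raise ValueError("unexpected root element: %s" % root.tag)
    scripts = []
    for el in root.iter("script"):
        filename = el.get("filename", "")
        name = os.path.basename(filename)      # "./scripts/afp-brute.nse" -> "afp-brute"
        if name.endswith(".nse"):
            name = name[:-len(".nse")]
        cats = {c.text.strip() for c in el.iter("category") if c.text}
        desc_el = el.find("description")
        desc = (desc_el.text or "").strip() if desc_el is not None else ""
        scripts.append({"name": name, "filename": filename,
                        "categories": cats, "description": desc})
    return scripts

def resolve_specifier(scripts, spec):
    """Map a comma-separated --script value (script names and categories; "all"
    selects everything) to the set of script names that should be checked.
    Simplified: Nmap's real grammar also allows boolean expressions and wildcards."""
    wanted = {w.strip() for w in spec.split(",") if w.strip()}
    selected = set()
    for s in scripts:
        if "all" in wanted or s["name"] in wanted or wanted & s["categories"]:
            selected.add(s["name"])
    return selected
```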