RE: NSE Categorization Question(s)

[King Thorin <kingthorin () hotmail com>]

Thanks Dave. I was comparing the two script simply based on their descriptions.

Thanks for the --script-help idea, it's close but a little too verbose. I was thinking more along the lines of:

http-wordpress-brute Categories: intrusive brute
http-wordpress-enum Categories: auth intrusive vuln
http-wordpress-plugins Categories: discovery intrusive

I suppose I can probably get there with some kind of grep/awk/sed kung'fu


> Date: Thu, 14 Jun 2012 07:19:03 -0700
> From: david () bamsoftware com
> To: kingthorin () hotmail com
> CC: nmap-dev () insecure org
> Subject: Re: NSE Categorization Question(s)
>
> On Thu, Jun 14, 2012 at 09:22:56AM -0400, King Thorin wrote:
> > So looking at ssl-enum-ciphers got me thinking. This script is in the
> > discovery, and intrusive categories. Why isn't it "safe"? Which lead
> > to "how do we (the list, Fyodor, etc) describe the categories?"
> > http://nmap.org/book/nse-usage.html#nse-categories
> >
> > "intrusive
> >           These are scripts that cannot be classified in the
> >             safe category because the risks are too
> >             high that they will crash the target system, use up
> >             significant resources on the target host (such as
> >             bandwidth or CPU time), or otherwise be perceived as
> >             malicious by the target's system administrators."
> >
> > How was it determined that ssl-enum-ciphers is going to down a system
> > or load it too heavily while ssh2-enum-algos won't? Though
> > ssh2-enum-algos isn't safe, it's also not listed as intrusive. They're
> > both listed as discovery. 
>
> It's because ssh2-enum-algos gets its entire output from the server in
> one connection, which ssl-enum-ciphers must make a few hundred
> connections, one for each possible algorithm. Although their output is
> similar, they work differently. Just try them yourself and you'll see
> that one is much faster than the other.
>
> > Also this just occurred to me while writing this up. Is there
> > currently a mechanism (switch/option, similar to -sL -n) to have nmap
> > lists scripts and categories which will be run? i.e. if you do some
> > complicated type of script selection
> > (http://nmap.org/book/nse-usage.html#nse-script-selection), such as
> > the "nmap --script "(default or safe or intrusive) and not http-*""
> > example could nmap list what scripts will be run and their
> > categorization details without actually running? 
>
> Use the --script-help option.
>
> nmap --script-help "(default or safe or intrusive) and not http-*"
>
> David Fifield
                                          
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/