|
Nmap Development
mailing list archives
Re: Nmap-NSE Release candidate 2
From: Diman Todorov <diman.todorov () chello at>
Date: Wed, 9 Aug 2006 17:54:13 +0200
Hello Doug,
Do we make the user edit the lua source file? Do we add some means
to pass
parameters through Nmap into the lua script? Or do we simply
consider these
cases beyond the scope of NSE?
A conceivable plan could be
nmap -sC --script=whatever.lua --script-
params='user="desmond",passwd="molly"' target
I am not sure I like this idea very much. The main use of NSE (at
least I assumed this
to be the main use while designing) will be running thousands of
scripts against a target.
I really can't imagine how this --script-params can be used to pass
parameters to the
scripts in a way that isn't a pita. You'd either need to tell the
option which script
it is meant for or you would need to cope with the fact that
different scripts might
interpret the same argument differently. But more on user interaction
later.
Accounting for just the service name should also add another layer
of stability
and assurance to somebody running or writing lua scripts: version
detection has
verified that, at least superficially, this port seems to speak the
service we're
hoping it to speak.
This sounds quite reasonable to me. I would still provide the
port.number because
theoretically you can do network I/O in the rule section.
portrule = "http/tcp"
instead of the longer
portrule = function(host, port)
if port.service == "http"
and port.protocol == "tcp"
then
end
To be honest I would rather handle this in some sort of standard
library.
protorule = function(service, protocol)
return function(host, port)
if port.service == service
and port.protocol == protocol
then
return true
else
return false
end
end
end
and then
portrule = protorule("http", "tcp")
If you're getting my drift ;)
Until I looked at the lua source code, it wasn't clear to me that
port 113
needed to be scanned and determined to be an auth service before the
showOwner.lua script would run. Perhaps some sort of documentation
or warning
is appropriate? Also, in a similar vein to above, what if we (god
knows why)
find an auth service on a port other than 113? Couldn't somehow the
showOwner.lua
script try the scan with any auth services discovered? And could we
make this
general so that this sort of behaviour is automatic (by having some
sort
of connect() wrapper that accepts service names instead of ports,
for example)?
I agree that the dependency on port 113 is not a very good thing. I
would
nevertheless refrain from a connect() wrapper which accepts service
names as
this introduces a number of ambiguities which need to be dealt with.
What
if there are 25 ports with open auth on the target? While this is
just an
example for the sake of discussion, I believe that sometimes it is
better
to go a conservative way for the sake of simplicity.
The problem above can be easily solved using the new nmap.registry:
portrule = function(host, port)
if port.service == "auth" then
nmap.registry.authnumber = port.number
return true
else
return false
end
end
action = function(host, port)
connect(host.ip, nmap.registry.authnumber)
end
While this doesn't resolve ambiguities, it is very helpful imho. Perhaps
the standard library can have routines to easily store and retrieve
several
port numbers...
I know lua provides a fairly complete regular expression library
but I still
wonder if it would be worthwhile creating some sort of lua binding for
PPCRE. Nmap requires libppcre for version detection so we can
always count on
it being linked. (Interestingly, Nmap will soon have 3 distinct,
incompatible
regular expression libraries available - POSIX, PPCRE, and lua's)
Either adding a ppcre wrapper or even replacing the lua expressions
in NSE entirely
with ppcre is already on my TODO list. Currently it has very low
priority though.
This is handy because a whole heap of protocols use the concept of
"lines" to
divide data and functions like this one make it really easy to read
and process
data line-by-line.
That's not my idea, this is a function provided by nsock, I've simply
provided a wrapper ;)
In fact I am contemplating switching to marek's buffered i/o nsock
wrapper but this
too will have to wait for now.
As far as your abstraction ideas are concerned, I totally agree.
Building some kind
of NSE standard library is planned. I hadn't thought of adding
shortcuts for idioms
but it definitely sounds like a good idea to me. I had in mind adding
routines which
would reduce the pain of having to use low level sockets and thus
buggily reinventing
the wheel in every NSE script.
I can't seem to find any use of the 'description values in the C
source or
any of the lua scripts. Does the description serve any purpose
other than
being a comment in the source code?
It's because they currently only serve the purpose of a comment. I think
that in the long term NSE will definitely need some form of GUI. One
of the
purposes for a GUI would be to give users a sane way to browse scripts -
I have rewritten the script storage system so that scripts can be in
multiple
categories unfortunately at the cost of losing the structured
filesystem layout.
It would also be nice to have a graphical debugger for NSE scripts.
The GUI could
also handle the issue with parameters for scripts.
Is that something which should be put in NmapFE or should we extend
Adriano's UMIT?
Out of curiosity, I'm wondering why you chose NSE for some of your
scripts
instead of version detection. For example, malware/
kibuvDetection.lua seems
to accomplish the same thing that adding a match line or 2 to the
probes file
would.
I do apologize. Some of the scripts currently distributed are
definitely not
going in the final release. They were written just for testing
purposes -
you know - the 'yay it works' feeling ;)
The kibuv script in particular is one of the NASL scripts I have
ported to NSE to compare both languages.
Anyways, these are just some random ideas. Take them for what
they're worth.
greatly appreciated
cheers
Diman
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
 By Date 
By Thread
Current thread:
| 
Intro
