Nmap Development mailing list archives

Re: Nmap 4.21ALPHA1 -- Nmap Scripting Engine integrated
From: Brandon Enright <bmenrigh () ucsd edu>
Date: Mon, 11 Dec 2006 02:51:55 +0000

On Sun, 10 Dec 2006 18:31:30 -0800
Fyodor <fyodor () insecure org> wrote:
...snip...
While it seems to generally be working well, don't consider the
current behavior a "done deal" where we're only looking to fix bugs.
We're hoping to get your input on things like what categories we
should use, what sort of standard NSE library functions are needed,
what API changes would make script writing easier or more powerful,
etc.

Being a script writer primarily interested in security auditing, the biggest
hole in NSE libraries for me is with MS RPC calls.  A few months ago when
MS06-040 was a big deal you requested that someone write an NSE script to
check for the patch.  I looked into doing so, as I'm sure others did too.
I decided it was too difficult/would not be flexible enough to write a
check in pure Lua.  Most other frameworks like Metasploit or Nessus were
able to quickly release exploits/checks because they've already laid the
RPC groundwork.

Here is a snip from the MS06-040 Metasploit exploit by H D Moore:

my $handle = Pex::DCERPC::build_handle( $uuid, $version, 'ncacn_np',
                                        $target_host, $pipe );

my $dce = Pex::DCERPC->new(
    'handle'      => $handle,
    'username'    => $self->GetVar('SMBUSER'),
    'password'    => $self->GetVar('SMBPASS'),
    'domain'      => $self->GetVar('SMBDOM'),
    'fragsize'    => $self->GetVar('FragSize'),
    'bindevasion' => $self->GetVar('BindEvasion'),
    'directsmb'   => $self->GetVar('DirectSMB'),
);

If NSE had something like Metasploit's DCERPC or Nessus's generic RPC
packet creation functions it would gain so much more flexibility and
power.  Also, checks from other frameworks could (in most cases) be ported
to NSE.  Making an RPC library for NSE would be a big undertaking but would
benefit the community greatly in the long run.

Brandon

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
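As an added illustration of the kind of groundwork the post is asking for, here is a Lua sketch of two building blocks a generic DCE/RPC library for NSE would need: parsing a string binding (protocol sequence, host, endpoint, as in the `'ncacn_np'`, `$target_host`, `$pipe` arguments of the quoted `build_handle` call) and encoding an interface UUID plus version into the 20-byte abstract syntax a bind request carries. This is not code from the post, from Metasploit, or from Nmap (Nmap later shipped its own `msrpc` and `smb` NSE libraries, which this does not reproduce); the function names are this example's own, the UUID and host name are constructed placeholders, and the UUID wire layout follows the DCE/RPC NDR rule that the first three UUID fields are little-endian and the remaining eight bytes are sent in order.

```lua
-- Added example, not code from the post, from Metasploit or from Nmap/NSE.
-- Helper names are this example's own; the UUID and host below are
-- constructed placeholders, not a real interface or target.

-- "ncacn_np:host[\\pipe\\name]" or "ncacn_ip_tcp:host[135]" ->
-- { protseq = ..., address = ..., endpoint = ... }; endpoint may be nil.
local function parse_string_binding(binding)
  local protseq, addr, endpoint =
    binding:match("^(%a[%w_]*):([^%[]*)%[(.*)%]$")
  if not protseq then
    protseq, addr = binding:match("^(%a[%w_]*):(.*)$")
  end
  if not protseq then
    return nil, "malformed string binding: " .. tostring(binding)
  end
  return { protseq = protseq, address = addr, endpoint = endpoint }
end

-- Convert a hex string to bytes, either reversed (little-endian field)
-- or in order.
local function hex_to_bytes(hex, little_endian)
  local out = {}
  for i = 1, #hex - 1, 2 do
    out[#out + 1] = string.char(tonumber(hex:sub(i, i + 1), 16))
  end
  if little_endian then
    local rev = {}
    for i = #out, 1, -1 do rev[#rev + 1] = out[i] end
    out = rev
  end
  return table.concat(out)
end

-- "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" -> 16 bytes in DCE/RPC wire order:
-- time_low, time_mid, time_hi_and_version little-endian, the rest as-is.
local function uuid_to_bytes(uuid)
  local hex = uuid:lower():gsub("-", "")
  if #hex ~= 32 or hex:find("[^%x]") then
    return nil, "malformed UUID: " .. tostring(uuid)
  end
  return hex_to_bytes(hex:sub(1, 8), true)
      .. hex_to_bytes(hex:sub(9, 12), true)
      .. hex_to_bytes(hex:sub(13, 16), true)
      .. hex_to_bytes(hex:sub(17, 32), false)
end

-- "major.minor" -> two little-endian 16-bit integers (4 bytes).
local function version_to_bytes(version)
  local major, minor = version:match("^(%d+)%.(%d+)$")
  if not major then
    return nil, "version must look like 1.0: " .. tostring(version)
  end
  local function u16le(n)
    n = tonumber(n)
    return string.char(n % 256, math.floor(n / 256) % 256)
  end
  return u16le(major) .. u16le(minor)
end

-- Analogue of the build_handle() call quoted in the post: validate the
-- transport binding and pre-encode the 20-byte abstract interface syntax.
local function build_handle(uuid, version, protseq, host, endpoint)
  local binding, err = parse_string_binding(
    protseq .. ":" .. host .. (endpoint and ("[" .. endpoint .. "]") or ""))
  if not binding then return nil, err end
  local uuid_bytes, uerr = uuid_to_bytes(uuid)
  if not uuid_bytes then return nil, uerr end
  local ver_bytes, verr = version_to_bytes(version)
  if not ver_bytes then return nil, verr end
  binding.interface = uuid_bytes .. ver_bytes
  return binding
end

-- Render a byte string as hex for inspection.
local function to_hex(s)
  return (s:gsub(".", function(c) return string.format("%02x", c:byte()) end))
end

-- Constructed sample values; the UUID, host and pipe name are placeholders.
local handle, err = build_handle("12345678-1234-abcd-ef00-0123456789ab", "1.0",
                                 "ncacn_np", "target.example", "\\pipe\\example")
assert(handle, err)
print(handle.protseq, handle.address, handle.endpoint)
print(to_hex(handle.interface))
```

The string-binding parser rejects malformed input instead of guessing, and the encoders return `nil, err` rather than raising, which is the convention most NSE library code follows so a script can report a problem per host instead of aborting the scan.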