Nmap Development mailing list archives
Re: Nmap 4.21ALPHA1 -- Nmap Scripting Engine integrated
From: Diman Todorov <diman.todorov () chello at>
Date: Mon, 11 Dec 2006 14:39:24 +0100
Hello List,
If NSE had something like Metasploit's DCERPC or Nessus's generic RPC
packet creation functions it would gain so much more flexibility and
power. Also, checks from other frameworks could (in most cases) be ported
to NSE. Making an RPC library for NSE would be a big undertaking but would
benefit the community greatly in the long run.
Brandon
I haven't looked at it in great detail, but nmap has some RPC
functionality. Interfacing it to NSE is not very difficult.
Fyodor, is the RPC code base in nmap sufficient for doing RPC or
would it need extending?
I have some ideas for further NSE development. I am putting them up
for discussion. New ideas and criticism of my ideas are of course
welcome.
* Functional list operations (map, apply, head, tail, pair etc.)
* a print_debug() function which only prints output on higher
verbosity levels
* prototypes for common rules so that you can do things like:
portrule = protorule("http", "tcp") instead of tediously defining a
function. I have not decided yet what rules are best to have a
prototype for.
* buffered I/O. We have a patch for that already (thanks majek) but
it is still not decided if the buffering should be patched directly
into the nsock library or in the NSE library.
* a socket:get_contents() which returns only the payload of the
underlying protocol. This might not be straightforward though. The
socket would have to know its protocol for this to work as expected.
* make PCRE usage more comfortable. Currently the PCRE interface is
pretty low level.
* I will definitely add a way to list the available categories.
* Return exception objects instead of only an error string.
* Store the ports to detected services in the registry. That way you
can find out the port on which http is running on a target by simply
looking into the NSE registry. Nessus is doing something similar.
* Provide a more expressive way to choose scripts. For example
'--script all and not intrusive' or '--script intrusive or safe and not
harmless'. The syntax is just an example, not a suggestion.
* Provide a method to allow passing command line arguments to
scripts. Someone mentioned that it would be nice to be able to pass
things like username/password to specific scripts. Think
'--script-arguments script-id:argument1 script-id:argument2' or something similar.
* Currently NSE considers only TCP and UDP open and open|filtered.
Maybe users should be allowed to decide for themselves which port
states they want to consider.
* Write a function which generates n bytes of random data quickly so
that it can be used for buffer overflows.
* Add md5, sha1, etc. computation
* Implement nsock garbage collection, so that if you forget to close
a socket it will be implicitly destroyed when the script finishes.
* Make a standalone NSE interpreter for easy script development and
debugging.
* Perhaps allow scripts to generate new targets, so that you can
query a DNS server to find out which hosts belong to a certain domain
and then ask nmap to scan these.
Cheers
Diman
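An added example, written for this archive page and not taken from the mail above or from Nmap's own code, sketching how the proposed rule prototype could be written in plain Lua. The names protorule, any_of and set are assumptions; the host/port tables follow the NSE portrule(host, port) convention (port.protocol, port.service, port.state, port.number), and the optional states list covers the separate suggestion of letting users choose which port states a rule considers.

```lua
-- Build a set from a list of strings for O(1) membership tests.
local function set(list)
  local s = {}
  for _, v in ipairs(list) do s[v] = true end
  return s
end

-- Default port states a rule accepts (what NSE considered at the time).
local DEFAULT_STATES = { "open", "open|filtered" }

-- protorule(service, proto, states) returns a function usable as a portrule.
-- service: service name as detected by version scan (e.g. "http")
-- proto:   "tcp" or "udp"
-- states:  optional list of port states to accept (user's choice)
local function protorule(service, proto, states)
  local wanted = set(states or DEFAULT_STATES)
  return function(host, port)
    return port.protocol == proto
       and port.service == service
       and wanted[port.state] == true
  end
end

-- Combinator so rules compose without writing a new function each time.
local function any_of(...)
  local rules = { ... }
  return function(host, port)
    for _, r in ipairs(rules) do
      if r(host, port) then return true end
    end
    return false
  end
end

-- Usage, as a script would write it instead of a hand-written portrule:
portrule = any_of(protorule("http", "tcp"), protorule("https", "tcp"))

-- Constructed sample host/port tables (documentation address, no scan needed):
local host = { ip = "192.0.2.10" }
local open_http   = { number = 80,  protocol = "tcp", service = "http",   state = "open" }
local closed_http = { number = 80,  protocol = "tcp", service = "http",   state = "closed" }
local udp_dns     = { number = 53,  protocol = "udp", service = "domain", state = "open|filtered" }
assert(portrule(host, open_http) == true)
assert(portrule(host, closed_http) == false)
assert(portrule(host, udp_dns) == false)
print("rule prototype checks passed")
```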
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org