Nmap Development: [Bug]? Script Directories 4.23RC3 on MSWin32

From: jah <jah_at_zadkiel.plus.com>
Date: Fri, 07 Dec 2007 21:51:40 +0000

I would like, in certain circumstances, to force nmap not to run scripts
that it would otherwise run automatically (category "version") and I've
been experimenting with 4.23RC3. Having re-read the docs on the
subject, I decided that I'd start by pointing nmap at a directory
containing zero scripts and found what I believe to be some odd things:

Nmap won't parse any arguments found after a quote enclosed, absolute
path, to a directory containing zero or more scripts, if a backslash is
appended to the path:

C:\>nmap --script "C:\Program Files\Nmap\scripts\" -sV --log-errors -p80 192.168.1.1 -R --script-trace
Starting Nmap 4.23RC3 ( http://insecure.org ) at 2007-12-07 18:07 GMT Standard Time
WARNING: No targets were specified, so 0 hosts scanned.
Nmap done: 0 IP addresses (0 hosts up) scanned in 0.047 seconds

C:\>nmap -p80 192.168.1.1 -R --log-errors --script-trace --script="C:\none\" -sV
Starting Nmap 4.23RC3 ( http://insecure.org ) at 2007-12-07 18:07 GMT Standard Time
SCRIPT ENGINE: No such category, file or directory: 'C:\none" -sV'
SCRIPT ENGINE: Aborting script scan.
Interesting ports on 192.168.1.1:
PORT STATE SERVICE
80/tcp open http
MAC Address: XX:XX:XX:D5:5E:30 (XXXXXX)
Nmap done: 1 IP address (1 host up) scanned in 0.156 seconds

In the second example above, version detection was not done. Notice the
trailing slash was consumed in the response from the script engine.

So escaping the trailing slash should work:

C:\>nmap --script "C:\Program Files\Nmap\scripts\\" -sV --log-errors -p80 192.168.1.1 -R --script-trace
Starting Nmap 4.23RC3 ( http://insecure.org ) at 2007-12-07 18:07 GMT Standard Time
SCRIPT ENGINE: No such category, file or directory: 'C:\Program Files\Nmap\scripts\'
SCRIPT ENGINE: Aborting script scan.
Interesting ports on 192.168.1.1:
PORT STATE SERVICE VERSION
80/tcp open tcpwrapped
MAC Address: XX:XX:XX:D5:5E:30 (XXXXXX)
Service detection performed. Please report any incorrect results at
http://insecure.org/nmap/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 5.562 seconds

All arguments are parsed. However, it doesn't like the absolute path to
a directory in which the scripts reside. (A nice hack for forcing nmap
not to run scripts, because script scanning is immediately aborted!)

I see "No such category, file or directory" for any absolute path to a
directory whether it contains scripts (as in the above default script
location examples) or not, and regardless of spaces in the path (and
hence quote enclosed), trailing slashes, direction of slashes and whether
I supply --script=<path> or --script <path>.

I see the same issue with any absolute path to any file (.nse or otherwise).

I'd say absolute paths to scripts and scriptdirs are broken on windows!
This is also true in 4.22SOC8.

The docs say (http://insecure.org/nmap/man/man-version-detection.html):

    "Absolute paths are used as is, relative paths are searched in the
    following places until found: --datadir/; $(NMAPDIR)/; ~user/nmap/
    (not searched on Windows); NMAPDATADIR/ or ./"

Relative paths to script directories require a trailing backslash or else:
Fetchfile found C:\Program Files\Nmap\myscripts
LUA INTERPRETER in ..\nse_init.cc:706: cannot open C:\Program Files\Nmap\myscripts<script_name>.nse: No such file or directory

and the same error if --datadir is set to a path other than "." without
the use of a trailing backslash.

Script scanning is immediately aborted in these cases, which seems a bit
odd because the use of relative paths doesn't override the use of scripts
in $(NMAPDIR)/scripts and I would hope that the script engine could
continue with these.

On a related note and a minor niggle, if --script version is supplied
explicitly, without -sV, then execution only stops once the script
scanning phase is reached at which point:
SCRIPT ENGINE: specifying the "version" category explicitely is not
allowed. [sic]
QUITTING!
Wouldn't it be more consistent to check for this and to fail before any
other scanning is performed?

An even more minor niggle - barely worth mentioning - When Version
detection is performed, nmap finishes off by reporting "Service
detection performed. Please report any incorrect results at
http://insecure.org/nmap/submit/ ."
and I wonder if it might be more consistent to say service Version
detection or just Version detection.

To summarise the main points, I believe that:

Absolute paths to scripts/dirs are not working.
Error if absolute dir paths end in backslash.
Error if relative dir paths don't end in backslash.

Now, if I may, a brief word on the reason I started this ramble in the
first place.

Would it be generally agreeable to implement an argument such as
--version-noscript which would give finer control over what scripts are
run when -sV is used and would be independent of --version-intensity
(which might be another way of doing it, but possibly not as good)?
Or how about a way to exclude any categor[y|ies] such as:
-sV --script all --script-exclude version,intrusive

There are times when I don't want to run certain scripts and in the
future, there will doubtless be many many more scripts in the version
category and version scanning speed may suffer as a result.

jah

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
Received on Dec 07 2007
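Editor's note, with an added example that is not part of jah's message or of Nmap itself. The first two transcripts above (the quoted path ending in a single backslash) are what the Microsoft C runtime's command-line splitting rules produce: a backslash immediately before a double quote turns that quote into a literal character, so the closing quote is never seen and the rest of the line becomes part of the --script value. Two backslashes before the quote yield one literal backslash and a real delimiter, which is why the third transcript shows the path delivered intact. The Python below reimplements those documented CRT rules and replays the three command lines from the post; the function names, the "target seen" helper and the constructed constants are mine, and the undocumented handling of a doubled quote inside a quoted run is deliberately left out because none of the command lines here need it.

```python
# Added example (not Nmap code): Microsoft C runtime argv splitting rules,
# replayed over the three command lines quoted in the post above.


def msvcrt_split(cmdline):
    """Split a Windows command line into argv the way the Microsoft CRT does.

    Documented rules:
      * whitespace separates arguments unless inside double quotes;
      * a double quote toggles "inside quotes" and is not copied;
      * backslashes are literal unless they immediately precede a quote;
      * 2n backslashes + quote  -> n backslashes, quote is a delimiter;
      * 2n+1 backslashes + quote -> n backslashes + a literal quote.
    Assumption: the "" (doubled quote inside a quoted run) special case is
    not modeled; argv[0] is split with the same rules, which is harmless here.
    """
    argv, cur, in_quotes, have_arg = [], [], False, False
    i, n = 0, len(cmdline)
    while i < n:
        c = cmdline[i]
        if c == "\\":
            j = i
            while j < n and cmdline[j] == "\\":
                j += 1
            count = j - i
            if j < n and cmdline[j] == '"':
                cur.append("\\" * (count // 2))
                if count % 2:
                    cur.append('"')  # odd run: the quote is escaped, kept literally
                    j += 1           # and consumed here
                # even run: the quote is a delimiter, handled on the next turn
            else:
                cur.append("\\" * count)  # not before a quote: all literal
            have_arg = True
            i = j
        elif c == '"':
            in_quotes = not in_quotes
            have_arg = True  # "" still produces an (empty) argument
            i += 1
        elif c in " \t" and not in_quotes:
            if have_arg:
                argv.append("".join(cur))
                cur, have_arg = [], False
            i += 1
        else:
            cur.append(c)
            have_arg = True
            i += 1
    if have_arg:
        argv.append("".join(cur))
    return argv


# Constructed from the post: the three command lines, C:\> prompt stripped.
TRAILING_BACKSLASH = r'nmap --script "C:\Program Files\Nmap\scripts\" -sV --log-errors -p80 192.168.1.1 -R --script-trace'
TRAILING_BACKSLASH_EQ = r'nmap -p80 192.168.1.1 -R --log-errors --script-trace --script="C:\none\" -sV'
DOUBLED_BACKSLASH = r'nmap --script "C:\Program Files\Nmap\scripts\\" -sV --log-errors -p80 192.168.1.1 -R --script-trace'


def script_argument(argv):
    """Value Nmap would receive for --script (either spelling), or None."""
    for k, a in enumerate(argv):
        if a == "--script" and k + 1 < len(argv):
            return argv[k + 1]
        if a.startswith("--script="):
            return a[len("--script="):]
    return None


def has_target(argv, target="192.168.1.1"):
    """True if the target survived as its own argv entry."""
    return target in argv


if __name__ == "__main__":
    for line in (TRAILING_BACKSLASH, TRAILING_BACKSLASH_EQ, DOUBLED_BACKSLASH):
        argv = msvcrt_split(line)
        print(line)
        print("  --script value:", repr(script_argument(argv)))
        print("  target seen:   ", has_target(argv))
```

Run as a script, the first line yields a --script value that swallows "-sV --log-errors -p80 192.168.1.1 -R --script-trace" and no target (Nmap's "No targets were specified"), the second yields exactly the 'C:\none" -sV' that the script engine printed, and the third yields the clean path 'C:\Program Files\Nmap\scripts\' with every other argument intact. So only the "No such category, file or directory" result for a correctly delivered absolute path is Nmap-side behaviour; the trailing-backslash symptom is the CRT quoting rule, and the workaround is to double the final backslash or omit it.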