Nmap Development: Re: [Bug]? Script Directories 4.23RC3 on MSWin32

From: Kris Katterjohn <katterjohn_at_gmail.com>
Date: Fri, 07 Dec 2007 16:05:43 -0600

jah wrote:
> I would like, in certain circumstances, to force nmap not to run scripts
> that it would otherwise run automatically (category "version") and I've
> been experimenting with 4.23RC3. Having re-read the docs on the
> subject, I decided that I'd start by pointing nmap at a directory
> containing zero scripts and found what I believe to be some odd things:
>
> Nmap won't parse any arguments found after a quote-enclosed absolute
> path to a directory containing zero or more scripts, if a backslash is
> appended to the path:
>
> C:\>nmap --script "C:\Program Files\Nmap\scripts\" -sV --log-errors -p80
> 192.168.1.1 -R --script-trace
> Starting Nmap 4.23RC3 ( http://insecure.org ) at 2007-12-07 18:07 GMT
> Standard Time
> WARNING: No targets were specified, so 0 hosts scanned.
> Nmap done: 0 IP addresses (0 hosts up) scanned in 0.047 seconds
>
> C:\>nmap -p80 192.168.1.1 -R --log-errors --script-trace
> --script="C:\none\" -sV
> Starting Nmap 4.23RC3 ( http://insecure.org ) at 2007-12-07 18:07 GMT
> Standard Time
> SCRIPT ENGINE: No such category, file or directory: 'C:\none" -sV'
> SCRIPT ENGINE: Aborting script scan.
> Interesting ports on 192.168.1.1:
> PORT STATE SERVICE
> 80/tcp open http
> MAC Address: XX:XX:XX:D5:5E:30 (XXXXXX)
> Nmap done: 1 IP address (1 host up) scanned in 0.156 seconds
>
> In the second example above, version detection was not done. Notice the
> trailing slash was consumed in the response from the script engine.
>
> So escaping the trailing slash should work:
>
> C:\>nmap --script "C:\Program Files\Nmap\scripts\\" -sV --log-errors
> -p80 192.168.1.1 -R --script-trace
> Starting Nmap 4.23RC3 ( http://insecure.org ) at 2007-12-07 18:07 GMT
> Standard Time
> SCRIPT ENGINE: No such category, file or directory: 'C:\Program
> Files\Nmap\scripts\'
> SCRIPT ENGINE: Aborting script scan.
> Interesting ports on 192.168.1.1:
> PORT STATE SERVICE VERSION
> 80/tcp open tcpwrapped
> MAC Address: XX:XX:XX:D5:5E:30 (XXXXXX)
> Service detection performed. Please report any incorrect results at
> http://insecure.org/nmap/submit/ .
> Nmap done: 1 IP address (1 host up) scanned in 5.562 seconds
>
> All arguments are parsed. However, it doesn't like the absolute path to
> a directory in which the scripts reside. (A nice hack for forcing nmap
> not to run scripts! because script scanning is immediately aborted)
>
> I see "No such category, file or directory" for any absolute path to a
> directory whether it contains scripts (as in the above default script
> location examples) or not and regardless of spaces in the path (and
> hence quote enclosed), trailing slashes, direction of slashes and whether
> I supply --script=<path> or --script <path>.
>
> I see the same issue with any absolute path to any file (.nse or otherwise).
>
> I'd say absolute paths to scripts and scriptdirs are broken on Windows!
> This is also true in 4.22SOC8.
>
>
>
> The docs say (http://insecure.org/nmap/man/man-version-detection.html):
>
> "Absolute paths are used as is, relative paths are searched in the
> following places until found: --datadir/; $(NMAPDIR)/; ~user/nmap/
> (not searched on Windows); NMAPDATADIR/ or ./"
>
>
> Relative paths to script directories require a trailing backslash or else:
> Fetchfile found C:\Program Files\Nmap\myscripts
> LUA INTERPRETER in ..\nse_init.cc:706: cannot open C:\Program
> Files\Nmap\myscripts<script_name>.nse: No such file or directory
>
> and the same error if --datadir is set to a path other than "." without
> the use of a trailing backslash.
>
> Script scanning is immediately aborted in these cases, which seems a bit
> odd because the use of relative paths doesn't override the use of scripts
> in $(NMAPDIR)/scripts and I would hope that the script engine could
> continue with these.
>
>
> On a related note and a minor niggle, if --script version is supplied
> explicitly, without -sV, then execution only stops once the script
> scanning phase is reached at which point:
> SCRIPT ENGINE: specifying the "version" category explicitely is not
> allowed. [sic]
> QUITTING!
> Wouldn't it be more consistent to check for this and to fail before any
> other scanning is performed?
>
> An even more minor niggle - barely worth mentioning - when version
> detection is performed, nmap finishes off by reporting "Service
> detection performed. Please report any incorrect results at
> http://insecure.org/nmap/submit/ ."
> and I wonder if it might be more consistent to say service Version
> detection or just Version detection.
>
>
>
> To summarise the main points, I believe that:
>
> Absolute paths to scripts/dirs are not working.
> Error if absolute dir paths end in backslash.
> Error if relative dir paths don't end in backslash.
>

I can't test on Windows since I haven't run it (other than at school)
since the SoC, but it looks like a bug in the cmd.exe parsing of quotes
(") and escaped quotes (\"). Nmap is given what the command interpreter
gives it, and that's the problem :)

This right here is what really makes me think so (from above):

C:\>nmap -p80 192.168.1.1 -R --log-errors --script-trace
--script="C:\none\" -sV
Starting Nmap 4.23RC3 ( http://insecure.org ) at 2007-12-07 18:07 GMT
Standard Time
SCRIPT ENGINE: No such category, file or directory: 'C:\none" -sV'
SCRIPT ENGINE: Aborting script scan.

It grabs 'C:\none" -sV' for the directory, which isn't right. UNIX
shells will give you a second prompt like "> " if you haven't finished a
quote or something (so you can finish it), but cmd.exe apparently just
sends the rest of the line to the program.

Well, I'm kinda busy right now, but I wanted to share what I noticed. I
hope that helps.

Thanks,
Kris Katterjohn

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
Received on Dec 07 2007
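The argument-splitting behaviour discussed in this thread can be reproduced offline. The following is an added example, not code from the thread or from Nmap: a Python re-implementation of the rules the Microsoft C runtime (and CommandLineToArgvW) apply when a Windows process splits its raw command line into argv. The rules are: backslashes are literal unless they immediately precede a double quote; 2n backslashes before a quote yield n backslashes and the quote toggles "in quotes" mode; 2n+1 backslashes before a quote yield n backslashes plus a literal quote; and an unterminated quote swallows the rest of the line. That last rule is exactly why `"C:\none\"` turns into the single token `C:\none" -sV` that the SCRIPT ENGINE error printed, and why doubling the trailing backslash (`scripts\\"`) produces a path ending in one backslash. The three command lines are the ones quoted above; `argv[0]` is passed through the same rules for simplicity (the real runtime treats the program name specially, and newer runtimes also treat `""` inside quotes as a literal quote, which this version omits).

```python
"""Reproduce how Windows splits a command line into argv.

This is an illustrative re-implementation of the documented MSVCRT /
CommandLineToArgvW rules; it is not Nmap code. The command lines below
are the ones quoted in the thread.
"""

from typing import List, Optional

# Constructed inputs: the three invocations from jah's report.
CMD_TRAILING_BACKSLASH = (
    r'nmap --script "C:\Program Files\Nmap\scripts\" -sV --log-errors '
    r'-p80 192.168.1.1 -R --script-trace'
)
CMD_NONE_DIR = (
    r'nmap -p80 192.168.1.1 -R --log-errors --script-trace '
    r'--script="C:\none\" -sV'
)
CMD_ESCAPED_BACKSLASH = (
    r'nmap --script "C:\Program Files\Nmap\scripts\\" -sV --log-errors '
    r'-p80 192.168.1.1 -R --script-trace'
)


def split_windows_cmdline(cmdline: str) -> List[str]:
    """Split a raw Windows command line the way the C runtime does.

    Backslashes are literal unless followed by a double quote. A run of
    2n backslashes before a quote yields n backslashes and the quote acts
    as a delimiter; 2n+1 backslashes yield n backslashes and a literal
    quote. Whitespace outside quotes separates arguments; an unterminated
    quote consumes the rest of the line.
    """
    args: List[str] = []
    i, n = 0, len(cmdline)
    while i < n:
        # Skip whitespace between arguments.
        while i < n and cmdline[i] in " \t":
            i += 1
        if i >= n:
            break
        arg: List[str] = []
        in_quotes = False
        while i < n:
            c = cmdline[i]
            if c == "\\":
                j = i
                while j < n and cmdline[j] == "\\":
                    j += 1
                count = j - i
                if j < n and cmdline[j] == '"':
                    arg.append("\\" * (count // 2))
                    if count % 2 == 1:
                        arg.append('"')  # odd run: escaped literal quote
                        i = j + 1
                    else:
                        i = j  # even run: quote is a delimiter, handled next
                else:
                    arg.append("\\" * count)  # not before a quote: literal
                    i = j
            elif c == '"':
                in_quotes = not in_quotes
                i += 1
            elif c in " \t" and not in_quotes:
                break
            else:
                arg.append(c)
                i += 1
        args.append("".join(arg))
    return args


def nmap_script_arg(argv: List[str]) -> Optional[str]:
    """Return the value nmap would receive for --script, or None.

    Handles both '--script=VALUE' and '--script VALUE' spellings.
    """
    for idx, a in enumerate(argv):
        if a.startswith("--script="):
            return a[len("--script="):]
        if a == "--script" and idx + 1 < len(argv):
            return argv[idx + 1]
    return None


if __name__ == "__main__":
    for line in (CMD_TRAILING_BACKSLASH, CMD_NONE_DIR, CMD_ESCAPED_BACKSLASH):
        argv = split_windows_cmdline(line)
        print(line)
        print("  argv   :", argv)
        print("  script :", repr(nmap_script_arg(argv)))
```

Running it shows that the first command line collapses to just three argv entries (so nmap sees no target, matching the "No targets were specified" warning), the second hands nmap the --script value `C:\none" -sV` verbatim, and the third yields `C:\Program Files\Nmap\scripts\` followed by the remaining options as separate arguments.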
