Kris Katterjohn wrote:
> jah wrote:
>> I would like, in certain circumstances, to force nmap not to run
>> scripts that it would otherwise run automatically (category
>> "version") and I've been experimenting with 4.23RC3. Having re-read
>> the docs on the subject, I decided that I'd start by pointing nmap at
>> a directory containing zero scripts and found what I believe to be
>> some odd things:
>>
>> Nmap won't parse any arguments found after a quote enclosed, absolute
>> path, to a directory containing zero or more scripts, if a backslash
>> is appended to the path:
>>
>> C:\>nmap --script "C:\Program Files\Nmap\scripts\" -sV --log-errors
>> -p80 192.168.1.1 -R --script-trace
>> Starting Nmap 4.23RC3 ( http://insecure.org ) at 2007-12-07 18:07 GMT
>> Standard Time
>> WARNING: No targets were specified, so 0 hosts scanned.
>> Nmap done: 0 IP addresses (0 hosts up) scanned in 0.047 seconds
>>
>> C:\>nmap -p80 192.168.1.1 -R --log-errors --script-trace
>> --script="C:\none\" -sV
>> Starting Nmap 4.23RC3 ( http://insecure.org ) at 2007-12-07 18:07 GMT
>> Standard Time
>> SCRIPT ENGINE: No such category, file or directory: 'C:\none" -sV'
>> SCRIPT ENGINE: Aborting script scan.
>> Interesting ports on 192.168.1.1:
>> PORT STATE SERVICE
>> 80/tcp open http
>> MAC Address: XX:XX:XX:D5:5E:30 (XXXXXX)
>> Nmap done: 1 IP address (1 host up) scanned in 0.156 seconds
>>
>> In the second example above, version detection was not done. Notice
>> the trailing slash was consumed in the response from the script engine.
>>
>> So escaping the trailing slash should work:
>>
>> C:\>nmap --script "C:\Program Files\Nmap\scripts\\" -sV --log-errors
>> -p80 192.168.1.1 -R --script-trace
>> Starting Nmap 4.23RC3 ( http://insecure.org ) at 2007-12-07 18:07 GMT
>> Standard Time
>> SCRIPT ENGINE: No such category, file or directory: 'C:\Program
>> Files\Nmap\scripts\'
>> SCRIPT ENGINE: Aborting script scan.
>> Interesting ports on 192.168.1.1:
>> PORT STATE SERVICE VERSION
>> 80/tcp open tcpwrapped
>> MAC Address: XX:XX:XX:D5:5E:30 (XXXXXX)
>> Service detection performed. Please report any incorrect results at
>> http://insecure.org/nmap/submit/ .
>> Nmap done: 1 IP address (1 host up) scanned in 5.562 seconds
>>
>> All are arguments parsed. However, it doesn't like the absolute path
>> to a directory in which the scripts reside. (A nice hack for forcing
>> nmap not to run scripts! because script scanning is immediately aborted)
>>
>> I see "No such category, file or directory" for any absolute path to
>> a directory whether it contains scripts (as in the above default
>> script location examples) or not and regardless of spaces in the path
>> (and hence quote enclosed),trailing slashes, direction of slashes and
>> whether I supply --script=<path> or --script <path>.
>>
>> I see the same issue with any absolute path to any file (.nse or
>> otherwise).
>>
>> I'd say absolute paths to scripts and scriptdirs are broken on windows!
>> This is also true in 4.22SOC8.
>>
>>
>>
>> The docs say (http://insecure.org/nmap/man/man-version-detection.html):
>>
>> "Absolute paths are used as is, relative paths are searched in the
>> following places until found: --datadir/; $(NMAPDIR)/; ~user/nmap/
>> (not searched on Windows); NMAPDATADIR/ or ./"
>>
>>
>> Relative paths to script directories require a trailing backslash or
>> else:
>> Fetchfile found C:\Program Files\Nmap\myscripts
>> LUA INTERPRETER in ..\nse_init.cc:706: cannot open C:\Program
>> Files\Nmap\myscripts<script_name>.nse: No such file or directory
>>
>> and the same error if --datadir is set to a path other than "."
>> without the use of a trailing backslash.
>>
>> Script scanning is immediately aborted in these cases which seems a
>> bit odd because the use of relative paths don't override the use of
>> scripts in $(NMAPDIR)/scripts and I would hope that the script engine
>> could continue with these.
>>
>>
>> On a related note and a minor niggle, if --script version is supplied
>> explicitly, without -sV, then execution only stops once the script
>> scanning phase is reached at which point:
>> SCRIPT ENGINE: specifying the "version" category explicitely is not
>> allowed. [sic]
>> QUITTING!
>> Wouldn't it be more consistent to check for this and to fail before
>> any other scanning is performed?
>>
>> An even more minor niggle - barely worth mentioning - When Version
>> detection is performed, nmap finishes off by reporting "Service
>> detection performed. Please report any incorrect results at
>> http://insecure.org/nmap/submit/ ."
>> and I wonder if it might be more consistent to say service Version
>> detection or just Version detection.
>>
>>
>>
>> To summarise the main points, I believe that:
>>
>> Absolute paths to scripts/dirs are not working.
>> Error if absolute dir paths end in backslash.
>> Error if relative dir paths don't end in backslash.
>>
>
> I can't test on Windows since I haven't run it (other than at school)
> since the SoC, but it looks like a bug in the cmd.exe parsing of
> quotes (") and escaped quotes (\"). Nmap is given what the command
> interpreter gives it, and that's the problem :)
>
> This right here is what really makes me think so (from above):
>
> C:\>nmap -p80 192.168.1.1 -R --log-errors --script-trace
> --script="C:\none\" -sV
> Starting Nmap 4.23RC3 ( http://insecure.org ) at 2007-12-07 18:07 GMT
> Standard Time
> SCRIPT ENGINE: No such category, file or directory: 'C:\none" -sV'
> SCRIPT ENGINE: Aborting script scan.
>
> It grabs 'C:\none" -sV' for the directory, which isn't right. UNIX
> shells will give you a second prompt like "> " if you haven't finished
> a quote or something (so you can finish it), but cmd.exe apparently
> just sends the rest of the line to the program.
Yes, you could be on to something there because if I supply an absolute
path with a backslash in zenmap, it doesn't complain. It also doesn't
do any script scanning though (with or without backslash).
If I supply a relative path without a backslash, it doesn't complain,
but doesn't do any script scanning.
Zenmap doesn't display "fetchfile found" debug messages with -d3 (or -d
-d -d) as nmap at cmd does.
jah
>
> Well, I'm kinda busy right now, but I wanted to share what I noticed.
> I hope that helps.
>
> Thanks,
> Kris Katterjohn
>
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
Received on Dec 07 2007
Intro
