Nmap Development mailing list archives

Re: [Bug]? Script Directories 4.23RC3 on MSWin32
From: Kris Katterjohn <katterjohn () gmail com>
Date: Fri, 07 Dec 2007 16:05:43 -0600

jah wrote:
I would like, in certain circumstances, to force nmap not to run scripts 
that it would otherwise run automatically (category "version") and I've 
been experimenting with 4.23RC3.  Having re-read the docs on the 
subject, I decided that I'd start by pointing nmap at a directory 
containing zero scripts and found what I believe to be some odd things:

Nmap won't parse any arguments found after a quote enclosed, absolute 
path, to a directory containing zero or more scripts, if a backslash is 
appended to the path:

C:\>nmap --script "C:\Program Files\Nmap\scripts\" -sV --log-errors -p80 
192.168.1.1 -R --script-trace
Starting Nmap 4.23RC3 ( http://insecure.org ) at 2007-12-07 18:07 GMT 
Standard Time
WARNING: No targets were specified, so 0 hosts scanned.
Nmap done: 0 IP addresses (0 hosts up) scanned in 0.047 seconds

C:\>nmap -p80 192.168.1.1 -R --log-errors --script-trace 
--script="C:\none\" -sV
Starting Nmap 4.23RC3 ( http://insecure.org ) at 2007-12-07 18:07 GMT 
Standard Time
SCRIPT ENGINE: No such category, file or directory: 'C:\none" -sV'
SCRIPT ENGINE: Aborting script scan.
Interesting ports on 192.168.1.1:
PORT   STATE SERVICE
80/tcp open  http
MAC Address: XX:XX:XX:D5:5E:30 (XXXXXX)
Nmap done: 1 IP address (1 host up) scanned in 0.156 seconds

In the second example above, version detection was not done.  Notice the 
trailing slash was consumed in the response from the script engine.

So escaping the trailing slash should work:

C:\>nmap --script "C:\Program Files\Nmap\scripts\\" -sV --log-errors 
-p80 192.168.1.1 -R --script-trace
Starting Nmap 4.23RC3 ( http://insecure.org ) at 2007-12-07 18:07 GMT 
Standard Time
SCRIPT ENGINE: No such category, file or directory: 'C:\Program 
Files\Nmap\scripts\'
SCRIPT ENGINE: Aborting script scan.
Interesting ports on 192.168.1.1:
PORT   STATE SERVICE    VERSION
80/tcp open  tcpwrapped
MAC Address: XX:XX:XX:D5:5E:30 (XXXXXX)
Service detection performed. Please report any incorrect results at 
http://insecure.org/nmap/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 5.562 seconds

All arguments are parsed.  However, it doesn't like the absolute path to 
a directory in which the scripts reside.  (A nice hack for forcing nmap 
not to run scripts! because script scanning is immediately aborted)

I see "No such category, file or directory" for any absolute path to a 
directory whether it contains scripts (as in the above default script 
location examples) or not and regardless of spaces in the path (and 
hence quote enclosed), trailing slashes, direction of slashes and whether 
I supply --script=<path> or --script <path>.

I see the same issue with any absolute path to any file (.nse or otherwise).

I'd say absolute paths to scripts and scriptdirs are broken on windows!
This is also true in 4.22SOC8.



The docs say (http://insecure.org/nmap/man/man-version-detection.html):

    "Absolute paths are used as is, relative paths are searched in the
    following places until found: --datadir/; $(NMAPDIR)/; ~user/nmap/
    (not searched on Windows); NMAPDATADIR/ or ./"


Relative paths to script directories require a trailing backslash or else:
Fetchfile found C:\Program Files\Nmap\myscripts
LUA INTERPRETER in ..\nse_init.cc:706: cannot open C:\Program 
Files\Nmap\myscripts<script_name>.nse: No such file or directory

and the same error if --datadir is set to a path other than "." without 
the use of a trailing backslash.

Script scanning is immediately aborted in these cases which seems a bit 
odd because the use of relative paths doesn't override the use of scripts 
in $(NMAPDIR)/scripts and I would hope that the script engine could 
continue with these.


On a related note and a minor niggle, if --script version is supplied 
explicitly, without -sV, then execution only stops once the script 
scanning phase is reached at which point:
SCRIPT ENGINE: specifying the "version" category explicitely is not 
allowed. [sic]
QUITTING!
Wouldn't it be more consistent to check for this and to fail before any 
other scanning is performed?

An even more minor niggle - barely worth mentioning - When Version 
detection is performed, nmap finishes off by reporting "Service 
detection performed. Please report any incorrect results at 
http://insecure.org/nmap/submit/ ."
and I wonder if it might be more consistent to say service Version 
detection or just Version detection.



To summarise the main points, I believe that:

Absolute paths to scripts/dirs are not working.
Error if absolute dir paths end in backslash.
Error if relative dir paths don't end in backslash.


I can't test on Windows since I haven't run it (other than at school) 
since the SoC, but it looks like a bug in the cmd.exe parsing of quotes 
(") and escaped quotes (\").  Nmap is given what the command interpreter 
gives it, and that's the problem :)

This right here is what really makes me think so (from above):

C:\>nmap -p80 192.168.1.1 -R --log-errors --script-trace
--script="C:\none\" -sV
Starting Nmap 4.23RC3 ( http://insecure.org ) at 2007-12-07 18:07 GMT
Standard Time
SCRIPT ENGINE: No such category, file or directory: 'C:\none" -sV'
SCRIPT ENGINE: Aborting script scan.

It grabs 'C:\none" -sV' for the directory, which isn't right.  UNIX 
shells will give you a second prompt like "> " if you haven't finished a 
quote or something (so you can finish it), but cmd.exe apparently just 
sends the rest of the line to the program.

Well, I'm kinda busy right now, but I wanted to share what I noticed.  I 
hope that helps.

Thanks,
Kris Katterjohn
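Added example, not part of either message above: a small Python model of the argv-splitting rules that the Microsoft C runtime applies to the raw command line a Windows program receives (backslashes are literal unless they immediately precede a double quote; an even run of backslashes before a quote yields half as many backslashes and the quote delimits; an odd run yields half as many backslashes and a literal quote). It is fed the three command lines quoted in the thread (re-typed here as constructed raw strings) so you can see why `scripts\"` swallows the rest of the line, why `--script="C:\none\" -sV` hands Nmap the value `C:\none" -sV`, and why `scripts\\"` gives the intended trailing backslash. The `script_argument` helper is a hypothetical stand-in for Nmap's own option handling, only there to pull out what `--script` would receive.

```python
"""Model of the Microsoft C runtime rules for splitting a command line into argv.

This is an illustrative reimplementation (not Nmap's or the CRT's code) of the
documented rules: whitespace separates arguments, double quotes group, and a
backslash is only special when it directly precedes a double quote.
"""


def parse_windows_cmdline(cmdline: str) -> list[str]:
    """Split a raw Windows command line into argv using the classic CRT rules."""
    argv = []
    i, n = 0, len(cmdline)
    while i < n:
        # Skip whitespace between arguments.
        while i < n and cmdline[i] in " \t":
            i += 1
        if i >= n:
            break
        arg = []
        in_quotes = False
        while i < n:
            c = cmdline[i]
            if c == "\\":
                # Count the run of backslashes and look at what follows it.
                j = i
                while j < n and cmdline[j] == "\\":
                    j += 1
                count = j - i
                if j < n and cmdline[j] == '"':
                    # 2n backslashes + quote -> n backslashes, quote delimits.
                    # 2n+1 backslashes + quote -> n backslashes, literal quote.
                    arg.append("\\" * (count // 2))
                    if count % 2 == 1:
                        arg.append('"')
                        i = j + 1          # the quote was consumed as a literal
                    else:
                        i = j              # leave the quote to toggle quoting below
                else:
                    arg.append("\\" * count)  # backslashes not before a quote are literal
                    i = j
                continue
            if c == '"':
                in_quotes = not in_quotes   # delimiter quote: not copied into argv
                i += 1
                continue
            if not in_quotes and c in " \t":
                break                       # unquoted whitespace ends the argument
            arg.append(c)
            i += 1
        argv.append("".join(arg))
    return argv


def script_argument(argv: list[str]):
    """Hypothetical helper: return the value --script would receive, or None.

    Accepts both "--script <value>" and "--script=<value>"; "--script-trace"
    matches neither form and is left alone.
    """
    for idx, a in enumerate(argv):
        if a == "--script" and idx + 1 < len(argv):
            return argv[idx + 1]
        if a.startswith("--script="):
            return a[len("--script="):]
    return None


# Constructed copies of the three command lines quoted in the thread.
CMD_TRAILING_BACKSLASH = r'nmap --script "C:\Program Files\Nmap\scripts\" -sV --log-errors -p80 192.168.1.1 -R --script-trace'
CMD_SCRIPT_EQUALS = r'nmap -p80 192.168.1.1 -R --log-errors --script-trace --script="C:\none\" -sV'
CMD_ESCAPED_BACKSLASH = r'nmap --script "C:\Program Files\Nmap\scripts\\" -sV --log-errors -p80 192.168.1.1 -R --script-trace'


if __name__ == "__main__":
    for label, cmd in (("trailing \\\"", CMD_TRAILING_BACKSLASH),
                       ("--script=...\\\"", CMD_SCRIPT_EQUALS),
                       ("escaped \\\\\"", CMD_ESCAPED_BACKSLASH)):
        argv = parse_windows_cmdline(cmd)
        print(f"{label}: {len(argv)} argv entries, --script receives {script_argument(argv)!r}")
```

Running the block shows the first command line collapsing to three argv entries (`nmap`, `--script`, and one long string holding the path, the literal quote and every later option, hence "No targets were specified"), the second handing `--script` the value `C:\none" -sV`, and the third producing nine clean entries with the path ending in a single backslash. The model follows the classic rules only; it does not reproduce the extra `""`-inside-quotes case that newer C runtimes add.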

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org