Home page logo
/

nmap-dev logo Nmap Development mailing list archives

Re: [Bug]? Script Directories 4.23RC3 on MSWin32
From: jah <jah () zadkiel plus com>
Date: Fri, 07 Dec 2007 22:38:21 +0000



Kris Katterjohn wrote:
jah wrote:
I would like, in certain circumstances, to force nmap not to run 
scripts that it would otherwise run automatically (category 
"version") and I've been experimenting with 4.23RC3.  Having re-read 
the docs on the subject, I decided that I'd start by pointing nmap at 
a directory containing zero scripts and found what I believe to be 
some odd things:

Nmap won't parse any arguments found after a quote enclosed, absolute 
path, to a directory containing zero or more scripts, if a backslash 
is appended to the path:

C:\>nmap --script "C:\Program Files\Nmap\scripts\" -sV --log-errors 
-p80 192.168.1.1 -R --script-trace
Starting Nmap 4.23RC3 ( http://insecure.org ) at 2007-12-07 18:07 GMT 
Standard Time
WARNING: No targets were specified, so 0 hosts scanned.
Nmap done: 0 IP addresses (0 hosts up) scanned in 0.047 seconds

C:\>nmap -p80 192.168.1.1 -R --log-errors --script-trace 
--script="C:\none\" -sV
Starting Nmap 4.23RC3 ( http://insecure.org ) at 2007-12-07 18:07 GMT 
Standard Time
SCRIPT ENGINE: No such category, file or directory: 'C:\none" -sV'
SCRIPT ENGINE: Aborting script scan.
Interesting ports on 192.168.1.1:
PORT   STATE SERVICE
80/tcp open  http
MAC Address: XX:XX:XX:D5:5E:30 (XXXXXX)
Nmap done: 1 IP address (1 host up) scanned in 0.156 seconds

In the second example above, version detection was not done.  Notice 
the trailing slash was consumed in the response from the script engine.

So escaping the trailing slash should work:

C:\>nmap --script "C:\Program Files\Nmap\scripts\\" -sV --log-errors 
-p80 192.168.1.1 -R --script-trace
Starting Nmap 4.23RC3 ( http://insecure.org ) at 2007-12-07 18:07 GMT 
Standard Time
SCRIPT ENGINE: No such category, file or directory: 'C:\Program 
Files\Nmap\scripts\'
SCRIPT ENGINE: Aborting script scan.
Interesting ports on 192.168.1.1:
PORT   STATE SERVICE    VERSION
80/tcp open  tcpwrapped
MAC Address: XX:XX:XX:D5:5E:30 (XXXXXX)
Service detection performed. Please report any incorrect results at 
http://insecure.org/nmap/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 5.562 seconds

All are arguments parsed.  However, it doesn't like the absolute path 
to a directory in which the scripts reside.  (A nice hack for forcing 
nmap not to run scripts! because script scanning is immediately aborted)

I see "No such category, file or directory" for any absolute path to 
a directory whether it contains scripts (as in the above default 
script location examples) or not and regardless of spaces in the path 
(and hence quote enclosed),trailing slashes, direction of slashes and 
whether I supply --script=<path> or --script <path>.

I see the same issue with any absolute path to any file (.nse or 
otherwise).

I'd say absolute paths to scripts and scriptdirs are broken on windows!
This is also true in 4.22SOC8.



The docs say (http://insecure.org/nmap/man/man-version-detection.html):

    "Absolute paths are used as is, relative paths are searched in the
    following places until found: --datadir/; $(NMAPDIR)/; ~user/nmap/
    (not searched on Windows); NMAPDATADIR/ or ./"


Relative paths to script directories require a trailing backslash or 
else:
Fetchfile found C:\Program Files\Nmap\myscripts
LUA INTERPRETER in ..\nse_init.cc:706: cannot open C:\Program 
Files\Nmap\myscripts<script_name>.nse: No such file or directory

and the same error if --datadir is set to a path other than "." 
without the use of a trailing backslash.

Script scanning is immediately aborted in these cases which seems a 
bit odd because the use of relative paths don't override the use of 
scripts in $(NMAPDIR)/scripts and I would hope that the script engine 
could continue with these.


On a related note and a minor niggle, if --script version is supplied 
explicitly, without -sV, then execution only stops once the script 
scanning phase is reached at which point:
SCRIPT ENGINE: specifying the "version" category explicitely is not 
allowed. [sic]
QUITTING!
Wouldn't it be more consistent to check for this and to fail before 
any other scanning is performed?

An even more minor niggle - barely worth mentioning - When Version 
detection is performed, nmap finishes off by reporting "Service 
detection performed. Please report any incorrect results at 
http://insecure.org/nmap/submit/ ."
and I wonder if it might be more consistent to say service Version 
detection or just Version detection.



To summarise the main points, I believe that:

Absolute paths to scripts/dirs are not working.
Error if absolute dir paths end in backslash.
Error if relative dir paths don't end in backslash.


I can't test on Windows since I haven't run it (other than at school) 
since the SoC, but it looks like a bug in the cmd.exe parsing of 
quotes (") and escaped quotes (\").  Nmap is given what the command 
interpreter gives it, and that's the problem :)

This right here is what really makes me think so (from above):

C:\>nmap -p80 192.168.1.1 -R --log-errors --script-trace
--script="C:\none\" -sV
Starting Nmap 4.23RC3 ( http://insecure.org ) at 2007-12-07 18:07 GMT
Standard Time
SCRIPT ENGINE: No such category, file or directory: 'C:\none" -sV'
SCRIPT ENGINE: Aborting script scan.

It grabs 'C:\none" -sV' for the directory, which isn't right.  UNIX 
shells will give you a second prompt like "> " if you haven't finished 
a quote or something (so you can finish it), but cmd.exe apparently 
just sends the rest of the line to the program.

Yes, you could be on to something there because if I supply an absolute 
path with a backslash in zenmap, it doesn't complain.  It also doesn't 
do any script scanning though (with or without backslash).
If I supply a relative path without a backslash, it doesn't complain, 
but doesn't do any script scanning.
Zenmap doesn't display "fetchfile found" debug messages with -d3 (or -d 
-d -d) as nmap at cmd does.

jah


Well, I'm kinda busy right now, but I wanted to share what I noticed.  
I hope that helps.

Thanks,
Kris Katterjohn


_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault