Home page logo
/

nmap-dev logo Nmap Development mailing list archives

Re: [Bug]? Script Directories 4.23RC3 on MSWin32
From: jah <jah () zadkiel plus com>
Date: Sun, 09 Dec 2007 15:31:19 +0000

David Fifield wrote:
On Fri, Dec 07, 2007 at 09:51:40PM +0000, jah wrote:
  
I would like, in certain circumstances, to force nmap not to run scripts 
that it would otherwise run automatically (category "version") and I've 
been experimenting with 4.23RC3.  Having re-read the docs on the 
subject, I decided that I'd start by pointing nmap at a directory 
containing zero scripts and found what I believe to be some odd things:

Nmap won't parse any arguments found after a quote enclosed, absolute 
path, to a directory containing zero or more scripts, if a backslash is 
appended to the path:

C:\>nmap --script "C:\Program Files\Nmap\scripts\" -sV --log-errors -p80 
192.168.1.1 -R --script-trace
Starting Nmap 4.23RC3 ( http://insecure.org ) at 2007-12-07 18:07 GMT 
Standard Time
WARNING: No targets were specified, so 0 hosts scanned.
Nmap done: 0 IP addresses (0 hosts up) scanned in 0.047 seconds
    

As Kris observed, this is because the backslash is escaping the closing
quote.

  
Agreed, perhaps this weirdness with the windows command interpreter 
ought to be referenced in the docs.  Or maybe have nmap split any 
arguments that contain a quote (") in them and so avoid:

    --script="C:\none\" -sV
    SCRIPT ENGINE: No such category, file or directory: 'C:\none" -sV'

So escaping the trailing slash should work:

C:\>nmap --script "C:\Program Files\Nmap\scripts\\" -sV --log-errors 
-p80 192.168.1.1 -R --script-trace
Starting Nmap 4.23RC3 ( http://insecure.org ) at 2007-12-07 18:07 GMT 
Standard Time
SCRIPT ENGINE: No such category, file or directory: 'C:\Program 
Files\Nmap\scripts\'
SCRIPT ENGINE: Aborting script scan.
Interesting ports on 192.168.1.1:
PORT   STATE SERVICE    VERSION
80/tcp open  tcpwrapped
MAC Address: XX:XX:XX:D5:5E:30 (XXXXXX)
Service detection performed. Please report any incorrect results at 
http://insecure.org/nmap/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 5.562 seconds
    

I committed a fix for this. Here is what happens before and after the
fix.

nmap --script=/home/david/nmap/scripts/SSHv1-support.nse -d localhost
Before: SCRIPT ENGINE: No such category, file or directory: '/home/david/nmap/scripts/SSHv1-support.nse'
After:  SCRIPT ENGINE: Will run /home/david/nmap/scripts/SSHv1-support.nse against 127.0.0.1:22

nmap --script=/home/david/nmap/scripts/SSHv1-support -d localhost
Before: SCRIPT ENGINE: No such category, file or directory: '/home/david/nmap/scripts/SSHv1-support'
After:  SCRIPT ENGINE: Will run /home/david/nmap/scripts/SSHv1-support.nse against 127.0.0.1:22

nmap --script=/scripts/SSHv1-support.nse -d localhost
Before: SCRIPT ENGINE: Will run /usr/share/nmap//scripts/SSHv1-support.nse against 127.0.0.1:22
After:  SCRIPT ENGINE: No such category, file or directory: '/scripts/SSHv1-support.nse'

nmap --script=/scripts/SSHv1-support -d localhost
Before: SCRIPT ENGINE: Will run /usr/share/nmap//scripts/SSHv1-support.nse against 127.0.0.1:22
After:  SCRIPT ENGINE: No such category, file or directory: '/scripts/SSHv1-support'

nmap --script=/home/david/nmap/scripts -d localhost
Before: SCRIPT ENGINE: No such category, file or directory: '/home/david/nmap/scripts'
After:  SCRIPT ENGINE: Will run /home/david/nmap/scripts/ripeQuery.nse against 127.0.0.1
        SCRIPT ENGINE: Will run /home/david/nmap/scripts/SSHv1-support.nse against 127.0.0.1:22

I also tested on Windows.

David Fifield
  
Great stuff, it seems well fixed!
There is a slight difference between your examples above and in windows 
when a leading slash is used for a relative path:

nmap 192.168.1.1 -sSV -p80 --script \myscripts -d
SCRIPT ENGINE: Will run C:\Program 
Files\Nmap\\myscripts\skype_v2-version.nse against 192.168.1.1:80

This, at both the command prompt and in zenmap.
Difficult to know whether this should happen or not given cmd.exe behaviour:

    C:\nmap-4.49RC6>cd \myscripts
    The system cannot find the path specified.

    C:\nmap-4.49RC6>cd /myscripts

    C:\nmap-4.49RC6\myscripts>

Bizarre.

The only other question remaining is that given that nmap will use 
scripts from it's default script dir in addition to scripts at any 
supplied paths, should it fail to do any script scanning if the supplied 
path is in some way incorrect?  Or should it indeed not even use it's 
default scripts if alternative ones are supplied?
One for the future!


jah



_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault