Nmap Development mailing list archives

Re: [RFC] Default NSE Scripts
From: Brandon Enright <bmenrigh () ucsd edu>
Date: Sat, 10 May 2008 04:43:15 +0000

Hi Fyodor.  I have a few comments below.  I think this topic is hard to
discuss without sounding confrontational.  These are my opinions alone
and are meant constructively.  Text has a way of concealing a
well-meaning tone.  Please read the tone of this email as 100% friendly.

On Fri, 9 May 2008 21:08:57 -0700 or thereabouts Fyodor
<fyodor () insecure org> wrote:

>> * anonFTP
>>
>> This logs into the FTP server.  It may be hard to argue that port
>> scanning is a crime but it's easy to argue that under the right
>> circumstances, logging into a FTP server is unauthorized access.
>
> Since the point of anonymous FTP is to allow unauthenticated access,
> it would be pretty lame to argue that it is unauthorized access, IMHO.
> If you don't want to allow the public access, use a
> username/password.  Some search engines index anonymous ftp content.
>
> But at the same time, I don't think people should assume that doing a
> default script scan against some target machine/network without
> permission is OK.  The scripts in general are much more intrusive than
> a simple port scan, as you've noted.  Currently, the default is to run
> scripts in the "intrusive" category (as well as "safe").
>
> Still, we don't want anything too dangerous running as default.  A
> metasploit-style exploitation script is no-go, for example.

First I'll start off by saying that I don't disagree.  The problem
though is that I've often heard the argument "just because the door
wasn't locked..." with regard to passwords not being on services.

All too often people that have no business making or weighing technical
decisions are involved in the process anyways.  To the rest of us,
arguing that logging into anonymous FTP is unauthorized access is
ridiculous.  To someone looking for any excuse to prosecute you though,
it's more ammunition than I'd like to give (by default anyways).

Here is another example.  How many of us think privacy notices like the
one below are ridiculous:

"PRIVACY & CONFIDENTIALITY NOTICE: This message is for the designated
recipient only and may contain privileged, confidential, or otherwise
private information. If you have received it in error, please notify
the sender immediately and delete the original. Any other use of an
email received in error is prohibited."

Probably all of us.  Will one of these hold up in court?  Maybe.
People still feel a need to "protect" themselves by putting them in
their signature.

These privacy notices are little different than the various FTP banners
you see on public FTP servers like this one:

220-Any or all use of this system and all files on this system may be intercepted and monitored.
220-Unauthorized or improper use of this system may result in disciplinary and/or legal action.  By continuing to use this system you indicate your awareness of and consent to these terms and conditions of use.
220-LOG OFF IMMEDIATELY if you are not an authorized user of this system or do not agree to the conditions stated in this warning.
220 <hostname> FTP server (Version:  Mac OS X Server 10.5.5 003 - +GSSAPI) ready.

The wording of this banner suggests that logging in alone is agreement
to the "terms".

Who knows if any of this crap would actually hold up in court.  I
really don't think any scripts in the default category though should
also fall into the "askalawyer" category.

A user of Nmap takes responsibility for their actions into their own
hands.  Let's not have the proverbial gun pointing at their foot by
default though; let's make them aim it there on their own.

Sent through the nmap-dev mailing list
Archived at http://SecLists.Org