Home page logo

nmap-dev logo Nmap Development mailing list archives

Re: [RFC] Default NSE Scripts
From: Fyodor <fyodor () insecure org>
Date: Fri, 9 May 2008 22:01:43 -0700

On Sat, May 10, 2008 at 04:43:15AM +0000, Brandon Enright wrote:

Who knows if any of this crap would actually hold up in court.  I
really don't think any scripts in the default category though should
also fall into the "askalayer" category.

A user of Nmap takes responsibility for their actions into their own
hands.  Lets not have the proverbial gun pointing at their foot by
default though, lets make them aim it there on their own.

I see your point, but I think that many/most scripts have the
potential to annoy the sorts of people would would put out a public
FTP server with anonymous access enabled, and then complain when
people log in.  Also, these scripts won't run with a deafult scan like
"nmap <target>".  Only if you specify scripting with an option such as
-sC or -A.  And anonFTP has run by default (if you're ask for
scripting) since it was added in 2006 and I haven't heard any
complaints about it being default.  So this isn't a change in

Maybe what we need to do is document better that -sC/-A are
particularly intrusive and really shouldn't be run without permission
of the target network.

While I don't think I'd want exploits running by default with -sC, I'd
like to have vulnerability checks included so that Nmap can tell you
if it sees a gaping hole.  And many admins don't like folks
vuln-checking their servers without permission.


Sent through the nmap-dev mailing list
Archived at http://SecLists.Org

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]