Home page logo

nmap-dev logo Nmap Development mailing list archives

Re: [RFC] Default NSE Scripts
From: "Kris Katterjohn" <katterjohn () gmail com>
Date: Sat, 10 May 2008 23:53:38 +0530

On 5/10/08, Fyodor <fyodor () insecure org> wrote:
On Sat, May 10, 2008 at 03:53:43AM +0000, Brandon Enright wrote:

A few comments about your list below.

Thanks Brandon, this is useful stuff!

Indeed--thanks, Brandon!

* mswindowsShell - "backdoor"

Hmm, I'm not sure why this script even exists.  In my experience,
Windows shells are rarely on port 8888, 4444 and 44444 are much more
common.  Also, the script doesn't do anything that the -sV NULL probe
can't match.  This script should probably be demo only.

Good point.  In fact, we already have such a version detection probe:

match winshell m/^Microsoft Windows ((2000)|(XP)|(NT 4\.0)) \[Version ([\d.]+)\]\r\n\(C\) Copyright 1985-20\d\d 
Microsoft Corp\.\r\n\r\n/ p/Microsoft Windows $1 $5 cmd.exe/ o/Windows/ i/**BACKDOOR**/

Removing this script sounds like the way to go, though making it
demo-only is a reasonable alternative.

I'll put the script in "demo" when I start back working probably later
tonight (or remove it all together if desired).

* RealVNC_auth_bypass - "backdoor"

This script should be in the default category.  It is no more harmful
than the SSHv1 test.  It doesn't exploit and buffer or anything else of
that nature.  It also doesn't complete the login sequence like the
anonFTP script.  It simply checks to see if the VNC server supports the
NULL authentication option.

Sounds like a good argument to me.

Sounds good to me, too.  I'll add that to the default list.


Kris Katterjohn

Sent through the nmap-dev mailing list
Archived at http://SecLists.Org

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]