Re: [RFC] Default NSE Scripts
From: "Kris Katterjohn" <katterjohn () gmail com>
Date: Sat, 10 May 2008 23:53:38 +0530
On 5/10/08, Fyodor <fyodor () insecure org> wrote:
On Sat, May 10, 2008 at 03:53:43AM +0000, Brandon Enright wrote:
A few comments about your list below.
Thanks Brandon, this is useful stuff!
* mswindowsShell - "backdoor"
Hmm, I'm not sure why this script even exists. In my experience,
Windows shells are rarely on port 8888; 4444 and 44444 are much more
common. Also, the script doesn't do anything that the -sV NULL probe
can't match. This script should probably be demo only.
Good point. In fact, we already have such a version detection probe:
match winshell m/^Microsoft Windows ((2000)|(XP)|(NT 4\.0)) \[Version ([\d.]+)\]\r\n\(C\) Copyright 1985-20\d\d Microsoft Corp\.\r\n\r\n/ p/Microsoft Windows $1 $5 cmd.exe/ o/Windows/ i/**BACKDOOR**/
Removing this script sounds like the way to go, though making it
demo-only is a reasonable alternative.
I'll put the script in "demo" when I start back working probably later
tonight (or remove it altogether if desired).
* RealVNC_auth_bypass - "backdoor"
This script should be in the default category. It is no more harmful
than the SSHv1 test. It doesn't exploit any buffer or anything else of
that nature. It also doesn't complete the login sequence like the
anonFTP script. It simply checks to see if the VNC server supports the
NULL authentication option.
Sounds like a good argument to me.
Sounds good to me, too. I'll add that to the default list.
Sent through the nmap-dev mailing list
Archived at http://SecLists.Org
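
How the winshell match line quoted in the message turns a NULL-probe banner into a version result with no script involved, as an added example (not part of the original thread and not Nmap's own code). The function names and both sample banners are constructed for illustration; only the p/, v/, i/, h/, o/ and d/ fields are handled.

```python
import re

# The winshell match line from the message, joined onto one line.
WINSHELL = (r"match winshell m/^Microsoft Windows ((2000)|(XP)|(NT 4\.0)) "
            r"\[Version ([\d.]+)\]\r\n\(C\) Copyright 1985-20\d\d "
            r"Microsoft Corp\.\r\n\r\n/ p/Microsoft Windows $1 $5 cmd.exe/ "
            r"o/Windows/ i/**BACKDOOR**/")

FIELDS = {"p": "product", "v": "version", "i": "info",
          "h": "hostname", "o": "os", "d": "devicetype"}

def parse_match(line):
    """Split a 'match' directive into service, compiled regex and templates."""
    directive, service, rest = line.split(" ", 2)
    if directive != "match" or not rest.startswith("m"):
        raise ValueError("not a match directive")
    delim = rest[1]                      # usually '/' or '|'
    end = rest.index(delim, 2)
    pattern, rest = rest[2:end], rest[end + 1:]
    flags = 0
    while rest and rest[0] in "is":      # optional regex flags after the pattern
        flags |= re.IGNORECASE if rest[0] == "i" else re.DOTALL
        rest = rest[1:]
    templates, rest = {}, rest.strip()
    while rest:                          # version-info fields: p/.../ o/.../ ...
        key, delim = rest[0], rest[1]
        end = rest.index(delim, 2)
        templates[FIELDS[key]] = rest[2:end]
        rest = rest[end + 1:].strip()
    return service, re.compile(pattern.encode(), flags), templates

def identify(line, banner):
    """Apply one match line to raw banner bytes; None if it does not match."""
    service, regex, templates = parse_match(line)
    m = regex.search(banner)
    if m is None:
        return None
    def fill(template):                  # expand $1..$9 from the capture groups
        return re.sub(r"\$(\d)", lambda r: (m.group(int(r.group(1))) or b"")
                      .decode("latin-1"), template)
    result = {name: fill(t) for name, t in templates.items()}
    result["service"] = service
    return result

# Constructed sample banners: what a listener would send before any probe data.
SHELL_BANNER = (b"Microsoft Windows XP [Version 5.1.2600]\r\n"
                b"(C) Copyright 1985-2001 Microsoft Corp.\r\n\r\nC:\\>")
SSH_BANNER = b"SSH-2.0-OpenSSH_4.7\r\n"

if __name__ == "__main__":
    print(identify(WINSHELL, SHELL_BANNER))
    print(identify(WINSHELL, SSH_BANNER))
```

The match is port-independent, so the same line flags the banner on 4444, 44444 or any other port that version detection probes.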