Home page logo
/

nmap-dev logo Nmap Development mailing list archives

Re: [RFC] Default NSE Scripts
From: Kris Katterjohn <katterjohn () gmail com>
Date: Sat, 10 May 2008 17:02:06 -0500

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hey Jah, thanks for the detailed comments!

jah wrote:
On 09/05/2008 23:17, Kris Katterjohn wrote:
Instead of NSE running "safe" and "intrusive" scripts by default, I'm
creating a "default" category for this purpose.  This is important
because there are some safe and intrusive scripts that you wouldn't want
run by default (e.g. an obscure safe script or a slow intrusive script).
Definitely a good idea, but your list for Default includes scripts that
were never in Safe or Intrusive to begin with so I assume you're looking
at any script for possible inclusion in the default category.  (Also,

That's my plan.  It shouldn't matter which category it is in as long as
it is "good enough" to be in default (I'll try to discuss this in more
detail below).

UPnP-info seems to have gone AWOL).

D'oh!  Indeed it has.  Sorry about that!

1) Quick
How to measure this?  The only script I would call slow is bruteTelnet
which is "Vulnerability".

I suppose I should've just said "not slow" rather than the even less
precise "quick".  Since this is all subjective, I would say that if a
script takes a very noticeably longer time than other "quick" scripts
then it probably shouldn't be in default, or if a script has a
noticeable effect on the overall scan's time.

2) Generally Useful
I reckon this is pretty subjective and I'd argue that it depends on the
purpose of a given scan and the environment of the target.

Well, by "generally useful" I mean that quite a bit of people will find
it useful.  It produces interesting output for a protocol/service that's
not obscure so that it is /generally/ useful.

Take SNMPsysdesr, for example.  It won't run on /every/ scan, but when
it does run it produces (what I think to be) interesting output.  SNMP
is an example of a protocol that a lot of people recognize and will be
interested in.

3) Not too intrusive
How to measure this?  It could be "the likelihood of being logged" is a
good measure, but that would be somewhat dependant on the target
environment.  Brute forcing is obviously very intrusive because it's
likely to be logged and there's multiple events from the same source in
a short space of time, but otherwise, what constitutes "too intrusive"?

I would say anything that can be perceived as truly unlawful, seen as a
"real hacking attempt", does an excessive amount of probing, etc.

Good examples are bruteTelnet and SQLInject.


Unfortunately, these three are all subjective.  Especially #2.

Default:

* dns-test-open-recursion - Is this useful enough?
This is sometimes very useful, but is recursion found often enough to
warrant running what is, I think, an intrusive script?

Good question.  I actually meant to ask "Is this useful often enough"
because I don't know how frequent it is.

* finger
Isn't finger a bit obscure now?

It is, but I see finger running often enough that I think it's a good
default (though it's not terribly popular either).

* HTTPAuth - Is this too intrusive?
It is intrusive, but it's always been run by default in the past, so why
not?  But then again, it's not very often that it finds such weak
security, so what's the point?

Well, it does print more information than just possible successful
logins.  One useful thing is that is tells that the server actually
requires authentication, and also things like the authentication type.

* ripeQuery
This is a safe script with regard to the target, but RIPE might think it
less so.  Especially as it would query RIPE for every target regardless
of whether the target is in RIPE's allocation.  I think it should stay
in discovery.

This is a script I kept switching between the lists.  I think you may be
right in that it's not be default material.  Anybody else want to chime
in on this one?

+ UPnP-info

I think so too.

Not Default:

* HTTPpasswd - A bit too intrusive and probably not useful enough
I can't see that there's much difference between this and HTTPAuth in
terms of usefulness and intrusiveness.

Again, HTTPAuth does print more than information obtained from
intrusiveness.

* mswindowsShell - "backdoor"
My vote is to ditch it too.

Done.

* SMTPcommands - I want this to be default, but it usually has a lot of
output
This is currently run by default and I don't think the quantity of
output should be grounds for omission if it's perceived to be useful.

Good point, but I just don't think that a default script should produce
a large amount of output like this one tends to.

Does anyone have an opinion on this?

* SSLv2-support - Produces quite a bit of output, and doesn't seem
useful enough for default
I think this is quite useful and should remain default, but agree that
the output is often more than required - perhaps it could be improved
with nmap.verbosity().

I think that with an nmap.verbosity() change it may be good for default.

* zoneTrans - Just doesn't seem like default material IMO
I think the argument for this is similar to the one for
dns-test-open-recursion.


I don't know from experience, but looking at Wikipedia makes me think
that it's not frequent enough.


Now in principle, I think it's a good idea to revisit the scripts that
run by default, but perhaps some firm decision should be made about the
level of intrusiveness permitted in a default scan, offset by the
possible benefits.  In order to do that, there'd have to be some method
for measuring levels of intrusiveness.  Not that I'm knocking the effort
being made in this regard, not at all, but I think it's kind of skimming
over a topic that probably needs looking at more deeply.
I think a complete review of the Category system is due and I'd like to
see some kind of Metrics system applied to scripts so that they can be
selected based of degrees of intrusiveness and on degrees of
usefulness.  Usefulness is rather too subjective, so perhaps benefits
should be measured in probabilities of revealing meaningful information.

If we could construct a method whereby a user can select scripts based
on degrees of a various attributes they might themselves be able to
decide upon the usefulness of a script or how intrusive/fast/deep
they're willing to be.


Interesting! :)

Best,
jah


Thanks,
Kris Katterjohn

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iQIVAwUBSCYbXP9K37xXYl36AQLfDQ/+KYFfywVF8ZpesQhQ80HZopQQ+0sWULaS
nS74ynPf2Ltmbj7JsCHUN9eXqt3Zhf60XhM0djp/59M3qNF2Ygr4wFyWzb5mffcW
dSCBcjscLb0A4+YsDKvaLrhiSU+kZcyuSU24MR93vIVNQLrIMh85W30wOLjGy+1v
W53uAiyDmaKy2ARGsXCrZOm9lmBaBAKRePqrD5NQoqWwoKli5amiU5rhYG5FryOk
sRIRJT/KVN3gd5M91r9qT1JBu5i3yC8JmbudZ6sKgpAI+KLr7NiXb9qrT7zx+8Mt
FvehvrJ8kFejampdwbGVllxvzckBq3lDMKtqfqsp5HEbZhhbWwi4xK7zMWRX8P8m
lDdtacECdNwqqYafYUwwFs97nUVetq7AnQbPc8UwL7xOfNiM9Kl9kCheah4rmTc8
BI8+xt6waLbuHxCSuVQO7w2PilUDmqaE/P4OfMNCZLYu3PDhlMtDEEwCA/8JzFSl
MBVT/uVD0kOPMXA/K800w7RNulc0mO1qdEK62R6KjJycmZiitfKqQI+9ibfNrZ81
F7P9MJPmziLqzGd9IO8jfX5HXmFeHps+2kboKZ1bUSVutQ090LBHzg2e+5mne/XF
R9XKtFe1aC4ZvcRHsoTn5NtRH2PirKwAmEo2bLysi0uSBzX9AhB9N9O4OoOTRYua
w35hl0GgsEg=
=Z2g9
-----END PGP SIGNATURE-----

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]