Home page logo
/

nmap-dev logo Nmap Development mailing list archives

Re: Special characters in script-args
From: Patrick Donnelly <batrick () batbytes com>
Date: Fri, 15 May 2009 18:56:23 -0600

Hello Ron,

On Fri, May 15, 2009 at 1:06 PM, Ron <ron () skullsecurity net> wrote:
Hi all,

I posted this to the #nmap channel a few days ago, but I wasn't around to
see if there was an answer. So I figured I'd ask it here.

If a --script-arg contains a special characters, such as a colon, parsing
the arguments will fail with a cryptic error. So if somebody is trying to
use a hash to log in, and passes this string, it'll fail:
 --script-args=smbuser=admin,smbhash=abc123:abc123

Similarily if a user gives the password on the commandline, like this, it'll
fail:
 --script-args=smbuser=admin,smbpass=pass^word

The solution that I use is to pass escaped quotes, like
smbpass=\"pass^word\", but I don't expect that an ordinary user would know
to do that (or understand the Lua stackdump when they don't). Is there
something we can do to make this easier?

(Sorry if this came up in an earlier discussion -- I haven't had a home
Internet connection for awhile, so I haven't been following bigger threads)

We have been discussing this in [1]. I have a tentative patch [2] that
tries to solve all of these problems. I encourage you to give the
patch a try and report how it worked for you.

[1] http://seclists.org/nmap-dev/2009/q2/0204.html
[2] http://seclists.org/nmap-dev/2009/q2/0380.html


-- 
-Patrick Donnelly

"Let all men know thee, but no man know thee thoroughly: Men freely
ford that see the shallows."

- Benjamin Franklin

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault