mailing list archives
Re: NSE console script help
From: David Fifield <david () bamsoftware com>
Date: Mon, 17 Jan 2011 13:12:18 -0800
On Mon, Jan 17, 2011 at 08:49:34PM +0100, Martin Holst Swende wrote:
Reposting this which I posted earlier (, ), perhaps with a bad
subject-line, since there was no response.
While I was fiddling with nse_main, I added another thing I have been
missing. I often don't really know what scripts are possible to run for
a particular service or port, and I don't always know what they do. So,
I added another script argument: "help". For all the scripts that would
have been run, it instead prints out info about the scripts.
I find it extremely useful, since there are a *lot* of script nowadays
and several in non-default categories which is a bit of a pain to find.
Example usage: nmap <host> --script=all --script-args help
- Would print out info about all scripts which can be used against the
Example usage: nmap localhost -p80 --script=intrusive,vuln
- In the intrusive category, I like to read up on what the script does
before using it and not just fire away.
nmap google.com -p80 -sC --script-args help
NSE: ------------- Script help -------------
Finds out what options are supported by an HTTP server by sending an
OPTIONS request. Lists potentially risky methods. Optionally tests each
method individually to see if they are subject to e.g. IP address
In this script, "potentially risky" methods are anything except GET,
HEAD, POST, and OPTIONS. If the script reports potentially risky
methods, they may not all be security risks, but you should check to
make sure. This page lists the dangers of some common methods:
The list of supported methods comes from the contents of the Allow and
Public header fields. In verbose mode, a list of all methods is printed,
followed by the list of potentially risky methods. Without verbose mode,
only the potentially risky methods are shown.
Kirubakaran and I proposed a similar option --script-list last summer.
It was designed to allow Zenmap (and users) find out what scripts will
be run given a certain specification. The idea didn't catch on, but if
this help output will be machine-readable, we'll use that in Zenmap
instead of the script-scraping technique we use now.
Doing this as a script argument doesn't feel right. Do prerule scripts
still run, even if you don't provide any targets? For example with
"nmap --script=discovery --script-args help". I just checked, and
Zenmap's trick of running "nmap -d2" does run those scripts,
unfortunately. It would be nice to have a separate mode (kind of like
--iflist) that would be easier to clear of side effects.
Sent through the nmap-dev mailing list
Archived at http://seclists.org/nmap-dev/