Home page logo

nmap-dev logo Nmap Development mailing list archives

Re: GSoC: NSE script developer
From: David Fifield <david () bamsoftware com>
Date: Tue, 22 Mar 2011 18:00:33 -0700

On Tue, Mar 22, 2011 at 12:40:54PM +0100, Hani Benhabiles wrote:

I'm Hani "kroosec" Benhabiles, a student from Algeria.

I'm interested by the NSE—Script Developer position and I would like
to apply for the web scanning specialist one as it's where I see
myself shining the most (I was planning to work on w3af
and began studying the code but they didn't get accepted for GSoC.)

Hi Hani! Thanks for introducing yourself. Here are good general links
about Nmap in the Summer of Code:

I do have some questions/remarks however:

- How should I approach Nmap web scanning ?
Will I've to focus on a certain area ? like Information gathering (seems the
most logical to me),
Vulnerability discovery or exploiting vulnerabilities.

We're looking to add a large number of scripts to increase Nmap's web
scanning abilities. Web scanning is such a big topic that I'm sure you
can find plenty of variety within it.

- How will the scripts to be written be chosen ? Will it be the mentor who
chooses them,
community feedback, defined lists (like working on OWASP's Top 10 for
vulnerability discovery)
or will I be free to choose what I work on (and justify it of course.)

You and your mentor will work together with the members of the mailing
list to decide what scripts to write. In your proposal, though, you
should have a few specific ideas of scripts that you will write. One of
the thinkgs we're looking for is the ability to come up with creative
new ideas.

- How will the script developers collaborate ? Will they have the same
mentor who will be in charge of workload balancing or will they directly do
I would enjoy working with other students on other specialties.

In years past we have had weekly IRC meetings among the NSE students and
other interested developers. You raise a good point about NSE students
working together.

- I do have some issues defining the time line for this project. Should I
base it on the number
of scripts and libraries written or will it be something else ?

You're right, that's hard to define. Number of scripts is a reasonable
metric. Of course everyone understands that some scripts are harder to
write than others. I think this year we are focusing more on new
capabilities rather than core infrastructure code.

While studying the NSE internals, I've written a simple script that grabs
Google Analytics
and Adsense IDs of a website.
These could be used to further find websites with the same owner.
I would be glad if they are added to NSE scripts or at least if I'm given
some input and tips on
anything that I've overlooked or I could improve.

I'm going to let replies about the script go in a separate thread.

David Fifield
Sent through the nmap-dev mailing list
Archived at http://seclists.org/nmap-dev/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]