Home page logo

nmap-dev logo Nmap Development mailing list archives

Re: Output|Input pipe and forcing script run
From: Ron <ron () skullsecurity net>
Date: Wed, 15 Jun 2011 17:09:50 -0500

On Sat, 30 Apr 2011 00:53:22 -0700 David Fifield <david () bamsoftware com> wrote:
I want to reopen discussion about forcing a script to run. I tried
this patch and it works as I expect. The problem I see is that there
are easy ways to accidentally and confusingly use it.

nmap --script-args force -d2 localhost -sC -F

This is going to run every default script against every open port:


I think that a global "force" option only makes sense if 1) you are
narrowly targeting a list of ports and 2) you are narrowly limiting
the set of scripts. Can we think of a way to make this work naturally
without strange cases like the above?

My first thought is that you usually only want one or a few scripts to
be forced. So what if we invent a new syntax that allows applying the
force script to one script only? I don't think this is a good syntax,
but it will illustrate what I mean:

nmap www.google.com -p80 --script force:firewalk

This is no more typing in the (expected) case when only one script is
used. It would be possible to run one script forced and one
non-forced, though I don't have a realistic use case for that.

David Fifield

I realize that I'm a couple months late to the party, but I'm trying to catch up on lists again and wanted to comment. 

Anyway, here's a use case that I think we should look at targeting: I'm running Zenmap, and I discover a SMB server on 
the network. I want to run smb-os-discovery. I do, and get the results. Then I decide to run smb-enum-users. And maybe 
some others. Then I move to the FTP port and run ftp-brute.nse, using the list of usernames I got from SMB. It gets a 
password, and I run to run ftp-list-files or whatever.  

With the current version of Nmap, I need to do a new scan every time. Even if it's just the one port, it means I have 
to re-configure the scanner to just scan 445 now. Additionally, the registry would need to be persisted for this to 
work, but that's another problem. 

It'd be really nice if there was an interactive script mode where I can try the scripts one by one, and not have to 
re-run the full or partial scan for each one. 

Any thoughts about that? 

Sent through the nmap-dev mailing list
Archived at http://seclists.org/nmap-dev/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]