Nmap Development mailing list archives

Re: Script force
From: Djalal Harouni <tixxdz () opendz org>
Date: Thu, 1 Dec 2011 23:47:44 +0100

On Tue, Nov 29, 2011 at 03:11:32PM -0800, David Fifield wrote:
> I've tested the patch and found it to do what it's supposed to when
> listing script names by themselves. I also found some funny interaction
> with the "and", "or", and "not" operators. Specifically, these operators
> always change force to false, because they do not see the second return
> value of the m function. But additionally, it's not clear what the
> correct interaction even is.
I've updated the patch, the attached version supports all the following
tests.

> Here are some test cases I tried:
>
> script name                  dport   runs?
> http-title                   -p22    no
> +http-title                  -p22    yes
> http-title,http-title        -p22    no
> http-title,+http-title       -p22    no
> +http-title,http-title       -p22    no
> +http-title,+http-title      -p22    yes
> http-title or http-title     -p22    no
> http-title or +http-title    -p22    no
> +http-title or http-title    -p22    no
> +http-title or +http-title   -p22    no
All of them are supported.

> Also, even supposing that the "or" would retain the force value, what
> should happen in cases like this?
>       http-title or +http-*
This is also supported, http-title will be loaded normally and all the
other scripts will be forced as suggested by Martin.

"http-title or +http-*":
Debug messages:
Fetchfile found /mnt/opensource/code/nmap/nmap-trunk/scripts/http-robtex-reverse-ip.nse
NSE: Script http-robtex-reverse-ip.nse was selected by name and forced to run.
Fetchfile found /mnt/opensource/code/nmap/nmap-trunk/scripts/http-title.nse
NSE: Script http-title.nse was selected by name.
Fetchfile found /mnt/opensource/code/nmap/nmap-trunk/scripts/http-trace.nse
NSE: Script http-trace.nse was selected by name and forced to run.
...

> Should http-title be forced in this case? It seems like it would not be,
> because "or" will short-circuit before reading "+http-*".
The attached patch takes another path: it will save all the forced
patterns in a special map; later we just check this table to see if the
current pattern is present or not, and if it is, we force the script.

This way we avoid complex operations like checking if the script was
previously loaded and if it was forced or not (e.g. "http-title,+http-title").


The selection operation of "http-title or +http-*" will be:

1) check the forced flag:
   forced_rules["http-*"] = true

2) check the rules and load scripts:
   "http-title or +http-*" will short-circuit only for http-title, then
   we check 'forced_rules["http-title"] == nil' => do not force.

   For other scripts, 'forced_rules["http-*"] = true', so the force flag
   will be set.

   Note: the pattern (e.g. "http-*") is checked first, then it is cleaned
   (escaped) to match script names.

3) Only one instance of a script is loaded, so http-title will not be
   forced.

> I also tried
>       +(default or vuln)
> I didn't really expect it to work. This was the output:
>       NSE: failed to initialize the script engine:
>       [string "rule"]:1: attempt to call a boolean value
We can also support this but it will need more regexp checks, perhaps we
should just let users specify "+default or +vuln" as suggested by
Fyodor.

I'll try to have a look at this error.

> I'm starting to think that it shouldn't be allowed to mix + with boolean
> operators. In other words, only allow one script name or category name
> between commas when a + is present. Otherwise show an error message.
> Does this sound possible to implement? Do you have any other ideas?
I think that we can support the boolean operators, but I'm not sure,
perhaps I've missed some use cases, more tests are welcome.

Thanks.

-- 
tixxdz
http://opendz.org

Attachment: force_scripts_nse_main.lua_v1.patch
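As an added illustration (this is not the attached patch and not nmap's nse_main.lua), the following Lua sketch models the three selection steps described in the mail for a single rule: collect the "+"-prefixed patterns into a forced_rules table keyed by the raw pattern, compile the cleaned rule into a boolean expression whose "or" short-circuits, and mark a script as forced only when the pattern that selected it is in that table. The script catalogue, the function names (split_forced, glob_to_pattern, compile_rule, select_scripts) and the single-rule scope are this example's own assumptions; comma-separated rule lists and the real loader's file lookup are not modelled. A bare "+" that is not followed by a name, as in "+(default or vuln)", is rejected up front with a readable error in this model rather than failing inside the compiled chunk.

```lua
-- Added example, not the attached patch and not nmap's nse_main.lua: a small
-- model of the "forced_rules" approach described in the mail. All names
-- below (SCRIPTS, split_forced, glob_to_pattern, ...) are this example's own.

local compile = loadstring or load  -- loadstring on Lua 5.1, load on 5.2+

-- Constructed script catalogue: script name -> categories (not real nmap data).
local SCRIPTS = {
  ["http-title"]  = { "default", "discovery", "safe" },
  ["http-trace"]  = { "vuln", "discovery", "safe" },
  ["ssh-hostkey"] = { "default", "discovery", "safe" },
}

-- Step 1: record every "+name" pattern in forced_rules (keyed by the raw
-- pattern, before any escaping) and strip the "+" from the rule text.
local function split_forced(rule)
  local forced_rules = {}
  local clean = rule:gsub("%+([%w%-%*%.]+)", function(glob)
    forced_rules[glob] = true
    return glob
  end)
  -- "+(default or vuln)" leaves a bare "+" behind: reject it explicitly
  -- instead of letting the compiled rule fail later.
  if clean:find("+", 1, true) then
    error("'+' must be followed by a script or category name: " .. rule)
  end
  return clean, forced_rules
end

-- A glob such as "http-*" becomes the anchored Lua pattern "^http%-.*$".
local function glob_to_pattern(glob)
  local escaped = glob:gsub("[%^%$%(%)%%%.%[%]%+%-%?]", "%%%0")
  return "^" .. escaped:gsub("%*", ".*") .. "$"
end

-- Step 2a: compile the cleaned rule into a Lua function of a predicate m, so
-- 'http-title or http-*' becomes 'm("http-title") or m("http-*")' and Lua's
-- own 'or' short-circuits exactly as the mail describes.
local function compile_rule(clean)
  local body = clean:gsub("[%w%-%*%.]+", function(tok)
    if tok == "and" or tok == "or" or tok == "not" then return tok end
    return string.format("m(%q)", tok)
  end)
  local chunk, err = compile("return function(m) return " .. body .. " end")
  if not chunk then error("cannot compile rule '" .. clean .. "': " .. err) end
  return chunk()
end

-- Steps 2b and 3: evaluate the rule once per script. m() remembers the first
-- pattern that matched (the one the short-circuit stopped at); the script is
-- forced only if that pattern was recorded in forced_rules.
local function select_scripts(rule)
  local clean, forced_rules = split_forced(rule)
  local evaluate = compile_rule(clean)
  local selected = {}   -- script name -> true if forced, false if merely selected
  for name, categories in pairs(SCRIPTS) do
    local matched_by = nil
    local function m(glob)
      local pat = glob_to_pattern(glob)
      local hit = name:match(pat) ~= nil
      for _, cat in ipairs(categories) do
        if cat:match(pat) then hit = true end
      end
      if hit and not matched_by then matched_by = glob end
      return hit
    end
    if evaluate(m) then
      selected[name] = forced_rules[matched_by] == true
    end
  end
  return selected
end

-- Walk-through of the case discussed in the mail.
local result = select_scripts("http-title or +http-*")
for name, forced in pairs(result) do
  print(name, forced and "selected and forced" or "selected")
end
```

Run with Lua 5.1 or later: http-title is reported as selected, http-trace as selected and forced, and ssh-hostkey is not selected at all, which is the outcome steps 1 to 3 describe. Calling select_scripts("+(default or vuln)") raises the explicit error from split_forced.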

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
