Date: Thu, 14 Jun 2012 07:19:03 -0700
From: david () bamsoftware com
To: kingthorin () hotmail com
CC: nmap-dev () insecure org
Subject: Re: NSE Categorization Question(s)
On Thu, Jun 14, 2012 at 09:22:56AM -0400, King Thorin wrote:
> So looking at ssl-enum-ciphers got me thinking. This script is in the
> discovery and intrusive categories. Why isn't it "safe"? Which led
> to "how do we (the list, Fyodor, etc.) describe the categories?"
>
> "These are scripts that cannot be classified in the
> safe category because the risks are too
> high that they will crash the target system, use up
> significant resources on the target host (such as
> bandwidth or CPU time), or otherwise be perceived as
> malicious by the target's system administrators."
>
> How was it determined that ssl-enum-ciphers is going to down a system
> or load it too heavily while ssh2-enum-algos won't? Though
> ssh2-enum-algos isn't safe, it's also not listed as intrusive. They're
> both listed as discovery.
It's because ssh2-enum-algos gets its entire output from the server in
one connection, whereas ssl-enum-ciphers must make a few hundred
connections, one for each possible algorithm. Although their output is
similar, they work differently. Just try them yourself and you'll see
that one is much faster than the other.
> Also this just occurred to me while writing this up. Is there
> currently a mechanism (switch/option, similar to -sL -n) to have nmap
> list the scripts and categories which will be run? i.e. if you do some
> complicated type of script selection
> (http://nmap.org/book/nse-usage.html#nse-script-selection), such as
> the "nmap --script "(default or safe or intrusive) and not http-*""
> example, could nmap list what scripts will be run and their
> categorization details without actually running them?
Use the --script-help option.
nmap --script-help "(default or safe or intrusive) and not http-*"
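As an added illustration of the selection logic this thread talks about (example code written for this note, not part of the thread and not Nmap's own NSE implementation): a small Python evaluator for the boolean --script expression syntax, run over a constructed script catalogue. The catalogue follows the categorisation the thread describes (ssl-enum-ciphers in discovery and intrusive because it opens hundreds of connections; ssh2-enum-algos in discovery only); the other entries and their categories are made up for the example and are not Nmap's real script database. The `describe()` helper does roughly what `--script-help EXPR` does: it lists each selected script with its categories without running anything.

```python
"""Evaluate an NSE-style --script selection expression over a constructed catalogue."""
import fnmatch
import re

# Constructed sample catalogue (script name -> categories). The two scripts from the
# thread carry the categories the thread describes; the rest are illustrative only.
SCRIPT_DB = {
    "ssl-enum-ciphers": {"discovery", "intrusive"},
    "ssh2-enum-algos": {"discovery"},
    "http-title": {"default", "discovery", "safe"},
    "http-methods": {"default", "discovery", "safe"},
    "banner": {"discovery", "safe"},
    "ftp-brute": {"brute", "intrusive"},
    "smb-os-discovery": {"default", "discovery", "safe"},
}

# Tokens: parentheses, or a bare term (category, keyword, or script-name glob such as http-*).
TOKEN_RE = re.compile(r"\s*(\(|\)|[A-Za-z0-9_*?\-.]+)")
KEYWORDS = {"and", "or", "not", "(", ")"}


def tokenize(expr):
    """Split a selection expression into operator and term tokens."""
    tokens, pos, expr = [], 0, expr.strip()
    while pos < len(expr):
        m = TOKEN_RE.match(expr, pos)
        if not m:
            raise ValueError(f"bad character at offset {pos}: {expr[pos:]!r}")
        tokens.append(m.group(1))
        pos = m.end()
    return tokens


class Selector:
    """Recursive-descent evaluator: expr := term ('or' term)*, term := factor ('and' factor)*,
    factor := 'not' factor | '(' expr ')' | TERM. Each node evaluates to a set of script names."""

    def __init__(self, db):
        self.db = db
        self.all = set(db)

    def select(self, expr):
        self.tokens = tokenize(expr.lower())  # selection is case-insensitive
        self.pos = 0
        result = self._expr()
        if self.pos != len(self.tokens):
            raise ValueError(f"unexpected token {self.tokens[self.pos]!r}")
        return sorted(result)

    def _peek(self):
        return self.tokens[self.pos] if self.pos < len(self.tokens) else None

    def _take(self, expected=None):
        tok = self._peek()
        if tok is None or (expected is not None and tok != expected):
            raise ValueError(f"expected {expected or 'a term'}, got {tok!r}")
        self.pos += 1
        return tok

    def _expr(self):
        result = self._term()
        while self._peek() == "or":          # union
            self._take("or")
            result |= self._term()
        return result

    def _term(self):
        result = self._factor()
        while self._peek() == "and":         # intersection
            self._take("and")
            result &= self._factor()
        return result

    def _factor(self):
        tok = self._peek()
        if tok == "not":                     # complement against the whole catalogue
            self._take("not")
            return self.all - self._factor()
        if tok == "(":
            self._take("(")
            result = self._expr()
            self._take(")")
            return result
        if tok is None or tok in KEYWORDS:
            raise ValueError(f"expected a term, got {tok!r}")
        return self._match(self._take())

    def _match(self, pattern):
        # A bare term selects scripts by category name, by the keyword "all", or by
        # script name; shell-style wildcards apply to names (e.g. http-*).
        return {name for name, cats in self.db.items()
                if pattern == "all" or pattern in cats
                or fnmatch.fnmatchcase(name, pattern)}


def describe(expr, db=SCRIPT_DB):
    """List (script, categories) pairs that EXPR selects, in the spirit of --script-help."""
    return [(name, sorted(db[name])) for name in Selector(db).select(expr)]


if __name__ == "__main__":
    for name, cats in describe("(default or safe or intrusive) and not http-*"):
        print(f"{name:20s} {', '.join(cats)}")
```

Running it shows ssl-enum-ciphers selected only through the `intrusive` term and ssh2-enum-algos dropped, since in the thread's categorisation it is neither default, safe nor intrusive; the real `nmap --script-help` output is the authority for any actual script.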