Home page logo

nmap-dev logo Nmap Development mailing list archives

RE: NSE Categorization Question(s)
From: King Thorin <kingthorin () hotmail com>
Date: Thu, 14 Jun 2012 10:39:35 -0400

Thanks Dave. I was comparing the two script simply based on their descriptions.

Thanks for the --script-help idea, it's close but a little too verbose. I was thinking more along the lines of:

http-wordpress-brute Categories: intrusive brute
http-wordpress-enum Categories: auth intrusive vuln
http-wordpress-plugins Categories: discovery intrusive

I suppose I can probably get there with some kind of grep/awk/sed kung'fu

Date: Thu, 14 Jun 2012 07:19:03 -0700
From: david () bamsoftware com
To: kingthorin () hotmail com
CC: nmap-dev () insecure org
Subject: Re: NSE Categorization Question(s)

On Thu, Jun 14, 2012 at 09:22:56AM -0400, King Thorin wrote:

So looking at ssl-enum-ciphers got me thinking. This script is in the
discovery, and intrusive categories. Why isn't it "safe"? Which lead
to "how do we (the list, Fyodor, etc) describe the categories?"

          These are scripts that cannot be classified in the
            safe category because the risks are too
            high that they will crash the target system, use up
            significant resources on the target host (such as
            bandwidth or CPU time), or otherwise be perceived as
            malicious by the target's system administrators."

How was it determined that ssl-enum-ciphers is going to down a system
or load it too heavily while ssh2-enum-algos won't? Though
ssh2-enum-algos isn't safe, it's also not listed as intrusive. They're
both listed as discovery. 

It's because ssh2-enum-algos gets its entire output from the server in
one connection, which ssl-enum-ciphers must make a few hundred
connections, one for each possible algorithm. Although their output is
similar, they work differently. Just try them yourself and you'll see
that one is much faster than the other.

Also this just occurred to me while writing this up. Is there
currently a mechanism (switch/option, similar to -sL -n) to have nmap
lists scripts and categories which will be run? i.e. if you do some
complicated type of script selection
(http://nmap.org/book/nse-usage.html#nse-script-selection), such as
the "nmap --script "(default or safe or intrusive) and not http-*""
example could nmap list what scripts will be run and their
categorization details without actually running? 

Use the --script-help option.

nmap --script-help "(default or safe or intrusive) and not http-*"

David Fifield
Sent through the nmap-dev mailing list
Archived at http://seclists.org/nmap-dev/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]