
Nmap Development mailing list archives
Re: [RFC] Default NSE Scripts
From: Fyodor <fyodor () insecure org>
Date: Fri, 9 May 2008 21:08:57 -0700
On Sat, May 10, 2008 at 03:53:43AM +0000, Brandon Enright wrote:
> A few comments about your list below.
Thanks Brandon, this is useful stuff!
> * anonFTP
>
> This logs into the FTP server. It may be hard to argue that port scanning is a crime but it's easy to argue that under the right circumstances, logging into a FTP server is unauthorized access.
Since the point of anonymous FTP is to allow unauthenticated access, it would be pretty lame to argue that it is unauthorized access, IMHO. If you don't want to allow the public access, use a username/password. Some search engines index anonymous ftp content. But at the same time, I don't think people should assume that doing a default script scan against some target machine/network without permission is OK. The scripts in general are much more intrusive than a simple port scan, as you've noted. Currently, the default is to run scripts in the "intrusive" category (as well as "safe"). Still, we don't want anything too dangerous running as default. A metasploit-style exploitation script is no-go, for example.
> * mswindowsShell - "backdoor"
>
> Hmm, I'm not sure why this script even exists. In my experience, Windows shells are rarely on port 8888, 4444 and 44444 are much more common. Also, the script doesn't do anything that the -sV NULL probe can't match. This script should probably be demo only.
Good point. In fact, we already have such a version detection probe:

match winshell m/^Microsoft Windows ((2000)|(XP)|(NT 4\.0)) \[Version ([\d.]+)\]\r\n\(C\) Copyright 1985-20\d\d Microsoft Corp\.\r\n\r\n/ p/Microsoft Windows $1 $5 cmd.exe/ o/Windows/ i/**BACKDOOR**/

Removing this script sounds like the way to go, though making it demo-only is a reasonable alternative.
> * RealVNC_auth_bypass - "backdoor"
>
> This script should be in the default category. It is no more harmful than the SSHv1 test. It doesn't exploit any buffer or anything else of that nature. It also doesn't complete the login sequence like the anonFTP script. It simply checks to see if the VNC server supports the NULL authentication option.
Sounds like a good argument to me.
> * skype_v2-version - "version"
>
> This script needs to be adjusted to be less conservative. I'll test and submit a patch.
Great!

Cheers,
-F

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
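As an added illustration of the point about the -sV probe (example code written for this archive page, not code from the thread or from Nmap itself), here is a small Python re-implementation of how a nmap-service-probes "match" line like the winshell one quoted above is parsed and applied to a banner. The rule string, the two banners and the function names are constructed for the example; the $N expansion of the p/, o/ and i/ fields follows the documented match-line semantics.

```python
import re

# Constructed for this example: the winshell rule quoted in the message above,
# in nmap-service-probes "match" syntax, plus two banners written to exercise it.
WINSHELL_RULE = (
    r"match winshell m/^Microsoft Windows ((2000)|(XP)|(NT 4\.0)) \[Version ([\d.]+)\]\r\n"
    r"\(C\) Copyright 1985-20\d\d Microsoft Corp\.\r\n\r\n/ "
    r"p/Microsoft Windows $1 $5 cmd.exe/ o/Windows/ i/**BACKDOOR**/"
)
XP_BANNER = "Microsoft Windows XP [Version 5.1.2600]\r\n(C) Copyright 1985-2001 Microsoft Corp.\r\n\r\n"
FTP_BANNER = "220 (vsFTPd 2.0.5)\r\n"  # constructed: an unrelated greeting that must not match

# "match <service> m/<regex>/<flags> <field>/<value>/ ..."; values may contain escaped slashes
_MATCH = re.compile(r"^match (\S+) m/((?:[^/\\]|\\.)*)/([is]*)\s*(.*)$")
_FIELD = re.compile(r"\b([pvhoid])/((?:[^/\\]|\\.)*)/")


def parse_match(line):
    """Parse one match directive into a service name, a compiled regex and its version fields."""
    m = _MATCH.match(line)
    if not m:
        raise ValueError("not a match directive: %r" % line)
    service, pattern, flags, rest = m.groups()
    re_flags = (re.I if "i" in flags else 0) | (re.S if "s" in flags else 0)
    return {"service": service, "regex": re.compile(pattern, re_flags),
            "fields": dict(_FIELD.findall(rest))}


def _expand(template, mo):
    """Substitute $N with capture group N, the way p/ o/ i/ fields reference the regex."""
    return re.sub(r"\$(\d+)", lambda s: mo.group(int(s.group(1))) or "", template)


def fingerprint(rule, banner):
    """Return the service name and expanded fields if the banner matches, else None."""
    mo = rule["regex"].search(banner)
    if not mo:
        return None
    out = {"service": rule["service"]}
    out.update((k, _expand(v, mo)) for k, v in rule["fields"].items())
    return out


if __name__ == "__main__":
    rule = parse_match(WINSHELL_RULE)
    print(fingerprint(rule, XP_BANNER))   # the greeting a NULL probe would read from such a shell
    print(fingerprint(rule, FTP_BANNER))  # None: an FTP greeting does not match the rule
```

The first call yields the product string "Microsoft Windows XP 5.1.2600 cmd.exe" with the **BACKDOOR** info field, which is exactly what the dedicated script was duplicating.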