Nmap Development mailing list archives
Re: NSE console script help
From: Martin Holst Swende <martin () swende se>
Date: Mon, 17 Jan 2011 22:49:32 +0100
On 01/17/2011 10:12 PM, David Fifield wrote:
> On Mon, Jan 17, 2011 at 08:49:34PM +0100, Martin Holst Swende wrote:
>> Hi,
>>
>> Reposting this which I posted earlier ([1], [2]), perhaps with a bad
>> subject-line, since there was no response.
>>
>> While I was fiddling with nse_main, I added another thing I have been
>> missing. I often don't really know what scripts are possible to run
>> for a particular service or port, and I don't always know what they
>> do. So, I added another script argument: "help". For all the scripts
>> that would have been run, it instead prints out info about the
>> scripts. I find it extremely useful, since there are a *lot* of
>> scripts nowadays and several in non-default categories which is a bit
>> of a pain to find.
>>
>> Example usage:
>> nmap <host> --script=all --script-args help
>> - Would print out info about all scripts which can be used against
>> the target.
>>
>> Example usage:
>> nmap localhost -p80 --script=intrusive,vuln --script-args=help
>> - In the intrusive category, I like to read up on what the script
>> does before using it and not just fire away.
>>
>> nmap google.com -p80 -sC --script-args help
>> ...
>> NSE: ------------- Script help -------------
>> http-methods.nse
>> Categories default safe
>> Description
>> Finds out what options are supported by an HTTP server by sending an
>> OPTIONS request. Lists potentially risky methods. Optionally tests
>> each method individually to see if they are subject to e.g. IP
>> address restrictions.
>> In this script, "potentially risky" methods are anything except GET,
>> HEAD, POST, and OPTIONS. If the script reports potentially risky
>> methods, they may not all be security risks, but you should check to
>> make sure. This page lists the dangers of some common methods:
>> http://www.owasp.org/index.php/Testing_for_HTTP_Methods_and_XST_%28OWASP-CM-008%29
>> The list of supported methods comes from the contents of the Allow
>> and Public header fields. In verbose mode, a list of all methods is
>> printed, followed by the list of potentially risky methods. Without
>> verbose mode, only the potentially risky methods are shown.
>
> Kirubakaran and I proposed a similar option --script-list last summer.
> It was designed to allow Zenmap (and users) to find out what scripts
> will be run given a certain specification. The idea didn't catch on,
> but if this help output will be machine-readable, we'll use that in
> Zenmap instead of the script-scraping technique we use now.

This uses the info which can be reached from Lua, i.e., the description, basename and categories. Unfortunately, no info about script-parameters can be attained (which was also up for discussions quite some time ago). It should be machine-readable (?). Current output implementation uses stdnse.format_output plus some tab-padding of linebreaks: http://martin.swende.se/hgwebdir.cgi/nsescripts/rev/8f25f54aa7ad

> http://seclists.org/nmap-dev/2010/q3/0
>
> Doing this as a script argument doesn't feel right.

Agree, it wound up there because it was the simplest thing to do.

> Do prerule scripts still run, even if you don't provide any targets?
> For example with "nmap --script=discovery --script-args help". I just
> checked, and Zenmap's trick of running "nmap -d2" does run those
> scripts, unfortunately. It would be nice to have a separate mode (kind
> of like --iflist) that would be easier to clear of side effects.

I am not sure if I understand the question correctly, but nope, nothing runs, help-argument only displays help instead of running it:

martin@linovox:~$ nmap --script=discovery --script-args help

Starting Nmap 5.36TEST1 ( http://nmap.org ) at 2011-01-17 22:14 CET
NSE: ------------- Script help -------------
broadcast-dns-service-discovery.nse
Categories discovery safe
Description
Attempts to discover a hosts services using the DNS Service Discovery protocol. It does so by sending a multicast query and collects responses from all responding hosts. The script first sends a query for _services._dns-sd._udp.local to get a list of services. It then sends a followup query for each one to try to get more information.
NSE: ------------- Script help -------------
broadcast-upnp-info.nse
Categories discovery safe
Description
Attempts to extract system information from the UPnP service by running a multicast query.
NSE: ------------- Script help -------------
broadcast-wsdd-discover.nse
Categories safe discovery
Description
Discovers devices supporting the Web Services Dynamic Discovery (WS-Discovery) protocol. It also attempts to locate any published Windows Communication Framework (WCF) web services (.NET 4.0 or later).
NSE: ------------- Script help -------------
db2-discover.nse
Categories safe discovery
Description
Attempts to discover DB2 servers on the network using UDP.
NSE: ------------- Script help -------------
ms-sql-info.nse
Categories default discovery intrusive
Description
Attempts to extract information from Microsoft SQL Server instances.
NSE: ------------- Script help -------------
snmp-interfaces.nse
Categories default discovery safe
Description
Attempts to enumerate network interfaces through SNMP. This script can also be run during Nmap's pre-scanning phase and can attempt to add the SNMP server's interface addresses to the target list. The script argument <code>snmp-interfaces.host</code> is required to know what host to probe. To specify a port for the SNMP server other than 161, use <code>snmp-interfaces.port</code>. When run in this way, the script's output tells how many new targets were successfully added.
WARNING: No targets were specified, so 0 hosts scanned.
Nmap done: 0 IP addresses (0 hosts up) scanned in 0.12 seconds

> David Fifield
_______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://seclists.org/nmap-dev/
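
The thread leaves open whether this help output is machine-readable enough for a front end such as Zenmap. As an added example (not code from the thread, Nmap or Zenmap), here is a Python parser for the block structure visible in the output above that also lists the scripts tagged intrusive or vuln for reading before use. It relies only on the order of the header, script name, Categories and Description tokens; the line layout and the sample text are assumptions constructed from the quoted output.

```python
import re

# Separator printed before each script, as seen in the thread's output.
HEADER = "NSE: ------------- Script help -------------"
# Only the token order (name, Categories, Description) is relied upon;
# the exact line and tab layout of the output is an assumption.
ENTRY = re.compile(
    r"^\s*(?P<name>\S+\.nse)\s+Categories\s+(?P<cats>.*?)\s+"
    r"Description\s+(?P<desc>.*)$", re.DOTALL)
# Nmap's own trailer lines after the last block (assumed to start a line).
TRAILER = re.compile(r"^(?:WARNING:|Nmap done:).*$", re.MULTILINE)


def parse_script_help(text):
    """Return one dict per script: name, categories, description."""
    scripts = []
    # Everything before the first header is Nmap's start-up banner.
    for chunk in text.split(HEADER)[1:]:
        m = ENTRY.match(TRAILER.sub("", chunk))
        if m is None:
            continue  # unrecognised layout: skip rather than guess
        scripts.append({
            "name": m.group("name"),
            "categories": m.group("cats").split(),
            "description": " ".join(m.group("desc").split()),
        })
    return scripts


def needs_review(scripts, risky=("intrusive", "vuln")):
    """Scripts in the categories the thread singles out for reading first."""
    return [s["name"] for s in scripts if set(risky) & set(s["categories"])]


# Constructed sample, abridged from the output quoted in the thread.
SAMPLE = """\
Starting Nmap 5.36TEST1 ( http://nmap.org ) at 2011-01-17 22:14 CET
NSE: ------------- Script help -------------
db2-discover.nse
Categories safe discovery
Description
Attempts to discover DB2 servers on the network using UDP.
NSE: ------------- Script help -------------
ms-sql-info.nse
Categories default discovery intrusive
Description
Attempts to extract information from Microsoft SQL Server instances.
WARNING: No targets were specified, so 0 hosts scanned.
"""
```

Calling `needs_review(parse_script_help(SAMPLE))` returns `['ms-sql-info.nse']`, a script that the quoted output lists under default as well as intrusive.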
