Closed. r3k2 closed this issue 5 years ago.
@ReK2Fernandez thanks for reaching out.
I am not running into this issue with the latest code. Can you run my example below, which is a modified copy of basic_scan.go from the examples folder?
```go
package main

import (
	"context"
	"fmt"
	"log"
	"strings"
	"time"

	"github.com/Ullaakut/nmap"
)

func main() {
	// Bound the whole scan so a stalled nmap process cannot hang the program.
	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Minute)
	defer cancel()

	scanner, err := nmap.NewScanner(
		nmap.WithTargets("example.com"),
		nmap.WithPorts("80,443,843"),
		nmap.WithContext(ctx),
		nmap.WithDefaultScript(), // run the default NSE script set (nmap -sC)
	)
	if err != nil {
		log.Fatalf("unable to create nmap scanner: %v", err)
	}

	result, err := scanner.Run()
	if err != nil {
		log.Fatalf("unable to run nmap scan: %v", err)
	}

	// Use the results to print an example output
	for _, host := range result.Hosts {
		if len(host.Ports) == 0 || len(host.Addresses) == 0 {
			continue
		}
		fmt.Printf("Host %q:\n", host.Addresses[0])
		for _, port := range host.Ports {
			fmt.Printf("\tPort %d/%s %s %s\n", port.ID, port.Protocol, port.State, port.Service.Name)
			fmt.Printf("\t\t[ SCRIPT OUTPUT ]\n")
			// Every NSE script that produced output for this port shows up in port.Scripts.
			for _, script := range port.Scripts {
				fmt.Printf("\t\t%s\n", strings.Replace(script.Output, "\n", "\n\t\t\t", -1))
			}
			fmt.Printf("\t\t[ SCRIPT END ]\n")
		}
	}
	fmt.Printf("Nmap done: %d hosts up scanned in %.2f seconds\n", len(result.Hosts), result.Stats.Finished.Elapsed)
}
```
Not classifying this as a bug for now, but I'll keep track of the issue and update the labels accordingly :)
@Ullaakut on my test and yours, it works if I indicate which script, like:
```go
nmap.WithScripts("http-methods"),
```
but not with the default flag. Maybe there is just nothing to output.
That is interesting, as http-methods is a default scan and should return results if nmap.WithScripts("http-methods"),
Let me look into this.
@ReK2Fernandez this appears to be an nmap concern. See below.
Nmap pulls default scripts from the scripts.db file located in the folder where all NSE files reside. Here is a sample from that file that shows http-methods is included as a default script to run when default scripts are called.
```
Entry { filename = "http-default-accounts.nse", categories = { "auth", "discovery", "intrusive", } }
Entry { filename = "http-favicon.nse", categories = { "default", "discovery", "safe", } }
Entry { filename = "http-generator.nse", categories = { "default", "discovery", "safe", } }
Entry { filename = "http-git.nse", categories = { "default", "safe", "vuln", } }
Entry { filename = "http-ls.nse", categories = { "default", "discovery", "safe", } }
Entry { filename = "http-methods.nse", categories = { "default", "safe", } }
Entry { filename = "http-ntlm-info.nse", categories = { "default", "discovery", "safe", } }
Entry { filename = "http-open-proxy.nse", categories = { "default", "discovery", "external", "safe", } }
Entry { filename = "http-robots.txt.nse", categories = { "default", "discovery", "safe", } }
Entry { filename = "http-svn-enum.nse", categories = { "default", "discovery", "safe", } }
Entry { filename = "http-svn-info.nse", categories = { "default", "discovery", "safe", } }
Entry { filename = "http-title.nse", categories = { "default", "discovery", "safe", } }
```
However, when running the two commands from nmap directly, they produce two different results.
Command: nmap --script http-methods -p443 example.com
Results:
```
nmap example.com -p443 --script http-methods
Starting Nmap 7.80 ( https://nmap.org ) at 2019-09-04 12:38 EDT
Nmap scan report for example.com (93.184.216.34)
Host is up (0.015s latency).
Other addresses for example.com (not scanned): 2606:2800:220:1:248:1893:25c8:1946
PORT    STATE SERVICE
443/tcp open  https
| http-methods:
|_  Supported Methods: OPTIONS GET HEAD POST
Nmap done: 1 IP address (1 host up) scanned in 0.47 seconds
```
Command: nmap --script default -p443 example.com
Results:
```
nmap example.com -p443 --script default
Starting Nmap 7.80 ( https://nmap.org ) at 2019-09-04 12:38 EDT
Nmap scan report for example.com (93.184.216.34)
Host is up (0.014s latency).
Other addresses for example.com (not scanned): 2606:2800:220:1:248:1893:25c8:1946
PORT    STATE SERVICE
443/tcp open  https
|_http-title: Example Domain
| ssl-cert: Subject: commonName=www.example.org/organizationName=Internet Corporation for Assigned Names and Numbers/stateOrProvinceName=California/countryName=US
| Subject Alternative Name: DNS:www.example.org, DNS:example.com, DNS:example.edu, DNS:example.net, DNS:example.org, DNS:www.example.com, DNS:www.example.edu, DNS:www.example.net
| Not valid before: 2018-11-28T00:00:00
|_Not valid after:  2020-12-02T12:00:00
|_ssl-date: TLS randomness does not represent time
| tls-alpn:
|   h2
|_  http/1.1
| tls-nextprotoneg:
|   h2
|   http/1.1
|_  http/1.0
Nmap done: 1 IP address (1 host up) scanned in 1.43 seconds
```
As it appears, either this is how nmap is meant to function or there is an issue with nmap not executing all default scripts.
Confirmed throttling issues. Try using the following option.
```go
nmap.WithTimingTemplate(nmap.TimingSneaky)
```
Issue opened at https://github.com/nmap/nmap/issues/1724 for clarification on whether this is intended or not.
@TheSecEng @Ullaakut hello, sorry, I was out and I'm on the CEST time zone. I have confirmed on my own most of the things you guys are raising up here; actually, I was going to update with some of them, but since you guys already figured them out, I will not double post. Thanks for looking into this, I will try with the timing template.
No worries!
@Ullaakut this can be closed now, as this is just a timing issue and not related to the Nmap library.
Thanks for your help @TheSecEng ! 🎉
And @ReK2Fernandez don't hesitate to let us know if you find any other issue :) thanks for using the package!
Hello.
I can get all methods from port.* etc. but can't seem to get the output of the Script. Example:
trying to get the script.Output from the scripts slice. I'm sure I'm doing something wrong.
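Added example (not part of this thread or of the Ullaakut/nmap project): the library fills port.Scripts by parsing nmap's XML output, so this parses a constructed fragment with that structure, exposes each script's output by id (the field the last comment asks about), and reports which expected default scripts produced nothing on a port, so a throttled, incomplete run like the one above is flagged instead of being read as "nothing found". The XML element and attribute names are nmap's; nmapRun, expectedDefault, scriptOutputs, missingScripts and the sample run are constructed for this example.

```go
package main

import "encoding/xml"

// Minimal mirror of the nmap -oX elements the library maps onto Port/Script (constructed here).
type nmapRun struct {
	Ports []struct {
		ID      uint16 `xml:"portid,attr"`
		Scripts []struct {
			ID     string `xml:"id,attr"`
			Output string `xml:"output,attr"`
		} `xml:"script"`
	} `xml:"host>ports>port"`
}

// Constructed sample run: http-title and ssl-date ran on 443, http-methods left nothing.
const sampleXML = `<nmaprun><host><ports><port protocol="tcp" portid="443">
 <state state="open" reason="syn-ack"/>
 <script id="http-title" output="Example Domain"/>
 <script id="ssl-date" output="TLS randomness does not represent time"/>
</port></ports></host></nmaprun>`

// Default-category scripts one expects on an open HTTPS port (subset of the scripts.db entries above).
var expectedDefault = []string{"http-methods", "http-title", "ssl-cert"}

// scriptOutputs maps port id -> (script id -> output), the data behind port.Scripts[i].Output.
func scriptOutputs(data []byte) (map[uint16]map[string]string, error) {
	var run nmapRun
	if err := xml.Unmarshal(data, &run); err != nil {
		return nil, err
	}
	out := make(map[uint16]map[string]string, len(run.Ports))
	for _, p := range run.Ports {
		out[p.ID] = make(map[string]string, len(p.Scripts))
		for _, s := range p.Scripts {
			out[p.ID][s.ID] = s.Output
		}
	}
	return out, nil
}

// missingScripts returns expected script ids with no output on a port; a non-empty
// result means the run was incomplete (here: timing), so retry slower rather than report "nothing found".
func missingScripts(have map[string]string, expected []string) (missing []string) {
	for _, id := range expected {
		if _, ok := have[id]; !ok {
			missing = append(missing, id)
		}
	}
	return missing
}
```

With the real library the same check runs over result.Hosts[i].Ports[j].Scripts before an empty script list is trusted.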