Ullaakut / nmap

Idiomatic nmap library for go developers
MIT License

Can't seem to get the output of default script. #27

Closed r3k2 closed 5 years ago

r3k2 commented 5 years ago

Hello.

nmap.WithDefaultScript()

I can get all methods from port.* etc. but can't seem to get the output of the Script. Example:

for _, host := range result.Hosts {
    fmt.Printf("Host %s\n", host.Addresses[0])

    for _, port := range host.Ports {
        fmt.Printf("\tPort %d/%s %s %s %s %s %s\n", port.ID, port.Protocol, port.State, port.Service.Name, port.Service.Product, port.Service.Version, port.Service.ExtraInfo)

        for _, script := range port.Scripts {
            fmt.Printf("%s", script.Output)
        }
    }
}

Trying to get the script.Output from the scripts slice. I'm sure I'm doing something wrong.
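An added example, not code from the original post or from the Ullaakut/nmap library, showing what the loop above is iterating over: the library runs nmap with XML output and fills port.Scripts from the <script> elements of each <port>, so when nmap emits no <script> element for a port the slice is empty and the loop prints nothing. The two XML documents are constructed, modelled on the shape of nmap 7.80 "-oX -" output for the two runs discussed later in this thread; the struct names mirror the library's data model but are this example's own, not the library's types.

```go
package main

import (
	"encoding/xml"
	"fmt"
)

// Hand-written mirror of the parts of nmap's -oX output this example reads.
// These are NOT the Ullaakut/nmap types, but they are shaped the same way:
// a host has addresses and ports, a port has zero or more <script> elements.
type NmapRun struct {
	XMLName xml.Name `xml:"nmaprun"`
	Hosts   []Host   `xml:"host"`
}

type Host struct {
	Addresses []Address `xml:"address"`
	Ports     []Port    `xml:"ports>port"`
}

type Address struct {
	Addr     string `xml:"addr,attr"`
	AddrType string `xml:"addrtype,attr"`
}

type Port struct {
	Protocol string   `xml:"protocol,attr"`
	ID       uint16   `xml:"portid,attr"`
	State    State    `xml:"state"`
	Service  Service  `xml:"service"`
	Scripts  []Script `xml:"script"` // empty when nmap ran no script on this port
}

type State struct {
	State string `xml:"state,attr"`
}

type Service struct {
	Name string `xml:"name,attr"`
}

// Script carries the same text nmap prints under "| <id>:" in normal output.
type Script struct {
	ID     string `xml:"id,attr"`
	Output string `xml:"output,attr"`
}

// ParseRun decodes an nmap XML report; a document whose root element is not
// <nmaprun> is rejected by the decoder because of the XMLName field.
func ParseRun(data []byte) (*NmapRun, error) {
	var run NmapRun
	if err := xml.Unmarshal(data, &run); err != nil {
		return nil, fmt.Errorf("parse nmap xml: %w", err)
	}
	return &run, nil
}

// ScriptOutputs flattens a run into "addr port/proto" -> script id -> output.
// A port with no scripts still gets an (empty) map, so the caller can tell
// "nmap scanned the port but ran no script" from "port not in the report".
func ScriptOutputs(run *NmapRun) map[string]map[string]string {
	out := make(map[string]map[string]string)
	for _, h := range run.Hosts {
		addr := "?"
		if len(h.Addresses) > 0 {
			addr = h.Addresses[0].Addr
		}
		for _, p := range h.Ports {
			key := fmt.Sprintf("%s %d/%s", addr, p.ID, p.Protocol)
			out[key] = make(map[string]string, len(p.Scripts))
			for _, s := range p.Scripts {
				out[key][s.ID] = s.Output
			}
		}
	}
	return out
}

// Constructed sample reports (values taken from this thread, trimmed to what matters).
const runWithScript = `<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -oX - --script http-methods -p443 example.com" version="7.80">
<host><status state="up" reason="syn-ack"/><address addr="93.184.216.34" addrtype="ipv4"/>
<ports><port protocol="tcp" portid="443"><state state="open" reason="syn-ack"/><service name="https" method="table"/>
<script id="http-methods" output="&#xa;  Supported Methods: OPTIONS GET HEAD POST"/>
</port></ports></host></nmaprun>`

const runWithoutScript = `<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -oX - --script default -p443 example.com" version="7.80">
<host><status state="up" reason="syn-ack"/><address addr="93.184.216.34" addrtype="ipv4"/>
<ports><port protocol="tcp" portid="443"><state state="open" reason="syn-ack"/><service name="https" method="table"/>
</port></ports></host></nmaprun>`

func main() {
	for _, doc := range []string{runWithScript, runWithoutScript} {
		run, err := ParseRun([]byte(doc))
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		for port, scripts := range ScriptOutputs(run) {
			fmt.Printf("%s: %d script result(s)\n", port, len(scripts))
			for id, output := range scripts {
				fmt.Printf("  %s: %s\n", id, output)
			}
		}
	}
}
```

Running it prints one http-methods result for the first document and "0 script result(s)" for the second, which is exactly the difference between the two nmap runs reported further down: the iteration code is correct, the data simply is not there.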

TerminalFi commented 5 years ago

@ReK2Fernandez thanks for reaching out.

I am not running into this issue with the latest code. Can you run my example below, which is a modified copy of basic_scan.go from the examples folder?

package main

import (
    "context"
    "fmt"
    "log"
    "strings"
    "time"

    "github.com/Ullaakut/nmap"
)

func main() {
    // Bound the whole scan, scripts included, to five minutes.
    ctx, cancel := context.WithTimeout(context.Background(), 5*time.Minute)
    defer cancel()

    // WithDefaultScript is the library equivalent of "nmap --script default" (-sC).
    scanner, err := nmap.NewScanner(
        nmap.WithTargets("example.com"),
        nmap.WithPorts("80,443,843"),
        nmap.WithContext(ctx),
        nmap.WithDefaultScript(),
    )
    if err != nil {
        log.Fatalf("unable to create nmap scanner: %v", err)
    }

    result, err := scanner.Run()
    if err != nil {
        log.Fatalf("unable to run nmap scan: %v", err)
    }

    // Use the results to print an example output
    for _, host := range result.Hosts {
        if len(host.Ports) == 0 || len(host.Addresses) == 0 {
            continue
        }

        fmt.Printf("Host %q:\n", host.Addresses[0])

        for _, port := range host.Ports {
            fmt.Printf("\tPort %d/%s %s %s\n", port.ID, port.Protocol, port.State, port.Service.Name)
            fmt.Printf("\t\t[ SCRIPT OUTPUT ]\n")
            // Each NSE script that produced output for this port appears once here;
            // the slice is empty if nmap ran no script against the port.
            for _, script := range port.Scripts {
                fmt.Printf("\t\t%s\n", strings.Replace(script.Output, "\n", "\n\t\t\t", -1))
            }
            fmt.Printf("\t\t[ SCRIPT END ]\n")
        }
    }

    fmt.Printf("Nmap done: %d hosts up scanned in %.2f seconds\n", len(result.Hosts), result.Stats.Finished.Elapsed)
}

Ullaakut commented 5 years ago

Not classifying this as a bug for now, but I'll keep track of the issue and update the labels accordingly :)

r3k2 commented 5 years ago

@Ullaakut on my test and yours, it works if I indicate which script, like:

nmap.WithScripts("http-methods"),

but not with the default flag. Maybe there is just nothing to output...

TerminalFi commented 5 years ago

That is interesting, as http-methods is a default scan and should return results, as it does with nmap.WithScripts("http-methods").

Let me look into this.

TerminalFi commented 5 years ago

@ReK2Fernandez this appears to be an nmap concern. See below.

NMAP pulls default scripts from the scripts.db file located in the folder where all nse files reside. Here is a sample from that file that shows http-methods is included as a default script to run when default scripts are called.

Entry { filename = "http-default-accounts.nse", categories = { "auth", "discovery", "intrusive", } }
Entry { filename = "http-favicon.nse", categories = { "default", "discovery", "safe", } }
Entry { filename = "http-generator.nse", categories = { "default", "discovery", "safe", } }
Entry { filename = "http-git.nse", categories = { "default", "safe", "vuln", } }
Entry { filename = "http-ls.nse", categories = { "default", "discovery", "safe", } }
Entry { filename = "http-methods.nse", categories = { "default", "safe", } }
Entry { filename = "http-ntlm-info.nse", categories = { "default", "discovery", "safe", } }
Entry { filename = "http-open-proxy.nse", categories = { "default", "discovery", "external", "safe", } }
Entry { filename = "http-robots.txt.nse", categories = { "default", "discovery", "safe", } }
Entry { filename = "http-svn-enum.nse", categories = { "default", "discovery", "safe", } }
Entry { filename = "http-svn-info.nse", categories = { "default", "discovery", "safe", } }
Entry { filename = "http-title.nse", categories = { "default", "discovery", "safe", } }

However when running the two commands from nmap directly, they produce two different results.

Command: nmap --script http-methods -p443 example.com
Results:

nmap example.com -p443 --script http-methods
Starting Nmap 7.80 ( https://nmap.org ) at 2019-09-04 12:38 EDT
Nmap scan report for example.com (93.184.216.34)
Host is up (0.015s latency).
Other addresses for example.com (not scanned): 2606:2800:220:1:248:1893:25c8:1946

PORT    STATE SERVICE
443/tcp open  https
| http-methods:
|_  Supported Methods: OPTIONS GET HEAD POST

Nmap done: 1 IP address (1 host up) scanned in 0.47 seconds

Command: nmap --script default -p443 example.com
Results:

nmap example.com -p443 --script default
Starting Nmap 7.80 ( https://nmap.org ) at 2019-09-04 12:38 EDT
Nmap scan report for example.com (93.184.216.34)
Host is up (0.014s latency).
Other addresses for example.com (not scanned): 2606:2800:220:1:248:1893:25c8:1946

PORT    STATE SERVICE
443/tcp open  https
|_http-title: Example Domain
| ssl-cert: Subject: commonName=www.example.org/organizationName=Internet Corporation for Assigned Names and Numbers/stateOrProvinceName=California/countryName=US
| Subject Alternative Name: DNS:www.example.org, DNS:example.com, DNS:example.edu, DNS:example.net, DNS:example.org, DNS:www.example.com, DNS:www.example.edu, DNS:www.example.net
| Not valid before: 2018-11-28T00:00:00
|_Not valid after:  2020-12-02T12:00:00
|_ssl-date: TLS randomness does not represent time
| tls-alpn:
|   h2
|_  http/1.1
| tls-nextprotoneg:
|   h2
|   http/1.1
|_  http/1.0

Nmap done: 1 IP address (1 host up) scanned in 1.43 seconds

As it appears, either this is how nmap is meant to function or there is an issue with nmap not executing all default scripts.
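An added example, not nmap's or the library's own code, that parses scripts.db lines of the form quoted above and checks the scripts that "--script default" should select against the script ids that actually produced output in the second run. The scripts.db excerpt and the observed ids (http-title, ssl-cert, ssl-date, tls-alpn, tls-nextprotoneg) are taken from this comment; the parser and its regular expression are this example's own reading of the file's line format, and the excerpt is only the http-* slice of the real file, so ssl-* and tls-* scripts show up as observed but not expected.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// ScriptEntry is one parsed line of nmap's scripts.db.
type ScriptEntry struct {
	Filename   string
	Categories []string
}

// entryRe matches one scripts.db line, e.g.
//   Entry { filename = "http-methods.nse", categories = { "default", "safe", } }
// (this example's own assumption about the line format).
var entryRe = regexp.MustCompile(`^Entry\s*\{\s*filename\s*=\s*"([^"]+)"\s*,\s*categories\s*=\s*\{([^}]*)\}\s*\}\s*$`)
var quotedRe = regexp.MustCompile(`"([^"]*)"`)

// ParseScriptsDB parses scripts.db text line by line; blank lines and Lua
// "--" comments are skipped, anything else that does not match is an error.
func ParseScriptsDB(text string) ([]ScriptEntry, error) {
	var entries []ScriptEntry
	sc := bufio.NewScanner(strings.NewReader(text))
	lineNo := 0
	for sc.Scan() {
		lineNo++
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "--") {
			continue
		}
		m := entryRe.FindStringSubmatch(line)
		if m == nil {
			return nil, fmt.Errorf("scripts.db line %d: unrecognised entry: %q", lineNo, line)
		}
		var cats []string
		for _, q := range quotedRe.FindAllStringSubmatch(m[2], -1) {
			cats = append(cats, q[1])
		}
		entries = append(entries, ScriptEntry{Filename: m[1], Categories: cats})
	}
	return entries, sc.Err()
}

// InCategory returns the sorted script ids (filename without ".nse") that
// nmap selects for "--script <category>".
func InCategory(entries []ScriptEntry, category string) []string {
	var ids []string
	for _, e := range entries {
		for _, c := range e.Categories {
			if c == category {
				ids = append(ids, strings.TrimSuffix(e.Filename, ".nse"))
				break
			}
		}
	}
	sort.Strings(ids)
	return ids
}

// MissingOutput returns the expected script ids that never appeared in the
// observed report, preserving the order of expected.
func MissingOutput(expected, observed []string) []string {
	seen := make(map[string]bool, len(observed))
	for _, id := range observed {
		seen[id] = true
	}
	var missing []string
	for _, id := range expected {
		if !seen[id] {
			missing = append(missing, id)
		}
	}
	return missing
}

// The scripts.db excerpt quoted in this thread (constructed sample input).
const sampleScriptsDB = `Entry { filename = "http-default-accounts.nse", categories = { "auth", "discovery", "intrusive", } }
Entry { filename = "http-favicon.nse", categories = { "default", "discovery", "safe", } }
Entry { filename = "http-generator.nse", categories = { "default", "discovery", "safe", } }
Entry { filename = "http-git.nse", categories = { "default", "safe", "vuln", } }
Entry { filename = "http-ls.nse", categories = { "default", "discovery", "safe", } }
Entry { filename = "http-methods.nse", categories = { "default", "safe", } }
Entry { filename = "http-ntlm-info.nse", categories = { "default", "discovery", "safe", } }
Entry { filename = "http-open-proxy.nse", categories = { "default", "discovery", "external", "safe", } }
Entry { filename = "http-robots.txt.nse", categories = { "default", "discovery", "safe", } }
Entry { filename = "http-svn-enum.nse", categories = { "default", "discovery", "safe", } }
Entry { filename = "http-svn-info.nse", categories = { "default", "discovery", "safe", } }
Entry { filename = "http-title.nse", categories = { "default", "discovery", "safe", } }`

// Script ids that printed output in the "--script default" run above.
var observedDefaultRun = []string{"http-title", "ssl-cert", "ssl-date", "tls-alpn", "tls-nextprotoneg"}

func main() {
	entries, err := ParseScriptsDB(sampleScriptsDB)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	expected := InCategory(entries, "default")
	fmt.Println("default-category scripts in excerpt:", expected)
	fmt.Println("expected but silent in the default run:", MissingOutput(expected, observedDefaultRun))
}
```

Running it lists ten http-* default scripts that produced no output in the default run while http-title did, which is the gap this comment is pointing at; the same check against a full scripts.db is a quick way to tell "nmap skipped the script" from "the script ran and had nothing to say" when a library user sees an empty port.Scripts.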

TerminalFi commented 5 years ago

Confirmed throttling issues. Try using the following option.

nmap.WithTimingTemplate(nmap.TimingSneaky)

Issue opened at https://github.com/nmap/nmap/issues/1724 for clarification on whether this is intended or not.

r3k2 commented 5 years ago

@TheSecEng @Ullaakut hello, sorry, I was out and I'm on the CEST time zone. I have confirmed on my own most of the things you guys are raising here; I was actually going to update with some of them, but since you guys already figured them out, I will not double post. Thanks for looking into this, will try with the timing template.

TerminalFi commented 5 years ago

No worries!

@Ullaakut this can be closed now, as this is just timing issues and not related to the Nmap library.

Ullaakut commented 5 years ago

Thanks for your help @TheSecEng ! 🎉

And @ReK2Fernandez don't hesitate to let us know if you find any other issue :) thanks for using the package!