diff --git a/docs/TODO b/docs/TODO index 06083d5f7..17652138a 100644 --- a/docs/TODO +++ b/docs/TODO @@ -1,14 +1,11 @@ TODO $Id: TODO 11866 2009-01-24 23:10:05Z fyodor $ -*-text-*- - - o Deal with AV false positive issue RE nmap_services.exe: - For now, David is going to apply Ron's patch which removes this, but David will make it print output in verbose mode rather than debug and maybe make it a little less verbose. LT plan is for Ron to encrypt it with OpenSSL. - o [NSE] Consider the http-methods script from Bernd Stroessenreuther. http://seclists.org/nmap-dev/2010/q1/76 @@ -20,6 +17,8 @@ o [NSE] Consider SNMP scripts from Patrik Karlsson. http://seclists.org/nmap-dev/2010/q1/174 http://seclists.org/nmap-dev/2010/q1/178 +o Consider integrating Nping. + o Make the nmap.header.tmpl wording a little more generic so it more clearly applies to Ncat, Zenmap, Nping, etc. Then use templatereplace.pl to apply those changes to the code. [Fyodor] 
@@ -40,12 +39,52 @@ o We should document an official way to compile/test refguide.xml so involve moving legal-notices.xml into /nmap/docs, among other things. +o After the new -sn and -PN options (added to SVN around 7/20, just + after the 5.00 release) have been around long enough to be in most + people's copy of Nmap (e.g. in all the versions we distribute from + download page (stable+dev)) for at least a few months, we'll document + these as the preferred version rather than -sP and -PN. These match + -n, and the main problem with -sP is that we now use it more for + "disable portscan" than ping only. For example, you can also use + NSE, traceroute, etc. [David] + o Add Nmap web board. -o Consider integrating Nping. - o Create Nmap wiki +o Consider rethinking Nmap's -s* syntax for specifing scan types + o Current problems with this -s syntax: + o We already use like 20 of the 26 letters, so we end up with + things like SCTP scan using -sY + o Can make Nmap command lines hard to read, particularly given + that we often need to improvise to find a letter which isn't + taken. + o Problematic for scan types -sI and -b which require arguments + o Inconsistencies. For example, -sC and -sV do script scan and + version detection, respectively, and yet for OS detection we use + -O. Also, control flow (-sP, -sL) is used with -s, which further + overloads the options. + o Possible solution: + o We are enabling -Pn and -sn as preferred notations for -PN and + -sP which mean "no ping" and "no port scan". Those match the + already existing -n for "no DNS". The problem with -sP is that it + implies "ping only", when what it really should mean is "disable + port scan" because you may want to do NSE, OS detection, + traceroute, etc. still. + o We might want to just give them normal option strings, so you + could do --maimon instead of -sM, for example. 
For extremely + common options such as SYN scan, UDP scan, version detection, we + could perhaps find good single letter options as an alias to the + longer one. + o Another idea is to use something like --scantype syn,udp,sctp, + which is a lot longer for single-type scans, but shorter when + you're combining mulitiple ones. Doesn't allow for individual + scan arguments easily. I (Fyodor) think I prefer the idea above + of just givem them top level arguments. + o If we keep -s*, we could just give it one defined function, such + as selecting port scan type, or control flow. + o Obviously this will take some discussion/brainstorming on nmap-dev. + o Do -p- Internet UDP scans. o Test Jay Fink's UDP payload prototype. @@ -55,7 +94,6 @@ o Web site HTML improvements - Maybe start with nmap.org. - Find and fix HTML validation problems, bad links. I'm not sure what tool is best for this. - - Insecure.Org could use a bit of work. On the front page: - Then do the same with seclists.org, insecure.org, sectools.org - The icon on the top-left of the screen should be for (and link to) the root URL of current site. e.g. seclists.org, @@ -88,11 +126,6 @@ o Dependency licensing issues (OpenSSL, Python, GTK+, etc.) o X.org libraries (Mac version links to them) o libdnet -o Seclists.org should be fixed so that it doesn't strip quoted text - for its summaries from the IP list because that list consists almost - entirely of forwarded material which is being stripped. Look at the - summaries at http://seclists.org/interesting-people/. - o Scanning through proxies o Nmap should be able to scan through proxy servers, particularly now that we have an NSE script for detectiong open proxies and now that 
@@ -158,15 +191,6 @@ o [NSE] Improve username/password library (the database files o Remove smtp-open-relay.nse sometime after 9/24/09 if nobody adopts it (see http://seclists.org/nmap-dev/2009/q3/0986.html). -o After the new -sn and -PN options (added to SVN around 7/20, just - after the 5.00 release) have been around long enough to be in most - people's copy of Nmap (e.g. in all the versions we distribute from - download page (stable+dev)) for at least a few months, we'll document - these as the preferred version rather than -sP and -PN. These match - -n, and the main problem with -sP is that we now use it more for - "disable portscan" than ping only. For example, you can also use - NSE, traceroute, etc. [David] - o [Ncat] Drop privileges once it has started up, bound the ports it needs to, etc. @@ -268,6 +292,11 @@ o Investigate and document how easy it is to drop Ncat.exe by itself and Nping, we may want to improve our Winpcap to load as a DLL without requiring installation. There is a separate TODO item for that. +o Seclists.org should maybe be fixed so that it doesn't strip quoted + text for its summaries from the IP list because that list consists + almost entirely of forwarded material which is being stripped. Look + at the summaries at http://seclists.org/interesting-people/. + o Consider offering a way to link Winpcap DLLs so that they start the service as needed rather than requiring explicitly installing Winpcap and having it start upon system boot. CACE has offered such @@ -295,6 +324,8 @@ o [NSE] Web application fingerprinting script. Would be great to be default/common locations. See also a script that does favicon scanning TODO item. +o [NSE] Script writing contest (something to think about) + o [NSE] Consider how we compare to the Nessus Web Application Attack scripts (http://blog.tenablesecurity.com/2009/06/enhanced-web-application-attacks-added-to-nessus.html). 
@@ -355,41 +386,8 @@ o Make Zenmap settings get upgraded when the Zenmap executable is o Zenmap should be able to export normal Nmap output -o Zenmanp should perhaps be able to print Nmap output (if not too much - of a pain to implement.) - -o Consider rethinking Nmap's -s* syntax for specifing scan types - o Current problems with this -s syntax: - o We already use like 20 of the 26 letters, so we end up with - things like SCTP scan using -sY - o Can make Nmap command lines hard to read, particularly given - that we often need to improvise to find a letter which isn't - taken. - o Problematic for scan types -sI and -b which require arguments - o Inconsistencies. For example, -sC and -sV do script scan and - version detection, respectively, and yet for OS detection we use - -O. Also, control flow (-sP, -sL) is used with -s, which further - overloads the options. - o Possible solution: - o We are enabling -Pn and -sn as preferred notations for -PN and - -sP which mean "no ping" and "no port scan". Those match the - already existing -n for "no DNS". The problem with -sP is that it - implies "ping only", when what it really should mean is "disable - port scan" because you may want to do NSE, OS detection, - traceroute, etc. still. - o We might want to just give them normal option strings, so you - could do --maimon instead of -sM, for example. For extremely - common options such as SYN scan, UDP scan, version detection, we - could perhaps find good single letter options as an alias to the - longer one. - o Another idea is to use something like --scantype syn,udp,sctp, - which is a lot longer for single-type scans, but shorter when - you're combining mulitiple ones. Doesn't allow for individual - scan arguments easily. I (Fyodor) think I prefer the idea above - of just givem them top level arguments. - o If we keep -s*, we could just give it one defined function, such - as selecting port scan type, or control flow. 
- o Obviously this will take some discussion/brainstorming on nmap-dev. +o Zenmanp should perhaps be able to print Nmap output on a Printer (if + not too much of a pain to implement.) o libnmap organization for UNIX and Windows o Then change Nmap and Zenmap to simply call this library
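Review bot: in hunk `@@ -1,14 +1,11 @@`, deleting the nmap_services.exe AV false-positive item drops the only record of its long-term plan ("LT plan is for Ron to encrypt it with OpenSSL") even though the item describes Ron's patch as an interim measure ("For now, David is going to apply Ron's patch"). If the encryption approach is still intended, keep a one-line item for it, e.g. `o Encrypt nmap_services.exe with OpenSSL to stop the AV false positive (see Ron's patch) [Ron]`; if it was dropped deliberately, say so in the commit message. The `+o Consider integrating Nping.` added here is the same line removed in the next hunk, so this is a move up the list rather than a new item; worth stating in the commit message as well.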
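Review bot: in hunk `@@ -40,12 +39,52 @@`, the moved "-sn and -PN" item contradicts the -s* block added directly below it: the item says `+o After the new -sn and -PN options` and `these as the preferred version rather than -sP and -PN`, while the block below says `We are enabling -Pn and -sn as preferred notations for -PN and -sP`. Since these lines are rewritten anyway, fix the item to read "the new -sn and -Pn options" and "rather than -sP and -PN". The moved -s* block also carries three typos that could be corrected in the same move: "specifing" (specifying), "mulitiple" (multiple) and "givem them" (give them).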
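Review bot: in hunk `@@ -55,7 +94,6 @@`, the removed line `- Insecure.Org could use a bit of work. On the front page:` ends with a colon that introduced the items following it, but the hunk shows only the next two context lines; check that the items that sat under that heading (the icon/root-URL item and whatever follows it) still read as stand-alone items under "Web site HTML improvements", and that "Then do the same with seclists.org, insecure.org, sectools.org" is not left referring to work on insecure.org that is no longer described.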
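Review bot: in hunk `@@ -295,6 +324,8 @@`, the new `+o [NSE] Script writing contest (something to think about)` item has no owner tag or nmap-dev link, unlike the neighbouring NSE items that cite a thread or blog post; adding an `[owner]` marker or a pointer to where the idea was raised would keep it consistent with the rest of the list and make it actionable.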
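Review bot: in hunk `@@ -355,41 +386,8 @@`, the rewritten line `+o Zenmanp should perhaps be able to print Nmap output on a Printer (if` keeps the "Zenmanp" typo from the removed line and capitalises "Printer"; since the line is being touched anyway, make it "o Zenmap should perhaps be able to print Nmap output on a printer (if". The removal of the -s* syntax block here is the counterpart of its addition in the `@@ -40,12 +39,52 @@` hunk, so the change is a move, not a deletion; noting that in the commit message avoids the appearance that the discussion item was dropped.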