NSE re-categorization

* Merge the "backdoor" category into "malware"
* Add "auth" for authentication credential determination
* Rename "vulnerability" to "vuln"
* Place 12 scripts into their correct categories

docs/refguide.xml

@@ -1893,18 +1893,26 @@ way.</para>
     </para>
     
     <para> 
-    <emphasis>Malware-detection</emphasis> (categories
+    <emphasis>Malware-detection</emphasis> (category <literal>malware</literal>)&mdash;Both attackers
-    <literal>malware</literal> and <literal>backdoor</literal>)- Both attackers
     and worms often leave backdoors&mdash;be it in form of SMTP-servers listening on
     uncommon ports mostly used by spammers for mail relay, or in form of an
     FTP-server giving crackers access to critical data.  A few lines of Lua code
     can help to identify those loopholes easily.  
     </para> 
+
     <para> 
     <emphasis>Vulnerability Detection</emphasis> (category
-    <literal>vulnerability</literal>)- NSE's capacity in detecting risks ranges
+    <literal>vuln</literal>)&mdash;NSE's capacity in detecting risks ranges
-    from checking for default passwords on Apache distributions to testing
+    from testing whether an SMTP server supports relaying mail from arbitrary
-    whether a SMTP-server supports relaying mail from arbitrary domains. 
+    domains to testing whether an HTTP server is vulnerable to directory
+    traversal attacks.
+    </para>
+    
+    <para>
+    <emphasis>Determination of Authentication Credentials</emphasis> (category
+    <literal>auth</literal>)&mdash;NSE can be used for determining authentication
+    credentials on the target's services, with a common method being brute-force
+    attack.
     </para>
     
     <para>
@@ -1918,7 +1926,7 @@ way.</para>
     available NFS/SMB/RPC shares, the number of channels of an irc-network or
     currently logged on users. 
     </para>
-    
+
     <para> 
     To reflect those different uses and to simplify the choice of which
     scripts to run, each script contains a field associating it with one or more

docs/scripting.xml

@@ -185,9 +185,9 @@ Nmap finished: 1 IP address (1 host up) scanned in 0.907 seconds
           Currently defined categories are <literal>safe</literal>,
           <literal>intrusive</literal>, <literal>malware</literal>,
           <literal>version</literal>, <literal>discovery</literal>,
-          <literal>vulnerability</literal> and <literal>default</literal>.
+          <literal>vuln</literal>, <literal>auth</literal> and
-          Categories are not case sensitive.  The following list
+          <literal>default</literal>.  Categories are not case
-          describes each category.</para>
+          sensitive.  The following list describes each category.</para>
 
      <variablelist>
         <varlistentry>
@@ -213,11 +213,12 @@ Nmap finished: 1 IP address (1 host up) scanned in 0.907 seconds
             <option>intrusive</option>
           </term>
           <listitem>
-            <para>These are not intended to
+            <para>These are scripts that cannot be classified in the
-              crash or damage anything, but are more likely to leave
+            "safe" category because the risks are too high that they
-              suspicious logs or otherwise arouse sysadmin ire. Scripts
+            will crash the target system, use up significant resources
-              which attempt to login to services with default passwords
+            on the target host (such as bandwidth or CPU time), or 
-              fall into this class.</para>
+            otherwise be perceived as malicious by the target's
+            system administrators.</para>
           </listitem>
         </varlistentry>
 
@@ -259,10 +260,21 @@ Nmap finished: 1 IP address (1 host up) scanned in 0.907 seconds
 
         <varlistentry>
           <term>
-            <option>vulnerability</option>
+            <option>vuln</option>
           </term>
           <listitem>
-            <para>These scripts check for a specific vulnerability and report results only if it is found.</para>
+            <para>These scripts check for specific known vulnerabilities and
+            generally only report results if it is found.</para>
+          </listitem>
+        </varlistentry>
+
+        <varlistentry>
+          <term>
+            <option>auth</option>
+          </term>
+          <listitem>
+            <para>These scripts try to determine authentication credentials
+            on the target system, often through a brute-force attack.</para>
           </listitem>
         </varlistentry>
 
@@ -272,8 +284,9 @@ Nmap finished: 1 IP address (1 host up) scanned in 0.907 seconds
           </term>
           <listitem>
             <para>These scripts are the default set and are run when
-            using <option>-sC</option>.  This category can also be
+            using <option>-sC</option>, <option>-A</option> or <option>--script</option>
-            specified like any other with <option>--script</option>.
+            without any arguments.  This category can also be specified
+            explicitly like any other using <option>--script</option>.
             Don't be fooled into thinking that just because these scripts
             are run by default that they are all completely unobtrusive:
             these scripts should not be run against target networks without

scripts/HTTPAuth.nse

@@ -9,9 +9,7 @@ author = "Thomas Buchanan <tbuchanan@thecompassgrp.net>"
 
 license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
 
--- uncomment the following line to enable safe category
+categories = {"default", "auth", "intrusive"}
--- categories = {"safe"}
-categories = {"default", "intrusive"}
 
 require "shortport"
 require "http"

scripts/HTTP_open_proxy.nse

@@ -7,7 +7,7 @@
 
 id="Open Proxy Test"
 description="Test if a discovered proxy is open to us by connecting to www.google.com and checking for the 'Server: GWS/' header response."
-categories = {"default", "intrusive"}
+categories = {"default", "discovery", "intrusive"}
 require "comm"
 
 -- I found a nice explode() function in lua-users' wiki. I had to fix it, though.

scripts/HTTPpasswd.nse

@@ -16,7 +16,7 @@ author = "Kris Katterjohn <katterjohn@gmail.com>"
 
 license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
 
-categories = {"intrusive"}
+categories = {"intrusive", "vuln"}
 
 require "shortport"
 require "http"

scripts/RealVNC_auth_bypass.nse

@@ -3,7 +3,7 @@ description="Checks to see if the VNC Server is vulnerable to the RealVNC authen
 author = "Brandon Enright <bmenrigh@ucsd.edu>" 
 license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
 
-categories = {"default", "backdoor"}
+categories = {"default", "malware", "vuln"}
 
 require "shortport"
 

scripts/SQLInject.nse

@@ -33,7 +33,7 @@ author = "Eddie Bell <ejlbell@gmail.com>"
 description = "spiders a http server looking for URLs containing queries \
 		and tries to determines if they are vulnerable to injection attack"
 license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
-categories = {"vulnerability"}
+categories = {"intrusive", "vuln"}
 runlevel = 1.0
 
 -- Change this to increase depth of crawl

scripts/SSHv1-support.nse

@@ -2,7 +2,7 @@ id="SSH Protocol Version 1"
 description="Checks to see if SSH server supports SSH Protocol Version 1."
 author = "Brandon Enright <bmenrigh@ucsd.edu>"
 license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
-categories = {"default", "intrusive"}
+categories = {"default", "safe"}
 
 require "shortport"
 

scripts/SSLv2-support.nse

@@ -3,7 +3,7 @@ description = "determines whether the server (still) supports SSL-v2, and what c
 author = "Matt <mb2263@bristol.ac.uk>"
 license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
 
-categories = {"default", "intrusive"}
+categories = {"default", "safe"}
 
 require "shortport"
 

scripts/anonFTP.nse

@@ -6,7 +6,7 @@ author = "Eddie Bell <ejlbell@gmail.com>"
 
 license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
 
-categories = {"default", "intrusive"}
+categories = {"default", "auth", "intrusive"}
 
 require "shortport"
 

scripts/bruteTelnet.nse

@@ -2,7 +2,7 @@ id='bruteforce'
 author = 'Eddie Bell <ejlbell@gmail.com>'
 description='brute force telnet login credientials'
 license = 'Same as Nmap--See http://nmap.org/book/man-legal.html'
-categories = {'vulnerability'}
+categories = {'auth', 'intrusive'}
 
 require('shortport')
 require('stdnse')

scripts/script.db

@@ -1,70 +1,78 @@
-Entry{ category = "default", filename = "HTTPAuth.nse" }
+Entry{ category = "default", filename = "showOwner.nse" }
-Entry{ category = "intrusive", filename = "HTTPAuth.nse" }
+Entry{ category = "safe", filename = "showOwner.nse" }
-Entry{ category = "default", filename = "HTTP_open_proxy.nse" }
-Entry{ category = "intrusive", filename = "HTTP_open_proxy.nse" }
-Entry{ category = "intrusive", filename = "HTTPpasswd.nse" }
-Entry{ category = "discovery", filename = "HTTPtrace.nse" }
-Entry{ category = "default", filename = "MSSQLm.nse" }
-Entry{ category = "discovery", filename = "MSSQLm.nse" }
-Entry{ category = "intrusive", filename = "MSSQLm.nse" }
-Entry{ category = "default", filename = "MySQLinfo.nse" }
-Entry{ category = "discovery", filename = "MySQLinfo.nse" }
-Entry{ category = "safe", filename = "MySQLinfo.nse" }
-Entry{ category = "version", filename = "PPTPversion.nse" }
-Entry{ category = "default", filename = "RealVNC_auth_bypass.nse" }
-Entry{ category = "backdoor", filename = "RealVNC_auth_bypass.nse" }
-Entry{ category = "demo", filename = "SMTP_openrelay_test.nse" }
-Entry{ category = "default", filename = "SMTPcommands.nse" }
-Entry{ category = "discovery", filename = "SMTPcommands.nse" }
-Entry{ category = "safe", filename = "SMTPcommands.nse" }
-Entry{ category = "default", filename = "SNMPsysdesr.nse" }
-Entry{ category = "discovery", filename = "SNMPsysdesr.nse" }
-Entry{ category = "safe", filename = "SNMPsysdesr.nse" }
-Entry{ category = "vulnerability", filename = "SQLInject.nse" }
-Entry{ category = "default", filename = "SSHv1-support.nse" }
-Entry{ category = "intrusive", filename = "SSHv1-support.nse" }
-Entry{ category = "default", filename = "SSLv2-support.nse" }
-Entry{ category = "intrusive", filename = "SSLv2-support.nse" }
-Entry{ category = "default", filename = "UPnP-info.nse" }
-Entry{ category = "safe", filename = "UPnP-info.nse" }
-Entry{ category = "default", filename = "anonFTP.nse" }
-Entry{ category = "intrusive", filename = "anonFTP.nse" }
-Entry{ category = "vulnerability", filename = "bruteTelnet.nse" }
-Entry{ category = "demo", filename = "chargenTest.nse" }
 Entry{ category = "demo", filename = "daytimeTest.nse" }
+Entry{ category = "default", filename = "RealVNC_auth_bypass.nse" }
+Entry{ category = "malware", filename = "RealVNC_auth_bypass.nse" }
+Entry{ category = "vuln", filename = "RealVNC_auth_bypass.nse" }
+Entry{ category = "intrusive", filename = "SQLInject.nse" }
+Entry{ category = "vuln", filename = "SQLInject.nse" }
+Entry{ category = "auth", filename = "bruteTelnet.nse" }
+Entry{ category = "intrusive", filename = "bruteTelnet.nse" }
+Entry{ category = "discovery", filename = "HTTPtrace.nse" }
+Entry{ category = "demo", filename = "SMTP_openrelay_test.nse" }
+Entry{ category = "default", filename = "HTTPAuth.nse" }
+Entry{ category = "auth", filename = "HTTPAuth.nse" }
+Entry{ category = "intrusive", filename = "HTTPAuth.nse" }
 Entry{ category = "default", filename = "dns-test-open-recursion.nse" }
 Entry{ category = "intrusive", filename = "dns-test-open-recursion.nse" }
-Entry{ category = "demo", filename = "echoTest.nse" }
+Entry{ category = "demo", filename = "chargenTest.nse" }
-Entry{ category = "default", filename = "finger.nse" }
-Entry{ category = "discovery", filename = "finger.nse" }
-Entry{ category = "default", filename = "ftpbounce.nse" }
-Entry{ category = "intrusive", filename = "ftpbounce.nse" }
-Entry{ category = "version", filename = "iax2Detect.nse" }
-Entry{ category = "default", filename = "ircServerInfo.nse" }
-Entry{ category = "discovery", filename = "ircServerInfo.nse" }
-Entry{ category = "malware", filename = "ircZombieTest.nse" }
-Entry{ category = "default", filename = "nbstat.nse" }
-Entry{ category = "discovery", filename = "nbstat.nse" }
-Entry{ category = "safe", filename = "nbstat.nse" }
-Entry{ category = "version", filename = "netbios-smb-os-discovery.nse" }
-Entry{ category = "discovery", filename = "promiscuous.nse" }
-Entry{ category = "discovery", filename = "ripeQuery.nse" }
-Entry{ category = "default", filename = "robots.nse" }
-Entry{ category = "safe", filename = "robots.nse" }
-Entry{ category = "default", filename = "rpcinfo.nse" }
-Entry{ category = "safe", filename = "rpcinfo.nse" }
-Entry{ category = "discovery", filename = "rpcinfo.nse" }
 Entry{ category = "default", filename = "showHTMLTitle.nse" }
 Entry{ category = "demo", filename = "showHTMLTitle.nse" }
 Entry{ category = "safe", filename = "showHTMLTitle.nse" }
-Entry{ category = "", filename = "showHTTPVersion.nse" }
+Entry{ category = "default", filename = "MSSQLm.nse" }
-Entry{ category = "default", filename = "showOwner.nse" }
+Entry{ category = "discovery", filename = "MSSQLm.nse" }
-Entry{ category = "safe", filename = "showOwner.nse" }
+Entry{ category = "intrusive", filename = "MSSQLm.nse" }
-Entry{ category = "demo", filename = "showSMTPVersion.nse" }
+Entry{ category = "demo", filename = "echoTest.nse" }
-Entry{ category = "demo", filename = "showSSHVersion.nse" }
+Entry{ category = "default", filename = "SSHv1-support.nse" }
-Entry{ category = "version", filename = "skype_v2-version.nse" }
+Entry{ category = "safe", filename = "SSHv1-support.nse" }
-Entry{ category = "backdoor", filename = "strangeSMTPport.nse" }
+Entry{ category = "auth", filename = "xamppDefaultPass.nse" }
-Entry{ category = "vulnerability", filename = "xamppDefaultPass.nse" }
+Entry{ category = "vuln", filename = "xamppDefaultPass.nse" }
+Entry{ category = "default", filename = "MySQLinfo.nse" }
+Entry{ category = "discovery", filename = "MySQLinfo.nse" }
+Entry{ category = "safe", filename = "MySQLinfo.nse" }
+Entry{ category = "default", filename = "SSLv2-support.nse" }
+Entry{ category = "safe", filename = "SSLv2-support.nse" }
 Entry{ category = "default", filename = "zoneTrans.nse" }
 Entry{ category = "intrusive", filename = "zoneTrans.nse" }
 Entry{ category = "discovery", filename = "zoneTrans.nse" }
+Entry{ category = "default", filename = "ftpbounce.nse" }
+Entry{ category = "intrusive", filename = "ftpbounce.nse" }
+Entry{ category = "version", filename = "skype_v2-version.nse" }
+Entry{ category = "discovery", filename = "promiscuous.nse" }
+Entry{ category = "default", filename = "SNMPsysdesr.nse" }
+Entry{ category = "discovery", filename = "SNMPsysdesr.nse" }
+Entry{ category = "safe", filename = "SNMPsysdesr.nse" }
+Entry{ category = "demo", filename = "showSMTPVersion.nse" }
+Entry{ category = "default", filename = "nbstat.nse" }
+Entry{ category = "discovery", filename = "nbstat.nse" }
+Entry{ category = "safe", filename = "nbstat.nse" }
+Entry{ category = "version", filename = "iax2Detect.nse" }
+Entry{ category = "default", filename = "rpcinfo.nse" }
+Entry{ category = "safe", filename = "rpcinfo.nse" }
+Entry{ category = "discovery", filename = "rpcinfo.nse" }
+Entry{ category = "default", filename = "HTTP_open_proxy.nse" }
+Entry{ category = "discovery", filename = "HTTP_open_proxy.nse" }
+Entry{ category = "intrusive", filename = "HTTP_open_proxy.nse" }
+Entry{ category = "intrusive", filename = "HTTPpasswd.nse" }
+Entry{ category = "vuln", filename = "HTTPpasswd.nse" }
+Entry{ category = "demo", filename = "showSSHVersion.nse" }
+Entry{ category = "default", filename = "SMTPcommands.nse" }
+Entry{ category = "discovery", filename = "SMTPcommands.nse" }
+Entry{ category = "safe", filename = "SMTPcommands.nse" }
+Entry{ category = "default", filename = "anonFTP.nse" }
+Entry{ category = "auth", filename = "anonFTP.nse" }
+Entry{ category = "intrusive", filename = "anonFTP.nse" }
+Entry{ category = "version", filename = "netbios-smb-os-discovery.nse" }
+Entry{ category = "default", filename = "robots.nse" }
+Entry{ category = "safe", filename = "robots.nse" }
+Entry{ category = "default", filename = "finger.nse" }
+Entry{ category = "discovery", filename = "finger.nse" }
+Entry{ category = "default", filename = "UPnP-info.nse" }
+Entry{ category = "safe", filename = "UPnP-info.nse" }
+Entry{ category = "malware", filename = "strangeSMTPport.nse" }
+Entry{ category = "default", filename = "ircServerInfo.nse" }
+Entry{ category = "discovery", filename = "ircServerInfo.nse" }
+Entry{ category = "malware", filename = "ircZombieTest.nse" }
+Entry{ category = "discovery", filename = "ripeQuery.nse" }
+Entry{ category = "demo", filename = "showHTTPVersion.nse" }
+Entry{ category = "version", filename = "PPTPversion.nse" }

scripts/showHTTPVersion.nse

@@ -10,7 +10,7 @@ license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
 
 -- add this script to "version" if you really want to execute it
 -- keep in mind you can (and should) only execute it with -sV
-categories = {""}
+categories = {"demo"}
 -- categories = {"version"}
 
 runlevel = 1.0

scripts/strangeSMTPport.nse

@@ -9,7 +9,7 @@ author = "Diman Todorov <diman.todorov@gmail.com>"
 
 license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
 
-categories = {"backdoor"}
+categories = {"malware"}
 
 portrule = function(host, port) 
 	if 

scripts/xamppDefaultPass.nse

@@ -8,7 +8,7 @@ author = "Diman Todorov <diman.todorov@gmail.com>"
 
 license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
 
-categories = {"vulnerability"}
+categories = {"auth", "vuln"}
 
 require "shortport"