NSE re-categorization

* Merge the "backdoor" category into "malware" * Add "auth" for authentication credential determination * Rename "vulnerability" to "vuln" * Place 12 scripts into their correct categories
2025-12-09 06:01:28 +00:00 · 2008-06-21 06:34:03 +00:00
parent 30d60b97ed
commit ac5138b975
15 changed files with 120 additions and 93 deletions
--- a/docs/refguide.xml
+++ b/docs/refguide.xml
@@ -1893,18 +1893,26 @@ way.</para>
    </para>
    
    <para> 
-    <emphasis>Malware-detection</emphasis> (categories
-    <literal>malware</literal> and <literal>backdoor</literal>)- Both attackers
+    <emphasis>Malware-detection</emphasis> (category <literal>malware</literal>)&mdash;Both attackers
    and worms often leave backdoors&mdash;be it in form of SMTP-servers listening on
    uncommon ports mostly used by spammers for mail relay, or in form of an
    FTP-server giving crackers access to critical data.  A few lines of Lua code
    can help to identify those loopholes easily.  
    </para> 
+
    <para> 
    <emphasis>Vulnerability Detection</emphasis> (category
-    <literal>vulnerability</literal>)- NSE's capacity in detecting risks ranges
-    from checking for default passwords on Apache distributions to testing
-    whether a SMTP-server supports relaying mail from arbitrary domains. 
+    <literal>vuln</literal>)&mdash;NSE's capacity in detecting risks ranges
+    from testing whether an SMTP server supports relaying mail from arbitrary
+    domains to testing whether an HTTP server is vulnerable to directory
+    traversal attacks.
+    </para>
+    
+    <para>
+    <emphasis>Determination of Authentication Credentials</emphasis> (category
+    <literal>auth</literal>)&mdash;NSE can be used for determining authentication
+    credentials on the target's services, with a common method being brute-force
+    attack.
    </para>
    
    <para>
@@ -1918,7 +1926,7 @@ way.</para>
    available NFS/SMB/RPC shares, the number of channels of an irc-network or
    currently logged on users. 
    </para>
-    
+
    <para> 
    To reflect those different uses and to simplify the choice of which
    scripts to run, each script contains a field associating it with one or more
--- a/docs/scripting.xml
+++ b/docs/scripting.xml
@@ -185,9 +185,9 @@ Nmap finished: 1 IP address (1 host up) scanned in 0.907 seconds
          Currently defined categories are <literal>safe</literal>,
          <literal>intrusive</literal>, <literal>malware</literal>,
          <literal>version</literal>, <literal>discovery</literal>,
-          <literal>vulnerability</literal> and <literal>default</literal>.
-          Categories are not case sensitive.  The following list
-          describes each category.</para>
+          <literal>vuln</literal>, <literal>auth</literal> and
+          <literal>default</literal>.  Categories are not case
+          sensitive.  The following list describes each category.</para>

     <variablelist>
        <varlistentry>
@@ -213,11 +213,12 @@ Nmap finished: 1 IP address (1 host up) scanned in 0.907 seconds
            <option>intrusive</option>
          </term>
          <listitem>
-            <para>These are not intended to
-              crash or damage anything, but are more likely to leave
-              suspicious logs or otherwise arouse sysadmin ire. Scripts
-              which attempt to login to services with default passwords
-              fall into this class.</para>
+            <para>These are scripts that cannot be classified in the
+            "safe" category because the risks are too high that they
+            will crash the target system, use up significant resources
+            on the target host (such as bandwidth or CPU time), or 
+            otherwise be perceived as malicious by the target's
+            system administrators.</para>
          </listitem>
        </varlistentry>

@@ -259,10 +260,21 @@ Nmap finished: 1 IP address (1 host up) scanned in 0.907 seconds

        <varlistentry>
          <term>
-            <option>vulnerability</option>
+            <option>vuln</option>
          </term>
          <listitem>
-            <para>These scripts check for a specific vulnerability and report results only if it is found.</para>
+            <para>These scripts check for specific known vulnerabilities and
+            generally only report results if it is found.</para>
+          </listitem>
+        </varlistentry>
+
+        <varlistentry>
+          <term>
+            <option>auth</option>
+          </term>
+          <listitem>
+            <para>These scripts try to determine authentication credentials
+            on the target system, often through a brute-force attack.</para>
          </listitem>
        </varlistentry>

@@ -272,8 +284,9 @@ Nmap finished: 1 IP address (1 host up) scanned in 0.907 seconds
          </term>
          <listitem>
            <para>These scripts are the default set and are run when
-            using <option>-sC</option>.  This category can also be
-            specified like any other with <option>--script</option>.
+            using <option>-sC</option>, <option>-A</option> or <option>--script</option>
+            without any arguments.  This category can also be specified
+            explicitly like any other using <option>--script</option>.
            Don't be fooled into thinking that just because these scripts
            are run by default that they are all completely unobtrusive:
            these scripts should not be run against target networks without
--- a/scripts/HTTPAuth.nse
+++ b/scripts/HTTPAuth.nse
@@ -9,9 +9,7 @@ author = "Thomas Buchanan <tbuchanan@thecompassgrp.net>"

 license = "Same as Nmap--See http://nmap.org/book/man-legal.html"

-- uncomment the following line to enable safe category
-- categories = {"safe"}
-categories = {"default", "intrusive"}
+categories = {"default", "auth", "intrusive"}

 require "shortport"
 require "http"
--- a/scripts/HTTP_open_proxy.nse
+++ b/scripts/HTTP_open_proxy.nse
@@ -7,7 +7,7 @@

 id="Open Proxy Test"
 description="Test if a discovered proxy is open to us by connecting to www.google.com and checking for the 'Server: GWS/' header response."
-categories = {"default", "intrusive"}
+categories = {"default", "discovery", "intrusive"}
 require "comm"

 -- I found a nice explode() function in lua-users' wiki. I had to fix it, though.
--- a/scripts/HTTPpasswd.nse
+++ b/scripts/HTTPpasswd.nse
@@ -16,7 +16,7 @@ author = "Kris Katterjohn <katterjohn@gmail.com>"

 license = "Same as Nmap--See http://nmap.org/book/man-legal.html"

-categories = {"intrusive"}
+categories = {"intrusive", "vuln"}

 require "shortport"
 require "http"
--- a/scripts/RealVNC_auth_bypass.nse
+++ b/scripts/RealVNC_auth_bypass.nse
@@ -3,7 +3,7 @@ description="Checks to see if the VNC Server is vulnerable to the RealVNC authen
 author = "Brandon Enright <bmenrigh@ucsd.edu>" 
 license = "Same as Nmap--See http://nmap.org/book/man-legal.html"

-categories = {"default", "backdoor"}
+categories = {"default", "malware", "vuln"}

 require "shortport"

--- a/scripts/SQLInject.nse
+++ b/scripts/SQLInject.nse
@@ -33,7 +33,7 @@ author = "Eddie Bell <ejlbell@gmail.com>"
 description = "spiders a http server looking for URLs containing queries \
 		and tries to determines if they are vulnerable to injection attack"
 license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
-categories = {"vulnerability"}
+categories = {"intrusive", "vuln"}
 runlevel = 1.0

 -- Change this to increase depth of crawl
--- a/scripts/SSHv1-support.nse
+++ b/scripts/SSHv1-support.nse
@@ -2,7 +2,7 @@ id="SSH Protocol Version 1"
 description="Checks to see if SSH server supports SSH Protocol Version 1."
 author = "Brandon Enright <bmenrigh@ucsd.edu>"
 license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
-categories = {"default", "intrusive"}
+categories = {"default", "safe"}

 require "shortport"

--- a/scripts/SSLv2-support.nse
+++ b/scripts/SSLv2-support.nse
@@ -3,7 +3,7 @@ description = "determines whether the server (still) supports SSL-v2, and what c
 author = "Matt <mb2263@bristol.ac.uk>"
 license = "Same as Nmap--See http://nmap.org/book/man-legal.html"

-categories = {"default", "intrusive"}
+categories = {"default", "safe"}

 require "shortport"

--- a/scripts/anonFTP.nse
+++ b/scripts/anonFTP.nse
@@ -6,7 +6,7 @@ author = "Eddie Bell <ejlbell@gmail.com>"

 license = "Same as Nmap--See http://nmap.org/book/man-legal.html"

-categories = {"default", "intrusive"}
+categories = {"default", "auth", "intrusive"}

 require "shortport"

--- a/scripts/bruteTelnet.nse
+++ b/scripts/bruteTelnet.nse
@@ -2,7 +2,7 @@ id='bruteforce'
 author = 'Eddie Bell <ejlbell@gmail.com>'
 description='brute force telnet login credientials'
 license = 'Same as Nmap--See http://nmap.org/book/man-legal.html'
-categories = {'vulnerability'}
+categories = {'auth', 'intrusive'}

 require('shortport')
 require('stdnse')
--- a/scripts/script.db
+++ b/scripts/script.db
@@ -1,70 +1,78 @@
-Entry{ category = "default", filename = "HTTPAuth.nse" }
-Entry{ category = "intrusive", filename = "HTTPAuth.nse" }
-Entry{ category = "default", filename = "HTTP_open_proxy.nse" }
-Entry{ category = "intrusive", filename = "HTTP_open_proxy.nse" }
-Entry{ category = "intrusive", filename = "HTTPpasswd.nse" }
-Entry{ category = "discovery", filename = "HTTPtrace.nse" }
-Entry{ category = "default", filename = "MSSQLm.nse" }
-Entry{ category = "discovery", filename = "MSSQLm.nse" }
-Entry{ category = "intrusive", filename = "MSSQLm.nse" }
-Entry{ category = "default", filename = "MySQLinfo.nse" }
-Entry{ category = "discovery", filename = "MySQLinfo.nse" }
-Entry{ category = "safe", filename = "MySQLinfo.nse" }
-Entry{ category = "version", filename = "PPTPversion.nse" }
-Entry{ category = "default", filename = "RealVNC_auth_bypass.nse" }
-Entry{ category = "backdoor", filename = "RealVNC_auth_bypass.nse" }
-Entry{ category = "demo", filename = "SMTP_openrelay_test.nse" }
-Entry{ category = "default", filename = "SMTPcommands.nse" }
-Entry{ category = "discovery", filename = "SMTPcommands.nse" }
-Entry{ category = "safe", filename = "SMTPcommands.nse" }
-Entry{ category = "default", filename = "SNMPsysdesr.nse" }
-Entry{ category = "discovery", filename = "SNMPsysdesr.nse" }
-Entry{ category = "safe", filename = "SNMPsysdesr.nse" }
-Entry{ category = "vulnerability", filename = "SQLInject.nse" }
-Entry{ category = "default", filename = "SSHv1-support.nse" }
-Entry{ category = "intrusive", filename = "SSHv1-support.nse" }
-Entry{ category = "default", filename = "SSLv2-support.nse" }
-Entry{ category = "intrusive", filename = "SSLv2-support.nse" }
-Entry{ category = "default", filename = "UPnP-info.nse" }
-Entry{ category = "safe", filename = "UPnP-info.nse" }
-Entry{ category = "default", filename = "anonFTP.nse" }
-Entry{ category = "intrusive", filename = "anonFTP.nse" }
-Entry{ category = "vulnerability", filename = "bruteTelnet.nse" }
-Entry{ category = "demo", filename = "chargenTest.nse" }
+Entry{ category = "default", filename = "showOwner.nse" }
+Entry{ category = "safe", filename = "showOwner.nse" }
 Entry{ category = "demo", filename = "daytimeTest.nse" }
+Entry{ category = "default", filename = "RealVNC_auth_bypass.nse" }
+Entry{ category = "malware", filename = "RealVNC_auth_bypass.nse" }
+Entry{ category = "vuln", filename = "RealVNC_auth_bypass.nse" }
+Entry{ category = "intrusive", filename = "SQLInject.nse" }
+Entry{ category = "vuln", filename = "SQLInject.nse" }
+Entry{ category = "auth", filename = "bruteTelnet.nse" }
+Entry{ category = "intrusive", filename = "bruteTelnet.nse" }
+Entry{ category = "discovery", filename = "HTTPtrace.nse" }
+Entry{ category = "demo", filename = "SMTP_openrelay_test.nse" }
+Entry{ category = "default", filename = "HTTPAuth.nse" }
+Entry{ category = "auth", filename = "HTTPAuth.nse" }
+Entry{ category = "intrusive", filename = "HTTPAuth.nse" }
 Entry{ category = "default", filename = "dns-test-open-recursion.nse" }
 Entry{ category = "intrusive", filename = "dns-test-open-recursion.nse" }
-Entry{ category = "demo", filename = "echoTest.nse" }
-Entry{ category = "default", filename = "finger.nse" }
-Entry{ category = "discovery", filename = "finger.nse" }
-Entry{ category = "default", filename = "ftpbounce.nse" }
-Entry{ category = "intrusive", filename = "ftpbounce.nse" }
-Entry{ category = "version", filename = "iax2Detect.nse" }
-Entry{ category = "default", filename = "ircServerInfo.nse" }
-Entry{ category = "discovery", filename = "ircServerInfo.nse" }
-Entry{ category = "malware", filename = "ircZombieTest.nse" }
-Entry{ category = "default", filename = "nbstat.nse" }
-Entry{ category = "discovery", filename = "nbstat.nse" }
-Entry{ category = "safe", filename = "nbstat.nse" }
-Entry{ category = "version", filename = "netbios-smb-os-discovery.nse" }
-Entry{ category = "discovery", filename = "promiscuous.nse" }
-Entry{ category = "discovery", filename = "ripeQuery.nse" }
-Entry{ category = "default", filename = "robots.nse" }
-Entry{ category = "safe", filename = "robots.nse" }
-Entry{ category = "default", filename = "rpcinfo.nse" }
-Entry{ category = "safe", filename = "rpcinfo.nse" }
-Entry{ category = "discovery", filename = "rpcinfo.nse" }
+Entry{ category = "demo", filename = "chargenTest.nse" }
 Entry{ category = "default", filename = "showHTMLTitle.nse" }
 Entry{ category = "demo", filename = "showHTMLTitle.nse" }
 Entry{ category = "safe", filename = "showHTMLTitle.nse" }
-Entry{ category = "", filename = "showHTTPVersion.nse" }
-Entry{ category = "default", filename = "showOwner.nse" }
-Entry{ category = "safe", filename = "showOwner.nse" }
-Entry{ category = "demo", filename = "showSMTPVersion.nse" }
-Entry{ category = "demo", filename = "showSSHVersion.nse" }
-Entry{ category = "version", filename = "skype_v2-version.nse" }
-Entry{ category = "backdoor", filename = "strangeSMTPport.nse" }
-Entry{ category = "vulnerability", filename = "xamppDefaultPass.nse" }
+Entry{ category = "default", filename = "MSSQLm.nse" }
+Entry{ category = "discovery", filename = "MSSQLm.nse" }
+Entry{ category = "intrusive", filename = "MSSQLm.nse" }
+Entry{ category = "demo", filename = "echoTest.nse" }
+Entry{ category = "default", filename = "SSHv1-support.nse" }
+Entry{ category = "safe", filename = "SSHv1-support.nse" }
+Entry{ category = "auth", filename = "xamppDefaultPass.nse" }
+Entry{ category = "vuln", filename = "xamppDefaultPass.nse" }
+Entry{ category = "default", filename = "MySQLinfo.nse" }
+Entry{ category = "discovery", filename = "MySQLinfo.nse" }
+Entry{ category = "safe", filename = "MySQLinfo.nse" }
+Entry{ category = "default", filename = "SSLv2-support.nse" }
+Entry{ category = "safe", filename = "SSLv2-support.nse" }
 Entry{ category = "default", filename = "zoneTrans.nse" }
 Entry{ category = "intrusive", filename = "zoneTrans.nse" }
 Entry{ category = "discovery", filename = "zoneTrans.nse" }
+Entry{ category = "default", filename = "ftpbounce.nse" }
+Entry{ category = "intrusive", filename = "ftpbounce.nse" }
+Entry{ category = "version", filename = "skype_v2-version.nse" }
+Entry{ category = "discovery", filename = "promiscuous.nse" }
+Entry{ category = "default", filename = "SNMPsysdesr.nse" }
+Entry{ category = "discovery", filename = "SNMPsysdesr.nse" }
+Entry{ category = "safe", filename = "SNMPsysdesr.nse" }
+Entry{ category = "demo", filename = "showSMTPVersion.nse" }
+Entry{ category = "default", filename = "nbstat.nse" }
+Entry{ category = "discovery", filename = "nbstat.nse" }
+Entry{ category = "safe", filename = "nbstat.nse" }
+Entry{ category = "version", filename = "iax2Detect.nse" }
+Entry{ category = "default", filename = "rpcinfo.nse" }
+Entry{ category = "safe", filename = "rpcinfo.nse" }
+Entry{ category = "discovery", filename = "rpcinfo.nse" }
+Entry{ category = "default", filename = "HTTP_open_proxy.nse" }
+Entry{ category = "discovery", filename = "HTTP_open_proxy.nse" }
+Entry{ category = "intrusive", filename = "HTTP_open_proxy.nse" }
+Entry{ category = "intrusive", filename = "HTTPpasswd.nse" }
+Entry{ category = "vuln", filename = "HTTPpasswd.nse" }
+Entry{ category = "demo", filename = "showSSHVersion.nse" }
+Entry{ category = "default", filename = "SMTPcommands.nse" }
+Entry{ category = "discovery", filename = "SMTPcommands.nse" }
+Entry{ category = "safe", filename = "SMTPcommands.nse" }
+Entry{ category = "default", filename = "anonFTP.nse" }
+Entry{ category = "auth", filename = "anonFTP.nse" }
+Entry{ category = "intrusive", filename = "anonFTP.nse" }
+Entry{ category = "version", filename = "netbios-smb-os-discovery.nse" }
+Entry{ category = "default", filename = "robots.nse" }
+Entry{ category = "safe", filename = "robots.nse" }
+Entry{ category = "default", filename = "finger.nse" }
+Entry{ category = "discovery", filename = "finger.nse" }
+Entry{ category = "default", filename = "UPnP-info.nse" }
+Entry{ category = "safe", filename = "UPnP-info.nse" }
+Entry{ category = "malware", filename = "strangeSMTPport.nse" }
+Entry{ category = "default", filename = "ircServerInfo.nse" }
+Entry{ category = "discovery", filename = "ircServerInfo.nse" }
+Entry{ category = "malware", filename = "ircZombieTest.nse" }
+Entry{ category = "discovery", filename = "ripeQuery.nse" }
+Entry{ category = "demo", filename = "showHTTPVersion.nse" }
+Entry{ category = "version", filename = "PPTPversion.nse" }
--- a/scripts/showHTTPVersion.nse
+++ b/scripts/showHTTPVersion.nse
@@ -10,7 +10,7 @@ license = "Same as Nmap--See http://nmap.org/book/man-legal.html"

 -- add this script to "version" if you really want to execute it
 -- keep in mind you can (and should) only execute it with -sV
-categories = {""}
+categories = {"demo"}
 -- categories = {"version"}

 runlevel = 1.0
--- a/scripts/strangeSMTPport.nse
+++ b/scripts/strangeSMTPport.nse
@@ -9,7 +9,7 @@ author = "Diman Todorov <diman.todorov@gmail.com>"

 license = "Same as Nmap--See http://nmap.org/book/man-legal.html"

-categories = {"backdoor"}
+categories = {"malware"}

 portrule = function(host, port) 
 	if 
--- a/scripts/xamppDefaultPass.nse
+++ b/scripts/xamppDefaultPass.nse
@@ -8,7 +8,7 @@ author = "Diman Todorov <diman.todorov@gmail.com>"

 license = "Same as Nmap--See http://nmap.org/book/man-legal.html"

-categories = {"vulnerability"}
+categories = {"auth", "vuln"}

 require "shortport"