mirror of https://github.com/nmap/nmap.git synced 2025-12-14 19:59:02 +00:00

NSE now has a "default" category for scripts. This category holds the set
of scripts chosen from when using -sC (but it's still just another category
and so can be chosen with --script like any other).

On top of updating the docs with information about this new category, I've
also updated sections to emphasize that the "default" category, -sC and -A
are considered intrusive and should not be run against target networks
without permission.

The new list is very similar to the previous "safe,intrusive" list:

Added: finger, ircServerInfo, RealVNC_auth_bypass
Removed: HTTPpasswd

Here are the 21 scripts in this new category:

anonFTP
dns-test-open-recursion
finger
ftpbounce
HTTPAuth
HTTP_open_proxy
ircServerInfo
MSSQLm
MySQLinfo
nbstat
RealVNC_auth_bypass
robots
rpcinfo
showHTMLTitle
showOwner
SMTPcommands
SNMPsysdesr
SSHv1-support
SSLv2-support
UPnP-info
zoneTrans
This commit is contained in:
kris
2008-05-28 07:16:32 +00:00
parent 94212e4df4
commit c7eb8011d9
26 changed files with 78 additions and 40 deletions
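As an added example that is not part of this commit or of Nmap's own code, the following Python script resolves a `--script` specification against the `script.db` format that appears in this commit and reproduces the Added/Removed comparison from the commit message. The `script.db` text is a constructed excerpt of the post-change entries shown on this page (every `default`, `safe` and `intrusive` entry plus a few others), and the selection rules are a simplification of Nmap's: a comma-separated list, case-insensitive category names (as the documentation in this commit states), and an item ending in `.nse` taken as an explicit script file.

```python
# Added example, not Nmap's code: resolve an NSE --script spec against a
# script.db index and compare the old -sC set (safe,intrusive) with the new
# one (default).
# Assumptions: SCRIPT_DB is a constructed excerpt of this commit's
# post-change script.db; the selection rules below are a simplification of
# Nmap's (comma-separated spec, case-insensitive category names, an item
# ending in ".nse" is an explicit script file, unknown categories select
# nothing).
import re

SCRIPT_DB = '''
Entry{ category = "default", filename = "HTTPAuth.nse" }
Entry{ category = "intrusive", filename = "HTTPAuth.nse" }
Entry{ category = "default", filename = "HTTP_open_proxy.nse" }
Entry{ category = "intrusive", filename = "HTTP_open_proxy.nse" }
Entry{ category = "intrusive", filename = "HTTPpasswd.nse" }
Entry{ category = "default", filename = "MSSQLm.nse" }
Entry{ category = "intrusive", filename = "MSSQLm.nse" }
Entry{ category = "default", filename = "MySQLinfo.nse" }
Entry{ category = "safe", filename = "MySQLinfo.nse" }
Entry{ category = "default", filename = "RealVNC_auth_bypass.nse" }
Entry{ category = "backdoor", filename = "RealVNC_auth_bypass.nse" }
Entry{ category = "default", filename = "SMTPcommands.nse" }
Entry{ category = "safe", filename = "SMTPcommands.nse" }
Entry{ category = "default", filename = "SNMPsysdesr.nse" }
Entry{ category = "safe", filename = "SNMPsysdesr.nse" }
Entry{ category = "default", filename = "SSHv1-support.nse" }
Entry{ category = "intrusive", filename = "SSHv1-support.nse" }
Entry{ category = "default", filename = "SSLv2-support.nse" }
Entry{ category = "intrusive", filename = "SSLv2-support.nse" }
Entry{ category = "default", filename = "UPnP-info.nse" }
Entry{ category = "safe", filename = "UPnP-info.nse" }
Entry{ category = "default", filename = "anonFTP.nse" }
Entry{ category = "intrusive", filename = "anonFTP.nse" }
Entry{ category = "default", filename = "dns-test-open-recursion.nse" }
Entry{ category = "intrusive", filename = "dns-test-open-recursion.nse" }
Entry{ category = "default", filename = "finger.nse" }
Entry{ category = "discovery", filename = "finger.nse" }
Entry{ category = "default", filename = "ftpbounce.nse" }
Entry{ category = "intrusive", filename = "ftpbounce.nse" }
Entry{ category = "default", filename = "ircServerInfo.nse" }
Entry{ category = "default", filename = "nbstat.nse" }
Entry{ category = "safe", filename = "nbstat.nse" }
Entry{ category = "default", filename = "robots.nse" }
Entry{ category = "safe", filename = "robots.nse" }
Entry{ category = "default", filename = "rpcinfo.nse" }
Entry{ category = "safe", filename = "rpcinfo.nse" }
Entry{ category = "default", filename = "showHTMLTitle.nse" }
Entry{ category = "demo", filename = "showHTMLTitle.nse" }
Entry{ category = "safe", filename = "showHTMLTitle.nse" }
Entry{ category = "", filename = "showHTTPVersion.nse" }
Entry{ category = "default", filename = "showOwner.nse" }
Entry{ category = "safe", filename = "showOwner.nse" }
Entry{ category = "default", filename = "zoneTrans.nse" }
Entry{ category = "intrusive", filename = "zoneTrans.nse" }
Entry{ category = "discovery", filename = "zoneTrans.nse" }
'''

ENTRY_RE = re.compile(
    r'Entry\{\s*category\s*=\s*"([^"]*)"\s*,\s*filename\s*=\s*"([^"]+)"\s*\}')


def parse_script_db(text):
    """Index script.db as {category: set(filenames)}; categories lower-cased."""
    by_cat = {}
    for cat, fname in ENTRY_RE.findall(text):
        # An empty category string lands under "" and is never selectable.
        by_cat.setdefault(cat.lower(), set()).add(fname)
    return by_cat


def select_scripts(by_cat, spec):
    """Resolve a --script spec such as "default" or "safe,intrusive"."""
    chosen = set()
    for item in (s.strip() for s in spec.split(",")):
        if not item:
            continue
        if item.endswith(".nse"):
            chosen.add(item)          # explicit script file
        else:
            chosen |= by_cat.get(item.lower(), set())
    return chosen


def compare_selections(by_cat, old_spec, new_spec):
    """Return (added, removed) when switching from old_spec to new_spec."""
    old = select_scripts(by_cat, old_spec)
    new = select_scripts(by_cat, new_spec)
    return sorted(new - old), sorted(old - new)


if __name__ == "__main__":
    db = parse_script_db(SCRIPT_DB)
    added, removed = compare_selections(db, "safe,intrusive", "default")
    print("Added:", ", ".join(added))
    print("Removed:", ", ".join(removed))
    print(len(select_scripts(db, "default")), "scripts in the default set")
```

Run against the excerpt, the comparison yields the three additions and one removal listed in the commit message, and the entry with an empty category (showHTTPVersion.nse) shows up under the `""` key of the index, which is why no category spec will ever run it.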

View File

@@ -1939,8 +1939,10 @@ way.</para>
<listitem> <listitem>
<para>performs a script scan using the default set of scripts. it is <para>Performs a script scan using the default set of scripts. It is
equivalent to <option>--script=safe,intrusive</option></para> equivalent to <option>--script=default</option>. Some of the
scripts in this category are considered intrusive and should
not be run against a target network without permission. </para>
</listitem> </listitem>
</varlistentry> </varlistentry>
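Review bot: the new `-sC` text carries a stray space before the closing tag ("without permission. </para>"); drop it. The same two sentences are pasted verbatim into the second file's `-sC` entry further down, so any later wording change has to be made twice; keeping the warning in one place (the category description) and having the option entry refer to it would avoid the drift.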
@@ -3393,10 +3395,12 @@ overwhelming requests. Specify <option>--open</option> to only see
traceroute (<option>--traceroute</option>). More features may be traceroute (<option>--traceroute</option>). More features may be
added in the future. The point is to enable a added in the future. The point is to enable a
comprehensive set of scan options without people having comprehensive set of scan options without people having
to remember a large set of flags. This option only to remember a large set of flags. However, because script
enables features, and not timing options (such as <option>-T4</option>) or scanning with the default set is considered intrusive, you
verbosity options (<option>-v</option>) that you might want as should not use <option>-A</option> against target networks
well.</para> without permission. This option only enables features, and
not timing options (such as <option>-T4</option>) or verbosity
options (<option>-v</option>) that you might want as well.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
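Review bot: the inserted sentence says "script scanning with the default set is considered intrusive", while the `-sC` entry above says only that "some of the scripts in this category are considered intrusive"; the two entries should make the same risk statement. The insertion also separates "This option only enables features, and not timing options ..." from the feature list it qualifies; placing the permission warning after that sentence, at the end of the paragraph, keeps the original flow intact.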

View File

@@ -182,11 +182,10 @@ Nmap finished: 1 IP address (1 host up) scanned in 0.907 seconds
<para>NSE scripts define a list of categories they belong to. <para>NSE scripts define a list of categories they belong to.
Currently defined categories are <literal>safe</literal>, Currently defined categories are <literal>safe</literal>,
<literal>intrusive</literal>, <literal>malware</literal>, <literal>intrusive</literal>, <literal>malware</literal>,
<literal>version</literal>, <literal>discovery</literal> and <literal>version</literal>, <literal>discovery</literal>,
<literal>vulnerability</literal>. By default, Nmap runs all <literal>vulnerability</literal> and <literal>default</literal>.
scripts in either the <literal>safe</literal> or Categories are not case sensitive. The following list
<literal>intrusive</literal> categories. Categories are not describes each category.</para>
case sensitive. The following list describes each category.</para>
<variablelist> <variablelist>
<varlistentry> <varlistentry>
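Review bot: the category list still omits categories that scripts touched by this very commit declare: "backdoor" (RealVNC_auth_bypass.nse) and "demo" (showHTMLTitle.nse) both appear in script.db below, and one script.db entry has an empty category string (showHTTPVersion.nse). Either document those categories or state which names `--script` recognises. The deleted sentence "By default, Nmap runs all scripts in either the safe or intrusive categories" also has no replacement here; a one-liner such as "With `-sC`, Nmap runs the scripts in the `default` category" would keep that information at the top of the section rather than only in the last list entry.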
@@ -264,6 +263,21 @@ Nmap finished: 1 IP address (1 host up) scanned in 0.907 seconds
<para>These scripts check for a specific vulnerability and report results only if it is found.</para> <para>These scripts check for a specific vulnerability and report results only if it is found.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term>
<option>default</option>
</term>
<listitem>
<para>These scripts are the default set and are run when
using <option>-sC</option>. This category can also be
specified like any other with <option>--script</option>.
Don't be fooled into thinking that just because these scripts
are run by default that they are all completely unobtrusive:
these scripts should not be run against target networks without
permission.</para>
</listitem>
</varlistentry>
</variablelist> </variablelist>
</sect2> </sect2>
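Review bot: the new entry says what `default` is used for but not how a script gets into it; since membership is simply the script listing "default" in its `categories` table (as every script hunk in this commit shows), say so, otherwise readers may assume Nmap derives the set from the other categories. "Don't be fooled into thinking that just because these scripts are run by default that they are all completely unobtrusive" is informal for reference documentation and has a doubled "that"; "Not all of these scripts are unobtrusive: they should not be run against target networks without permission." says the same thing.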
@@ -316,9 +330,10 @@ $ nmap -sC --script-args user=foo,pass=bar,anonFTP={pass=ftp@foobar.com}
</indexterm> </indexterm>
</term> </term>
<listitem> <listitem>
<para>Performs a script scan using the default set of scripts. It is <para>Performs a script scan using the default set of scripts. It is
equivalent to equivalent to <option>--script=default</option>. Some of the
<option>--script=safe,intrusive</option>.</para> scripts in this category are considered intrusive and should
not be run against a target network without permission. </para>
</listitem> </listitem>
</varlistentry> </varlistentry>
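Review bot: same stray space before the closing tag as in the other `-sC` entry ("without permission. </para>"); remove it here as well so both entries stay identical until one of them is made to reference the category description instead.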
@@ -3297,7 +3312,7 @@ also get stored inside the <literal>registry</literal>.</para>
<para> <para>
The next phase of NSE initialization is loading the chosen The next phase of NSE initialization is loading the chosen
scripts, which are the arguments provided to the scripts, which are the arguments provided to the
<option>--script</option> option or <literal>safe,intrusive</literal>, in <option>--script</option> option or <literal>default</literal>, in
case of a default script scan. The string <literal>version</literal> case of a default script scan. The string <literal>version</literal>
is appended, if version detection was enabled. is appended, if version detection was enabled.
The arguments afterwards are tried to be The arguments afterwards are tried to be
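Review bot: "or default, in case of a default script scan" now reads oddly because the category and the scan type share a name; "or the `default` category when `-sC` is given without `--script`" is clearer and matches the `nse_init.cc` condition (`o.script == 1 && chosenScripts.size() == 0`) that only substitutes the default when no scripts were listed. The unchanged context line "The arguments afterwards are tried to be" is ungrammatical and could be reworded while this paragraph is being edited.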

View File

@@ -256,7 +256,7 @@ printf("%s %s ( %s )\n"
" --version-trace: Show detailed version scan activity (for debugging)\n" " --version-trace: Show detailed version scan activity (for debugging)\n"
#ifndef NOLUA #ifndef NOLUA
"SCRIPT SCAN:\n" "SCRIPT SCAN:\n"
" -sC: equivalent to --script=safe,intrusive\n" " -sC: equivalent to --script=default\n"
" --script=<Lua scripts>: <Lua scripts> is a comma separated list of \n" " --script=<Lua scripts>: <Lua scripts> is a comma separated list of \n"
" directories, script-files or script-categories\n" " directories, script-files or script-categories\n"
" --script-args=<n1=v1,[n2=v2,...]>: provide arguments to scripts\n" " --script-args=<n1=v1,[n2=v2,...]>: provide arguments to scripts\n"

View File

@@ -310,9 +310,7 @@ int init_pick_default_categories(std::vector<std::string>& chosenScripts) {
if( (o.script == 1 if( (o.script == 1
&& chosenScripts.size() == 0) ) && chosenScripts.size() == 0) )
{ {
chosenScripts.push_back(std::string("safe")); chosenScripts.push_back(std::string("default"));
chosenScripts.push_back(std::string("intrusive"));
// chosenScripts.push_back(std::string("vulnerabilities"));
} }
// we append the implicitely selected categories // we append the implicitely selected categories
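Review bot: with a single `push_back` left, `if( (o.script == 1 && chosenScripts.size() == 0) )` carries a redundant pair of parentheses; `if (o.script == 1 && chosenScripts.empty())` is enough. More importantly, this condition means that `-sC` together with an explicit `--script=...` silently drops the default set, and none of the documentation hunks mention it; either document that `--script` overrides `-sC` or append "default" in that case too. Dropping the commented-out "vulnerabilities" line is good, since that name never matched the documented "vulnerability" category; the typo "implicitely" in the context comment could go at the same time.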

View File

@@ -11,7 +11,7 @@ license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
-- uncomment the following line to enable safe category -- uncomment the following line to enable safe category
-- categories = {"safe"} -- categories = {"safe"}
categories = {"intrusive"} categories = {"default", "intrusive"}
require "shortport" require "shortport"
require "http" require "http"
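Review bot: the comment "uncomment the following line to enable safe category" and the commented-out `categories = {"safe"}` are now stale: uncommenting it would drop "default" and silently remove the script from `-sC`. Either update the alternative to `{"default", "safe"}` or, better, delete the commented-out declaration so the script ships with exactly one `categories` table.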

View File

@@ -7,7 +7,7 @@
id="Open Proxy Test" id="Open Proxy Test"
description="Test if a discovered proxy is open to us by connecting to www.google.com and checking for the 'Server: GWS/' header response." description="Test if a discovered proxy is open to us by connecting to www.google.com and checking for the 'Server: GWS/' header response."
categories = {"intrusive"} categories = {"default", "intrusive"}
-- I found a nice explode() function in lua-users' wiki. I had to fix it, though. -- I found a nice explode() function in lua-users' wiki. I had to fix it, though.
-- http://lua-users.org/wiki/LuaRecipes -- http://lua-users.org/wiki/LuaRecipes
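Review bot: by its own description this script makes the scanned proxy fetch www.google.com and looks for a `Server: GWS/` header, so adding it to "default" means every `-sC` and `-A` run causes the target to generate traffic to a third party. That is worth stating in the `default` category documentation, and the verdict depends on Google keeping that exact header value; a change there would make every proxy look closed, so the check should be tolerant or the expected value made configurable.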

View File

@@ -9,7 +9,7 @@ author = "Thomas Buchanan <tbuchanan@thecompassgrp.net>"
license = "Same as Nmap--See http://nmap.org/book/man-legal.html" license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
categories = {"discovery", "intrusive"} categories = {"default", "discovery", "intrusive"}
require('stdnse') require('stdnse')
require "shortport" require "shortport"

View File

@@ -15,7 +15,7 @@ author = "Kris Katterjohn <katterjohn@gmail.com>"
license = "Same as Nmap--See http://nmap.org/book/man-legal.html" license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
categories = { "discovery", "safe" } categories = { "default", "discovery", "safe" }
require 'bit' require 'bit'

View File

@@ -3,7 +3,7 @@ description="Checks to see if the VNC Server is vulnerable to the RealVNC authen
author = "Brandon Enright <bmenrigh@ucsd.edu>" author = "Brandon Enright <bmenrigh@ucsd.edu>"
license = "Same as Nmap--See http://nmap.org/book/man-legal.html" license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
categories = {"backdoor"} categories = {"default", "backdoor"}
require "shortport" require "shortport"
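Review bot: a script that tests for an authentication bypass enters the default set with `{"default", "backdoor"}` only: it is in neither "intrusive" nor "vulnerability", so `--script=vulnerability` will skip it while `-sC` runs it, and "backdoor" is not among the categories listed in the documentation hunks of this commit. Add "vulnerability" (and "intrusive", given that it exercises the bypass) so that category filters describe what the script actually does.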

View File

@@ -31,7 +31,7 @@ id = "SMTPcommands"
description = "Attempts to use EHLO and HELP to gather the Extended commands an SMTP server supports." description = "Attempts to use EHLO and HELP to gather the Extended commands an SMTP server supports."
author = "Jason DePriest <jrdepriest@gmail.com>" author = "Jason DePriest <jrdepriest@gmail.com>"
license = "Same as Nmap--See http://nmap.org/book/man-legal.html" license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
categories = {"discovery", "safe"} categories = {"default", "discovery", "safe"}
require "shortport" require "shortport"
require "stdnse" require "stdnse"

View File

@@ -9,7 +9,7 @@ author = "Thomas Buchanan <tbuchanan@thecompassgrp.net>"
license = "Same as Nmap--See http://nmap.org/book/man-legal.html" license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
categories = {"discovery", "safe"} categories = {"default", "discovery", "safe"}
require "shortport" require "shortport"

View File

@@ -2,7 +2,7 @@ id="SSH Protocol Version 1"
description="Checks to see if SSH server supports SSH Protocol Version 1." description="Checks to see if SSH server supports SSH Protocol Version 1."
author = "Brandon Enright <bmenrigh@ucsd.edu>" author = "Brandon Enright <bmenrigh@ucsd.edu>"
license = "Same as Nmap--See http://nmap.org/book/man-legal.html" license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
categories = {"intrusive"} categories = {"default", "intrusive"}
require "shortport" require "shortport"

View File

@@ -3,7 +3,7 @@ description = "determines whether the server (still) supports SSL-v2, and what c
author = "Matt <mb2263@bristol.ac.uk>" author = "Matt <mb2263@bristol.ac.uk>"
license = "Same as Nmap--See http://nmap.org/book/man-legal.html" license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
categories = {"intrusive"} categories = {"default", "intrusive"}
require "shortport" require "shortport"

View File

@@ -9,7 +9,7 @@ author = "Thomas Buchanan <tbuchanan@thecompassgrp.net>"
license = "Same as Nmap--See http://nmap.org/book/man-legal.html" license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
categories = {"safe"} categories = {"default", "safe"}
require("stdnse") require("stdnse")
require("shortport") require("shortport")

View File

@@ -6,7 +6,7 @@ author = "Eddie Bell <ejlbell@gmail.com>"
license = "Same as Nmap--See http://nmap.org/book/man-legal.html" license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
categories = {"intrusive"} categories = {"default", "intrusive"}
require "shortport" require "shortport"

View File

@@ -6,7 +6,7 @@ author = "Felix Groebert <felix@groebert.org>"
license = "Same as Nmap--See http://nmap.org/book/man-legal.html" license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
categories = {"intrusive"} categories = {"default", "intrusive"}
require "bit" require "bit"
require "shortport" require "shortport"

View File

@@ -6,7 +6,7 @@ author = "Eddie Bell <ejlbell@gmail.com>"
license = "Same as Nmap--See http://nmap.org/book/man-legal.html" license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
categories = {"discovery"} categories = {"default", "discovery"}
require "shortport" require "shortport"

View File

@@ -3,7 +3,7 @@ description="Checks to see if a FTP server allows port scanning using FTP bounce
author="Marek Majkowski <majek04<at>gmail.com>" author="Marek Majkowski <majek04<at>gmail.com>"
license="Same as Nmap--See http://nmap.org/book/man-legal.html" license="Same as Nmap--See http://nmap.org/book/man-legal.html"
categories = {"intrusive"} categories = {"default", "intrusive"}
require "shortport" require "shortport"

View File

@@ -6,7 +6,7 @@ author = "Doug Hoyte"
license = "Same as Nmap--See http://nmap.org/book/man-legal.html" license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
categories = {"discovery"} categories = {"default", "discovery"}
require("stdnse") require("stdnse")
require "shortport" require "shortport"

View File

@@ -9,7 +9,7 @@ license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
-- protocol dissector. I do not believe this constitutes -- protocol dissector. I do not believe this constitutes
-- a derivative work in the GPL sense of the phrase. -- a derivative work in the GPL sense of the phrase.
categories = {"discovery", "safe"} categories = {"default", "discovery", "safe"}
-- I have excluded the port function param because it doesn't make much sense -- I have excluded the port function param because it doesn't make much sense
-- for a hostrule. It works without warning. The NSE documentation is -- for a hostrule. It works without warning. The NSE documentation is

View File

@@ -7,7 +7,7 @@ id = "robots.txt"
author = "Eddie Bell <ejlbell@gmail.com>" author = "Eddie Bell <ejlbell@gmail.com>"
description = "Download a http servers robots.txt file and display all disallowed entries" description = "Download a http servers robots.txt file and display all disallowed entries"
license = "Same as Nmap--See http://nmap.org/book/man-legal.html" license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
categories = {"safe"} categories = {"default", "safe"}
runlevel = 1.0 runlevel = 1.0
portrule = shortport.port_or_service({80,443}, {"http","https"}) portrule = shortport.port_or_service({80,443}, {"http","https"})

View File

@@ -3,7 +3,7 @@ id = "rpcinfo"
description = "connects to portmapper and prints a list of all registered programs" description = "connects to portmapper and prints a list of all registered programs"
author = "Sven Klemm <sven@c3d2.de>" author = "Sven Klemm <sven@c3d2.de>"
license = "Same as Nmap--See http://nmap.org/book/man-legal.html" license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
categories = {"safe","discovery"} categories = {"default","safe","discovery"}
require "shortport" require "shortport"
require "packet" require "packet"

View File

@@ -1,49 +1,70 @@
Entry{ category = "default", filename = "HTTPAuth.nse" }
Entry{ category = "intrusive", filename = "HTTPAuth.nse" } Entry{ category = "intrusive", filename = "HTTPAuth.nse" }
Entry{ category = "default", filename = "HTTP_open_proxy.nse" }
Entry{ category = "intrusive", filename = "HTTP_open_proxy.nse" } Entry{ category = "intrusive", filename = "HTTP_open_proxy.nse" }
Entry{ category = "intrusive", filename = "HTTPpasswd.nse" } Entry{ category = "intrusive", filename = "HTTPpasswd.nse" }
Entry{ category = "discovery", filename = "HTTPtrace.nse" } Entry{ category = "discovery", filename = "HTTPtrace.nse" }
Entry{ category = "default", filename = "MSSQLm.nse" }
Entry{ category = "discovery", filename = "MSSQLm.nse" } Entry{ category = "discovery", filename = "MSSQLm.nse" }
Entry{ category = "intrusive", filename = "MSSQLm.nse" } Entry{ category = "intrusive", filename = "MSSQLm.nse" }
Entry{ category = "default", filename = "MySQLinfo.nse" }
Entry{ category = "discovery", filename = "MySQLinfo.nse" } Entry{ category = "discovery", filename = "MySQLinfo.nse" }
Entry{ category = "safe", filename = "MySQLinfo.nse" } Entry{ category = "safe", filename = "MySQLinfo.nse" }
Entry{ category = "version", filename = "PPTPversion.nse" } Entry{ category = "version", filename = "PPTPversion.nse" }
Entry{ category = "default", filename = "RealVNC_auth_bypass.nse" }
Entry{ category = "backdoor", filename = "RealVNC_auth_bypass.nse" } Entry{ category = "backdoor", filename = "RealVNC_auth_bypass.nse" }
Entry{ category = "demo", filename = "SMTP_openrelay_test.nse" } Entry{ category = "demo", filename = "SMTP_openrelay_test.nse" }
Entry{ category = "default", filename = "SMTPcommands.nse" }
Entry{ category = "discovery", filename = "SMTPcommands.nse" } Entry{ category = "discovery", filename = "SMTPcommands.nse" }
Entry{ category = "safe", filename = "SMTPcommands.nse" } Entry{ category = "safe", filename = "SMTPcommands.nse" }
Entry{ category = "default", filename = "SNMPsysdesr.nse" }
Entry{ category = "discovery", filename = "SNMPsysdesr.nse" } Entry{ category = "discovery", filename = "SNMPsysdesr.nse" }
Entry{ category = "safe", filename = "SNMPsysdesr.nse" } Entry{ category = "safe", filename = "SNMPsysdesr.nse" }
Entry{ category = "vulnerability", filename = "SQLInject.nse" } Entry{ category = "vulnerability", filename = "SQLInject.nse" }
Entry{ category = "default", filename = "SSHv1-support.nse" }
Entry{ category = "intrusive", filename = "SSHv1-support.nse" } Entry{ category = "intrusive", filename = "SSHv1-support.nse" }
Entry{ category = "default", filename = "SSLv2-support.nse" }
Entry{ category = "intrusive", filename = "SSLv2-support.nse" } Entry{ category = "intrusive", filename = "SSLv2-support.nse" }
Entry{ category = "default", filename = "UPnP-info.nse" }
Entry{ category = "safe", filename = "UPnP-info.nse" } Entry{ category = "safe", filename = "UPnP-info.nse" }
Entry{ category = "default", filename = "anonFTP.nse" }
Entry{ category = "intrusive", filename = "anonFTP.nse" } Entry{ category = "intrusive", filename = "anonFTP.nse" }
Entry{ category = "vulnerability", filename = "bruteTelnet.nse" } Entry{ category = "vulnerability", filename = "bruteTelnet.nse" }
Entry{ category = "demo", filename = "chargenTest.nse" } Entry{ category = "demo", filename = "chargenTest.nse" }
Entry{ category = "demo", filename = "daytimeTest.nse" } Entry{ category = "demo", filename = "daytimeTest.nse" }
Entry{ category = "default", filename = "dns-test-open-recursion.nse" }
Entry{ category = "intrusive", filename = "dns-test-open-recursion.nse" } Entry{ category = "intrusive", filename = "dns-test-open-recursion.nse" }
Entry{ category = "demo", filename = "echoTest.nse" } Entry{ category = "demo", filename = "echoTest.nse" }
Entry{ category = "default", filename = "finger.nse" }
Entry{ category = "discovery", filename = "finger.nse" } Entry{ category = "discovery", filename = "finger.nse" }
Entry{ category = "default", filename = "ftpbounce.nse" }
Entry{ category = "intrusive", filename = "ftpbounce.nse" } Entry{ category = "intrusive", filename = "ftpbounce.nse" }
Entry{ category = "version", filename = "iax2Detect.nse" } Entry{ category = "version", filename = "iax2Detect.nse" }
Entry{ category = "default", filename = "ircServerInfo.nse" }
Entry{ category = "discovery", filename = "ircServerInfo.nse" } Entry{ category = "discovery", filename = "ircServerInfo.nse" }
Entry{ category = "malware", filename = "ircZombieTest.nse" } Entry{ category = "malware", filename = "ircZombieTest.nse" }
Entry{ category = "default", filename = "nbstat.nse" }
Entry{ category = "discovery", filename = "nbstat.nse" } Entry{ category = "discovery", filename = "nbstat.nse" }
Entry{ category = "safe", filename = "nbstat.nse" } Entry{ category = "safe", filename = "nbstat.nse" }
Entry{ category = "version", filename = "netbios-smb-os-discovery.nse" } Entry{ category = "version", filename = "netbios-smb-os-discovery.nse" }
Entry{ category = "discovery", filename = "promiscuous.nse" } Entry{ category = "discovery", filename = "promiscuous.nse" }
Entry{ category = "discovery", filename = "ripeQuery.nse" } Entry{ category = "discovery", filename = "ripeQuery.nse" }
Entry{ category = "default", filename = "robots.nse" }
Entry{ category = "safe", filename = "robots.nse" } Entry{ category = "safe", filename = "robots.nse" }
Entry{ category = "default", filename = "rpcinfo.nse" }
Entry{ category = "safe", filename = "rpcinfo.nse" } Entry{ category = "safe", filename = "rpcinfo.nse" }
Entry{ category = "discovery", filename = "rpcinfo.nse" } Entry{ category = "discovery", filename = "rpcinfo.nse" }
Entry{ category = "default", filename = "showHTMLTitle.nse" }
Entry{ category = "demo", filename = "showHTMLTitle.nse" } Entry{ category = "demo", filename = "showHTMLTitle.nse" }
Entry{ category = "safe", filename = "showHTMLTitle.nse" } Entry{ category = "safe", filename = "showHTMLTitle.nse" }
Entry{ category = "", filename = "showHTTPVersion.nse" } Entry{ category = "", filename = "showHTTPVersion.nse" }
Entry{ category = "default", filename = "showOwner.nse" }
Entry{ category = "safe", filename = "showOwner.nse" } Entry{ category = "safe", filename = "showOwner.nse" }
Entry{ category = "demo", filename = "showSMTPVersion.nse" } Entry{ category = "demo", filename = "showSMTPVersion.nse" }
Entry{ category = "demo", filename = "showSSHVersion.nse" } Entry{ category = "demo", filename = "showSSHVersion.nse" }
Entry{ category = "version", filename = "skype_v2-version.nse" } Entry{ category = "version", filename = "skype_v2-version.nse" }
Entry{ category = "backdoor", filename = "strangeSMTPport.nse" } Entry{ category = "backdoor", filename = "strangeSMTPport.nse" }
Entry{ category = "vulnerability", filename = "xamppDefaultPass.nse" } Entry{ category = "vulnerability", filename = "xamppDefaultPass.nse" }
Entry{ category = "default", filename = "zoneTrans.nse" }
Entry{ category = "intrusive", filename = "zoneTrans.nse" } Entry{ category = "intrusive", filename = "zoneTrans.nse" }
Entry{ category = "discovery", filename = "zoneTrans.nse" } Entry{ category = "discovery", filename = "zoneTrans.nse" }
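Review bot: the entries here mirror each script's `categories` table one-to-one, so this hunk should be the output of regenerating the index from the scripts rather than a hand edit; it is worth checking that the count and ordering match what the generator produces (21 "default" lines, matching the 21 scripts in the commit message). The pre-existing `Entry{ category = "", filename = "showHTTPVersion.nse" }` records a script with no category at all, which no `--script=<category>` can ever select; it could be fixed in the same sweep.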

View File

@@ -9,7 +9,7 @@ author = "Diman Todorov <diman.todorov@gmail.com>"
license = "Same as Nmap--See http://nmap.org/book/man-legal.html" license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
categories = {"demo", "safe"} categories = {"default", "demo", "safe"}
require 'http' require 'http'

View File

@@ -7,7 +7,7 @@ author = "Diman Todorov <diman.todorov@gmail.com>"
license = "Same as Nmap--See http://nmap.org/book/man-legal.html" license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
categories = {"safe"} categories = {"default", "safe"}
portrule = function(host, port) portrule = function(host, port)
local identd, decision local identd, decision

View File

@@ -28,7 +28,7 @@ id = 'zone-transfer'
author = 'Eddie Bell <ejlbell@gmail.com>' author = 'Eddie Bell <ejlbell@gmail.com>'
description = 'Request a zone transfer (AXFR) from a DNS server' description = 'Request a zone transfer (AXFR) from a DNS server'
license = 'Same as Nmap--See http://nmap.org/book/man-legal.html' license = 'Same as Nmap--See http://nmap.org/book/man-legal.html'
categories = {'intrusive', 'discovery'} categories = {'default', 'intrusive', 'discovery'}
runlevel = 1.0 runlevel = 1.0
portrule = shortport.portnumber(53, 'tcp') portrule = shortport.portnumber(53, 'tcp')
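Review bot: `id = 'zone-transfer'` differs from the file name zoneTrans.nse that the commit message and script.db use, so output and selection refer to this script by two different names; pick one. An AXFR request against every TCP/53 listener is also one of the more noticeable actions the default set now takes, and it would make a concrete example for the "not all of these are unobtrusive" warning in the `default` category docs.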