NSE now has a "default" category for scripts. This category holds the set

of scripts chosen from when using -sC (but it's still just another category
and so can be chosen with --script like any other).

On top of updating the docs with information about this new category, I've
also updated sections to emphasize that the "default" category, -sC and -A
are considered intrusive and should not be run against target networks
without permission.

The new list is very similar to the previous "safe,intrusive" list:

Added: finger, ircServerInfo, RealVNC_auth_bypass
Removed: HTTPpasswd

Here are the 21 scripts in this new category:

anonFTP
dns-test-open-recursion
finger
ftpbounce
HTTPAuth
HTTP_open_proxy
ircServerInfo
MSSQLm
MySQLinfo
nbstat
RealVNC_auth_bypass
robots
rpcinfo
showHTMLTitle
showOwner
SMTPcommands
SNMPsysdesr
SSHv1-support
SSLv2-support
UPnP-info
zoneTrans

docs/refguide.xml

@@ -1939,8 +1939,10 @@ way.</para>
 
         <listitem>
 
-          <para>performs a script scan using the default set of scripts. it is 
-		  equivalent to <option>--script=safe,intrusive</option></para>
+          <para>Performs a script scan using the default set of scripts. It is 
+		  equivalent to <option>--script=default</option>. Some of the
+		  scripts in this category are considered intrusive and should
+		  not be run against a target network without permission. </para>
         </listitem>
       </varlistentry>
 
@@ -3393,10 +3395,12 @@ overwhelming requests.  Specify <option>--open</option> to only see
 	  traceroute (<option>--traceroute</option>). More features may be
           added in the future. The point is to enable a
           comprehensive set of scan options without people having
-          to remember a large set of flags. This option only
-          enables features, and not timing options (such as <option>-T4</option>) or
-          verbosity options (<option>-v</option>) that you might want as
-          well.</para>
+          to remember a large set of flags. However, because script
+          scanning with the default set is considered intrusive, you
+          should not use <option>-A</option> against target networks
+          without permission. This option only enables features, and
+          not timing options (such as <option>-T4</option>) or verbosity
+          options (<option>-v</option>) that you might want as well.</para>
         </listitem>
       </varlistentry>
 

docs/scripting.xml

@@ -182,11 +182,10 @@ Nmap finished: 1 IP address (1 host up) scanned in 0.907 seconds
     <para>NSE scripts define a list of categories they belong to.
           Currently defined categories are <literal>safe</literal>,
           <literal>intrusive</literal>, <literal>malware</literal>,
-          <literal>version</literal>, <literal>discovery</literal> and
-          <literal>vulnerability</literal>.  By default, Nmap runs all
-          scripts in either the <literal>safe</literal> or
-          <literal>intrusive</literal> categories.  Categories are not
-          case sensitive.  The following list describes each category.</para>
+          <literal>version</literal>, <literal>discovery</literal>,
+          <literal>vulnerability</literal> and <literal>default</literal>.
+          Categories are not case sensitive.  The following list
+          describes each category.</para>
 
      <variablelist>
         <varlistentry>
@@ -264,6 +263,21 @@ Nmap finished: 1 IP address (1 host up) scanned in 0.907 seconds
             <para>These scripts check for a specific vulnerability and report results only if it is found.</para>
           </listitem>
         </varlistentry>
+
+        <varlistentry>
+          <term>
+            <option>default</option>
+          </term>
+          <listitem>
+            <para>These scripts are the default set and are run when
+            using <option>-sC</option>.  This category can also be
+            specified like any other with <option>--script</option>.
+            Don't be fooled into thinking that just because these scripts
+            are run by default that they are all completely unobtrusive:
+            these scripts should not be run against target networks without
+            permission.</para>
+          </listitem>
+        </varlistentry>
     </variablelist>
 
     </sect2>
@@ -317,8 +331,9 @@ $ nmap -sC --script-args user=foo,pass=bar,anonFTP={pass=ftp@foobar.com}
           </term>
           <listitem>
           <para>Performs a script scan using the default set of scripts. It is 
-              equivalent to
-              <option>--script=safe,intrusive</option>.</para>
+		  equivalent to <option>--script=default</option>. Some of the
+		  scripts in this category are considered intrusive and should
+		  not be run against a target network without permission. </para>
           </listitem>
         </varlistentry>
 
@@ -3297,7 +3312,7 @@ also get stored inside the <literal>registry</literal>.</para>
 		<para>
 		The next phase of NSE initialization is loading the chosen
 		scripts, which are the arguments provided to the 
-		<option>--script</option> option or <literal>safe,intrusive</literal>, in 
+		<option>--script</option> option or <literal>default</literal>, in 
 		case of a default script scan.  The string <literal>version</literal> 
 		is appended, if version detection was enabled.
 		The arguments afterwards are tried to be 

nmap.cc

@@ -256,7 +256,7 @@ printf("%s %s ( %s )\n"
        "  --version-trace: Show detailed version scan activity (for debugging)\n"
 #ifndef NOLUA
        "SCRIPT SCAN:\n"
-       "  -sC: equivalent to --script=safe,intrusive\n"
+       "  -sC: equivalent to --script=default\n"
        "  --script=<Lua scripts>: <Lua scripts> is a comma separated list of \n"
 	   "           directories, script-files or script-categories\n"
 	   "  --script-args=<n1=v1,[n2=v2,...]>: provide arguments to scripts\n"

nse_init.cc

@@ -310,9 +310,7 @@ int init_pick_default_categories(std::vector<std::string>& chosenScripts) {
 	if(	(o.script == 1 
 		 && chosenScripts.size() == 0) )
 	{
-		chosenScripts.push_back(std::string("safe"));
-		chosenScripts.push_back(std::string("intrusive"));
-		// chosenScripts.push_back(std::string("vulnerabilities"));
+		chosenScripts.push_back(std::string("default"));
 	}
 
 	// we append the implicitely selected categories

scripts/HTTPAuth.nse

@@ -11,7 +11,7 @@ license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
 
 -- uncomment the following line to enable safe category
 -- categories = {"safe"}
-categories = {"intrusive"}
+categories = {"default", "intrusive"}
 
 require "shortport"
 require "http"

scripts/HTTP_open_proxy.nse

@@ -7,7 +7,7 @@
 
 id="Open Proxy Test"
 description="Test if a discovered proxy is open to us by connecting to www.google.com and checking for the 'Server: GWS/' header response."
-categories = {"intrusive"}
+categories = {"default", "intrusive"}
 
 -- I found a nice explode() function in lua-users' wiki. I had to fix it, though.
 -- http://lua-users.org/wiki/LuaRecipes

scripts/MSSQLm.nse

@@ -9,7 +9,7 @@ author = "Thomas Buchanan <tbuchanan@thecompassgrp.net>"
 
 license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
 
-categories = {"discovery", "intrusive"}
+categories = {"default", "discovery", "intrusive"}
 
 require('stdnse')
 require "shortport"

scripts/MySQLinfo.nse

@@ -15,7 +15,7 @@ author = "Kris Katterjohn <katterjohn@gmail.com>"
 
 license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
 
-categories = { "discovery", "safe" }
+categories = { "default", "discovery", "safe" }
 
 require 'bit'
 

scripts/RealVNC_auth_bypass.nse

@@ -3,7 +3,7 @@ description="Checks to see if the VNC Server is vulnerable to the RealVNC authen
 author = "Brandon Enright <bmenrigh@ucsd.edu>" 
 license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
 
-categories = {"backdoor"}
+categories = {"default", "backdoor"}
 
 require "shortport"
 

scripts/SMTPcommands.nse

@@ -31,7 +31,7 @@ id = "SMTPcommands"
 description = "Attempts to use EHLO and HELP to gather the Extended commands an SMTP server supports."
 author = "Jason DePriest <jrdepriest@gmail.com>"
 license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
-categories = {"discovery", "safe"}
+categories = {"default", "discovery", "safe"}
 
 require "shortport"
 require "stdnse"

scripts/SNMPsysdesr.nse

@@ -9,7 +9,7 @@ author = "Thomas Buchanan <tbuchanan@thecompassgrp.net>"
 
 license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
 
-categories = {"discovery", "safe"}
+categories = {"default", "discovery", "safe"}
 
 require "shortport"
 

scripts/SSHv1-support.nse

@@ -2,7 +2,7 @@ id="SSH Protocol Version 1"
 description="Checks to see if SSH server supports SSH Protocol Version 1."
 author = "Brandon Enright <bmenrigh@ucsd.edu>"
 license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
-categories = {"intrusive"}
+categories = {"default", "intrusive"}
 
 require "shortport"
 

scripts/SSLv2-support.nse

@@ -3,7 +3,7 @@ description = "determines whether the server (still) supports SSL-v2, and what c
 author = "Matt <mb2263@bristol.ac.uk>"
 license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
 
-categories = {"intrusive"}
+categories = {"default", "intrusive"}
 
 require "shortport"
 

scripts/UPnP-info.nse

@@ -9,7 +9,7 @@ author = "Thomas Buchanan <tbuchanan@thecompassgrp.net>"
 
 license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
 
-categories = {"safe"}
+categories = {"default", "safe"}
 
 require("stdnse")
 require("shortport")

scripts/anonFTP.nse

@@ -6,7 +6,7 @@ author = "Eddie Bell <ejlbell@gmail.com>"
 
 license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
 
-categories = {"intrusive"}
+categories = {"default", "intrusive"}
 
 require "shortport"
 

scripts/dns-test-open-recursion.nse

@@ -6,7 +6,7 @@ author = "Felix Groebert <felix@groebert.org>"
 
 license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
 
-categories = {"intrusive"}
+categories = {"default", "intrusive"}
 
 require "bit"
 require "shortport"

scripts/finger.nse

@@ -6,7 +6,7 @@ author = "Eddie Bell <ejlbell@gmail.com>"
 
 license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
 
-categories = {"discovery"}
+categories = {"default", "discovery"}
 
 require "shortport"
 

scripts/ftpbounce.nse

@@ -3,7 +3,7 @@ description="Checks to see if a FTP server allows port scanning using FTP bounce
 author="Marek Majkowski <majek04<at>gmail.com>"
 license="Same as Nmap--See http://nmap.org/book/man-legal.html"
 
-categories = {"intrusive"}
+categories = {"default", "intrusive"}
 
 require "shortport"
 

scripts/ircServerInfo.nse

@@ -6,7 +6,7 @@ author = "Doug Hoyte"
 
 license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
 
-categories = {"discovery"}
+categories = {"default", "discovery"}
 
 require("stdnse")
 require "shortport"

scripts/nbstat.nse

@@ -9,7 +9,7 @@ license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
 -- protocol dissector.  I do not believe this constitutes
 -- a derivative work in the GPL sense of the phrase.
 
-categories = {"discovery", "safe"}
+categories = {"default", "discovery", "safe"}
 
 -- I have excluded the port function param because it doesn't make much sense
 -- for a hostrule.  It works without warning.  The NSE documentation is

scripts/robots.nse

@@ -7,7 +7,7 @@ id = "robots.txt"
 author = "Eddie Bell <ejlbell@gmail.com>"
 description = "Download a http servers robots.txt file and display all disallowed entries"
 license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
-categories = {"safe"}
+categories = {"default", "safe"}
 runlevel = 1.0
 
 portrule = shortport.port_or_service({80,443}, {"http","https"})

scripts/rpcinfo.nse

@@ -3,7 +3,7 @@ id = "rpcinfo"
 description = "connects to portmapper and prints a list of all registered programs"
 author = "Sven Klemm <sven@c3d2.de>"
 license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
-categories = {"safe","discovery"}
+categories = {"default","safe","discovery"}
 
 require "shortport"
 require "packet"

scripts/script.db

@@ -1,49 +1,70 @@
+Entry{ category = "default", filename = "HTTPAuth.nse" }
 Entry{ category = "intrusive", filename = "HTTPAuth.nse" }
+Entry{ category = "default", filename = "HTTP_open_proxy.nse" }
 Entry{ category = "intrusive", filename = "HTTP_open_proxy.nse" }
 Entry{ category = "intrusive", filename = "HTTPpasswd.nse" }
 Entry{ category = "discovery", filename = "HTTPtrace.nse" }
+Entry{ category = "default", filename = "MSSQLm.nse" }
 Entry{ category = "discovery", filename = "MSSQLm.nse" }
 Entry{ category = "intrusive", filename = "MSSQLm.nse" }
+Entry{ category = "default", filename = "MySQLinfo.nse" }
 Entry{ category = "discovery", filename = "MySQLinfo.nse" }
 Entry{ category = "safe", filename = "MySQLinfo.nse" }
 Entry{ category = "version", filename = "PPTPversion.nse" }
+Entry{ category = "default", filename = "RealVNC_auth_bypass.nse" }
 Entry{ category = "backdoor", filename = "RealVNC_auth_bypass.nse" }
 Entry{ category = "demo", filename = "SMTP_openrelay_test.nse" }
+Entry{ category = "default", filename = "SMTPcommands.nse" }
 Entry{ category = "discovery", filename = "SMTPcommands.nse" }
 Entry{ category = "safe", filename = "SMTPcommands.nse" }
+Entry{ category = "default", filename = "SNMPsysdesr.nse" }
 Entry{ category = "discovery", filename = "SNMPsysdesr.nse" }
 Entry{ category = "safe", filename = "SNMPsysdesr.nse" }
 Entry{ category = "vulnerability", filename = "SQLInject.nse" }
+Entry{ category = "default", filename = "SSHv1-support.nse" }
 Entry{ category = "intrusive", filename = "SSHv1-support.nse" }
+Entry{ category = "default", filename = "SSLv2-support.nse" }
 Entry{ category = "intrusive", filename = "SSLv2-support.nse" }
+Entry{ category = "default", filename = "UPnP-info.nse" }
 Entry{ category = "safe", filename = "UPnP-info.nse" }
+Entry{ category = "default", filename = "anonFTP.nse" }
 Entry{ category = "intrusive", filename = "anonFTP.nse" }
 Entry{ category = "vulnerability", filename = "bruteTelnet.nse" }
 Entry{ category = "demo", filename = "chargenTest.nse" }
 Entry{ category = "demo", filename = "daytimeTest.nse" }
+Entry{ category = "default", filename = "dns-test-open-recursion.nse" }
 Entry{ category = "intrusive", filename = "dns-test-open-recursion.nse" }
 Entry{ category = "demo", filename = "echoTest.nse" }
+Entry{ category = "default", filename = "finger.nse" }
 Entry{ category = "discovery", filename = "finger.nse" }
+Entry{ category = "default", filename = "ftpbounce.nse" }
 Entry{ category = "intrusive", filename = "ftpbounce.nse" }
 Entry{ category = "version", filename = "iax2Detect.nse" }
+Entry{ category = "default", filename = "ircServerInfo.nse" }
 Entry{ category = "discovery", filename = "ircServerInfo.nse" }
 Entry{ category = "malware", filename = "ircZombieTest.nse" }
+Entry{ category = "default", filename = "nbstat.nse" }
 Entry{ category = "discovery", filename = "nbstat.nse" }
 Entry{ category = "safe", filename = "nbstat.nse" }
 Entry{ category = "version", filename = "netbios-smb-os-discovery.nse" }
 Entry{ category = "discovery", filename = "promiscuous.nse" }
 Entry{ category = "discovery", filename = "ripeQuery.nse" }
+Entry{ category = "default", filename = "robots.nse" }
 Entry{ category = "safe", filename = "robots.nse" }
+Entry{ category = "default", filename = "rpcinfo.nse" }
 Entry{ category = "safe", filename = "rpcinfo.nse" }
 Entry{ category = "discovery", filename = "rpcinfo.nse" }
+Entry{ category = "default", filename = "showHTMLTitle.nse" }
 Entry{ category = "demo", filename = "showHTMLTitle.nse" }
 Entry{ category = "safe", filename = "showHTMLTitle.nse" }
 Entry{ category = "", filename = "showHTTPVersion.nse" }
+Entry{ category = "default", filename = "showOwner.nse" }
 Entry{ category = "safe", filename = "showOwner.nse" }
 Entry{ category = "demo", filename = "showSMTPVersion.nse" }
 Entry{ category = "demo", filename = "showSSHVersion.nse" }
 Entry{ category = "version", filename = "skype_v2-version.nse" }
 Entry{ category = "backdoor", filename = "strangeSMTPport.nse" }
 Entry{ category = "vulnerability", filename = "xamppDefaultPass.nse" }
+Entry{ category = "default", filename = "zoneTrans.nse" }
 Entry{ category = "intrusive", filename = "zoneTrans.nse" }
 Entry{ category = "discovery", filename = "zoneTrans.nse" }

scripts/showHTMLTitle.nse

@@ -9,7 +9,7 @@ author = "Diman Todorov <diman.todorov@gmail.com>"
 
 license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
 
-categories = {"demo", "safe"}
+categories = {"default", "demo", "safe"}
 
 require 'http'
 

scripts/showOwner.nse

@@ -7,7 +7,7 @@ author = "Diman Todorov <diman.todorov@gmail.com>"
 
 license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
 
-categories = {"safe"}
+categories = {"default", "safe"}
 
 portrule = function(host, port)
 	local identd, decision

scripts/zoneTrans.nse

@@ -28,7 +28,7 @@ id = 'zone-transfer'
 author = 'Eddie Bell <ejlbell@gmail.com>'
 description = 'Request a zone transfer (AXFR) from a DNS server'
 license = 'Same as Nmap--See http://nmap.org/book/man-legal.html'
-categories = {'intrusive', 'discovery'}
+categories = {'default', 'intrusive', 'discovery'}
 runlevel = 1.0
 
 portrule = shortport.portnumber(53, 'tcp')