== GSoC 2011 TASKS: o Work on my GSoC vulnerability and exploitation script ideas: https://secwiki.org/w/Nmap/Script_Ideas#Djalal_Harouni o Review all the "Improve NSE HTTP architecture" proposal suggetions and comments, and try to include them and update the proposal. http://seclists.org/nmap-dev/2011/q2/967 o Start a thread on Nmap-dev about users favorite Nmap and NSE commands, and create a special page for it in the secwiki.org site. This will also let us to create more scan profiles for Zenmap. == 1) Nmap Scripting Engine Infrastructure: o NSE Version Numbering. http://seclists.org/nmap-dev/2010/q4/693 [Other tasks] o Propose a better duplicate scanned IPs filtering engine. 2) NSE Scripts: [Priorities tasks] o NFS/RPC features: - add NFS READLINK support to let nfs-ls show symbolic files. o Review NSE scripts and libs, and fixing bugs: - Document all the new NFS procedures. [Other tasks] o NFS/RPC features: - Add more authentication support: Unix authentication. - NFSv4 support. - Add recursion support to nfs-ls.nse == MAYBE: o Create a new rule "versionrule" which will be used by version category scripts. http://seclists.org/nmap-dev/2010/q3/551 o NSE debugger. o Add more NSE control for long running scripts: one option will be a boolean expression filter (like: tcpdump) which will change NSE scripts arguments or behaviour according to previous results, this will be really useful for big networks. Another option will be a generic NSE (Lua) script with an easy and readable code that includes expressions or filters selection to let us change NSE arguments according to previous results. Note: this option will be useful on big networks. however for the moment this is a simple idea and it needs further discussion on the nmap-dev. o Privileges dropping for NSE scripts [nmap TODO list]. o NSE security review [nmap TODO list]. o Fixing bugs. - NSE not honoring the source port flag when doing version scan. http://seclists.org/nmap-dev/2010/q2/576 David said that it will not be easy to support setting the source port http://seclists.org/nmap-dev/2010/q3/331 == DONE: 1) Nmap Scripting Engine Infrastructure: o Submitted the "Improve NSE HTTP architecture" proposal http://seclists.org/nmap-dev/2011/q2/967 o Make NSE scripts able to retrieve the interface network information. o LuaFileSystem directory iterator [1] port. [1] http://keplerproject.github.com/luafilesystem/ o New class of scripts which use two new script rules: - Script Pre-scanning and Script Post-scanning rules: "prerule" and "postrule". Documented these new phases. - Update scripts to use these new rules: dns-zone-transfer now uses "prerule" and "portrule". o Update other parts of Nmap book to show the new Script scan phases. o Fixing bugs: - NSE not honoring the Exclude directive bug fixed and committed as r18467. o Let NSE "prerule", "portrule" and "hostrule" scripts to add new discoverd targets to Nmap. o Update scripting.xml to show the new script scan phases. 2) NSE Scripts: o smtp-vuln-cve2011-1764 script to check Exim DKIM Format String vulnerability (CVE-2011-1764). o Updated and Improved ftp-vsftpd-backdoor to detect the vsFTPd backdoor (CVE-2011-2523). o ftp-vuln-cve2010-4221.nse script to check the ProFTPD Telnet IAC stack overflow (CVE-2010-4221). o smtp-vuln-cve2010-4344 script to check and exploit Exim SMTP Server: heap overflow (CVE-2010-4344) and privileges escalation (CVE-2010-4345) o SMTP library. o Rewritten SMTP scripts to use the smtp library: - smtp-commands - smtp-open-relay - smtp-enum-users o smtp-vuln-cve2011-1720 script to check for CVE-2011-1720 o broadcast-avahi-dos script to check for CVE-2011-1002 o NFS/RPC features: - New script: nfs-ls which combines nfs-dirlist and nfs-acls and try to emulates some features of the old "ls" unix tool. The script support NFSv2 and NFSv3. - Readapted the RPC and NFS library code with a new re-design with new high level functions. - Added NFS procedures support: NFSv2: LOOKUP NFSv3: FSSTAT, FSINFO, READDIRPLUS, PATHCONF, ACCESS, LOOKUP