Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

NSE script output is not under the right host #2175

Closed
mimi89999 opened this issue Nov 7, 2020 · 6 comments
Closed

NSE script output is not under the right host #2175

mimi89999 opened this issue Nov 7, 2020 · 6 comments
Labels

Comments

@mimi89999
Copy link

Describe the bug
NSE script outputs are not printed directly under the scanned host and port. Instead, they are printed much later making them unusable.

To Reproduce

$ nmap -p 80,443 --script=/dev/shm/hostmap-crtsh.nse --script=http-robots.txt --script-args=newtargets lebihan.pl
Starting Nmap 7.91 ( https://nmap.org ) at 2020-11-07 16:14 CET
Nmap scan report for lebihan.pl (89.72.190.170)
Host is up (0.00086s latency).
rDNS record for 89.72.190.170: 89-72-190-170.dynamic.chello.pl

PORT    STATE SERVICE
80/tcp  open  http
443/tcp open  https
| http-robots.txt: 1 disallowed entry 
|_/

Host script results:
| hostmap-crtsh: 
|   subdomains: 
|     www.lebihan.pl
|     algorytmy.lebihan.pl
|     biboumi.lebihan.pl
|     conference.lebihan.pl
|     mta-sts.lebihan.pl
|     nextcloud.lebihan.pl
|     www.nextcloud.lebihan.pl
|     jmap.lebihan.pl
|     strona-abcdbanku.com.lebihan.pl
|_    proxy.lebihan.pl

Nmap scan report for www.lebihan.pl (89.72.190.170)
Host is up (0.0020s latency).
rDNS record for 89.72.190.170: 89-72-190-170.dynamic.chello.pl

PORT    STATE SERVICE
80/tcp  open  http
443/tcp open  https

Nmap scan report for algorytmy.lebihan.pl (89.72.190.170)
Host is up (0.0017s latency).
rDNS record for 89.72.190.170: 89-72-190-170.dynamic.chello.pl

PORT    STATE SERVICE
80/tcp  open  http
443/tcp open  https

Nmap scan report for biboumi.lebihan.pl (89.72.190.170)
Host is up (0.0017s latency).
rDNS record for 89.72.190.170: 89-72-190-170.dynamic.chello.pl

PORT    STATE SERVICE
80/tcp  open  http
443/tcp open  https

Nmap scan report for conference.lebihan.pl (89.72.190.170)
Host is up (0.0017s latency).
rDNS record for 89.72.190.170: 89-72-190-170.dynamic.chello.pl

PORT    STATE SERVICE
80/tcp  open  http
443/tcp open  https

Nmap scan report for mta-sts.lebihan.pl (89.72.190.170)
Host is up (0.0017s latency).
rDNS record for 89.72.190.170: 89-72-190-170.dynamic.chello.pl

PORT    STATE SERVICE
80/tcp  open  http
443/tcp open  https

Nmap scan report for nextcloud.lebihan.pl (89.72.190.170)
Host is up (0.0018s latency).
rDNS record for 89.72.190.170: 89-72-190-170.dynamic.chello.pl

PORT    STATE SERVICE
80/tcp  open  http
443/tcp open  https

Nmap scan report for www.nextcloud.lebihan.pl (89.72.190.170)
Host is up (0.0018s latency).
rDNS record for 89.72.190.170: 89-72-190-170.dynamic.chello.pl

PORT    STATE SERVICE
80/tcp  open  http
443/tcp open  https

Nmap scan report for jmap.lebihan.pl (89.72.190.170)
Host is up (0.0018s latency).
rDNS record for 89.72.190.170: 89-72-190-170.dynamic.chello.pl

PORT    STATE SERVICE
80/tcp  open  http
443/tcp open  https

Nmap scan report for strona-abcdbanku.com.lebihan.pl (89.72.190.170)
Host is up (0.0019s latency).
rDNS record for 89.72.190.170: 89-72-190-170.dynamic.chello.pl

PORT    STATE SERVICE
80/tcp  open  http
443/tcp open  https

Nmap scan report for proxy.lebihan.pl (89.72.190.170)
Host is up (0.0020s latency).
rDNS record for 89.72.190.170: 89-72-190-170.dynamic.chello.pl

PORT    STATE SERVICE
80/tcp  open  http
443/tcp open  https
| http-robots.txt: 1 disallowed entry 
|_/
| http-robots.txt: 1 disallowed entry 
|_/
| http-robots.txt: 1 disallowed entry 
|_/
| http-robots.txt: 1 disallowed entry 
|_/
| http-robots.txt: 1 disallowed entry 
|_/
| http-robots.txt: 1 disallowed entry 
|_/
| http-robots.txt: 1 disallowed entry 
|_/
| http-robots.txt: 1 disallowed entry 
|_/

Nmap done: 11 IP addresses (11 hosts up) scanned in 26.15 seconds

Expected behavior
NSE script output should be under the correct host and port as achieved by using --max-hostgroup 1 as a workaround.

$ nmap --max-hostgroup 1 -p 80,443 --script=/dev/shm/hostmap-crtsh.nse --script=http-robots.txt --script-args=newtargets lebihan.pl
Starting Nmap 7.91 ( https://nmap.org ) at 2020-11-07 16:15 CET
Nmap scan report for lebihan.pl (89.72.190.170)
Host is up (0.0010s latency).
rDNS record for 89.72.190.170: 89-72-190-170.dynamic.chello.pl

PORT    STATE SERVICE
80/tcp  open  http
443/tcp open  https
| http-robots.txt: 1 disallowed entry 
|_/

Host script results:
| hostmap-crtsh: 
|   subdomains: 
|     www.lebihan.pl
|     algorytmy.lebihan.pl
|     biboumi.lebihan.pl
|     conference.lebihan.pl
|     mta-sts.lebihan.pl
|     nextcloud.lebihan.pl
|     www.nextcloud.lebihan.pl
|     jmap.lebihan.pl
|     strona-abcdbanku.com.lebihan.pl
|_    proxy.lebihan.pl

Nmap scan report for www.lebihan.pl (89.72.190.170)
Host is up (0.0018s latency).
rDNS record for 89.72.190.170: 89-72-190-170.dynamic.chello.pl

PORT    STATE SERVICE
80/tcp  open  http
443/tcp open  https
| http-robots.txt: 1 disallowed entry 
|_/

Nmap scan report for algorytmy.lebihan.pl (89.72.190.170)
Host is up (0.0013s latency).
rDNS record for 89.72.190.170: 89-72-190-170.dynamic.chello.pl

PORT    STATE SERVICE
80/tcp  open  http
443/tcp open  https

Nmap scan report for biboumi.lebihan.pl (89.72.190.170)
Host is up (0.0013s latency).
rDNS record for 89.72.190.170: 89-72-190-170.dynamic.chello.pl

PORT    STATE SERVICE
80/tcp  open  http
443/tcp open  https
| http-robots.txt: 1 disallowed entry 
|_/

Nmap scan report for conference.lebihan.pl (89.72.190.170)
Host is up (0.0013s latency).
rDNS record for 89.72.190.170: 89-72-190-170.dynamic.chello.pl

PORT    STATE SERVICE
80/tcp  open  http
443/tcp open  https
| http-robots.txt: 1 disallowed entry 
|_/

Nmap scan report for mta-sts.lebihan.pl (89.72.190.170)
Host is up (0.0013s latency).
rDNS record for 89.72.190.170: 89-72-190-170.dynamic.chello.pl

PORT    STATE SERVICE
80/tcp  open  http
443/tcp open  https

Nmap scan report for nextcloud.lebihan.pl (89.72.190.170)
Host is up (0.0014s latency).
rDNS record for 89.72.190.170: 89-72-190-170.dynamic.chello.pl

PORT    STATE SERVICE
80/tcp  open  http
443/tcp open  https
| http-robots.txt: 1 disallowed entry 
|_/

Nmap scan report for www.nextcloud.lebihan.pl (89.72.190.170)
Host is up (0.0014s latency).
rDNS record for 89.72.190.170: 89-72-190-170.dynamic.chello.pl

PORT    STATE SERVICE
80/tcp  open  http
443/tcp open  https
| http-robots.txt: 1 disallowed entry 
|_/

Nmap scan report for jmap.lebihan.pl (89.72.190.170)
Host is up (0.0014s latency).
rDNS record for 89.72.190.170: 89-72-190-170.dynamic.chello.pl

PORT    STATE SERVICE
80/tcp  open  http
443/tcp open  https
| http-robots.txt: 1 disallowed entry 
|_/

Nmap scan report for strona-abcdbanku.com.lebihan.pl (89.72.190.170)
Host is up (0.0016s latency).
rDNS record for 89.72.190.170: 89-72-190-170.dynamic.chello.pl

PORT    STATE SERVICE
80/tcp  open  http
443/tcp open  https
| http-robots.txt: 1 disallowed entry 
|_/

Nmap scan report for proxy.lebihan.pl (89.72.190.170)
Host is up (0.0015s latency).
rDNS record for 89.72.190.170: 89-72-190-170.dynamic.chello.pl

PORT    STATE SERVICE
80/tcp  open  http
443/tcp open  https
| http-robots.txt: 1 disallowed entry 
|_/

Nmap done: 11 IP addresses (11 hosts up) scanned in 30.62 seconds

Version info (please complete the following information):

  • OS: Debian testing (bullseye) kernel 5.9.0-1-amd64
  • Output of nmap --version:
Nmap version 7.91 ( https://nmap.org )
Platform: x86_64-pc-linux-gnu
Compiled with: liblua-5.3.3 openssl-1.1.1h libssh2-1.8.0 libz-1.2.11 libpcre-8.39 libpcap-1.9.1 nmap-libdnet-1.12 ipv6
Compiled without:
Available nsock engines: epoll poll select

Note: /dev/shm/hostmap-crtsh.nse is the file from #2174

  • Output of nmap --iflist

Additional context
Add any other context about the problem here, such as special network type.

@mimi89999 mimi89999 added the Nmap label Nov 7, 2020
@mimi89999
Copy link
Author

This issue occurs also when passing a domain list: nmap -p 80,443 --script=http-robots.txt lebihan.pl www.lebihan.pl algorytmy.lebihan.pl biboumi.lebihan.pl conference.lebihan.pl mta-sts.lebihan.pl nextcloud.lebihan.pl www.nextcloud.lebihan.pl jmap.lebihan.pl proxy.lebihan.pl

@krzys-h
Copy link

krzys-h commented Nov 7, 2020

It seems to specifically break when you have multiple domain names on the target list with the same IP, likely due to this caveat in nseU_gettarget:

  /* IP is preferred to targetname because it is more unique. Really, though, a
   * user can scan the same IP or targetname multiple times, and NSE will get
   * all mixed up. */

mimi89999 added a commit to mimi89999/nmap that referenced this issue Nov 8, 2020
@mimi89999
Copy link
Author

#2177 should fix this. I hope that it didn't introduce any regressions.

@dmiller-nmap
Copy link

Thanks for reporting this. I think it might have been brought up before, but this time we're fixing it! The upcoming fix will store a pointer to the actual Target object in the host table, instead of looking it up by IP or target hostname. This will guarantee the script output gets put under the correct target, and may fix one or two unusual quirks under similar circumstances with things like nmap.get_ports().

@mimi89999
Copy link
Author

Thanks for fixing this!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

No branches or pull requests

4 participants
@krzys-h @mimi89999 @dmiller-nmap and others