
BSidesSLC 2017 -- Jason Wood -- Get Started Writing Nmap Scripts

BSides SLC | 59:21 | 259 views | Published 2017-06
About this talk
Nmap is a core tool for security professionals. Lots of us know how to run basic Nmap scans, but we barely scratch the surface of what Nmap can do. The Nmap Scripting Engine gives us a huge amount of flexibility and power to create custom security checks. So let's take a look and learn the basics of NSE scripting. The presentation will cover:
- Intro to the Nmap scripting engine
- A look at the Lua scripting language
- Core components of an NSE script
- Write your Hello World NSE script
- Create a functional, basic NSE script
- Further resources

Participants who want the most out of the presentation will want a laptop running Nmap and a text editor to follow along.

[Music] So I want to thank Chris for his presentation, because it leads right into mine. I know it's something that the BSides group was kind of jazzed about: stacking the two together, having, you know, an intro to Nmap and then following up with writing Nmap scripts. Sean made the comment to me last night that, you know, the typical Nmap talk, and I've done this a couple of times myself, is: hey, Nmap has a scripting engine, it's great, it's fabulous, it's flexible, we don't have time to talk about one, we've blown. So I decided to try and address that a little bit. All right, my name is Jason Wood. I am the owner and founder of Paladin Security. I do penetration

testing and security consulting, and I'm working on training right now. I actually am also a red team member at a very large bank that allows me to do my own thing with the condition that I never mention their name. So they're really pretty strict on what their employees are allowed to do, so I respect that, so that I can keep doing what I would like. And I work as a CyberPatriot mentor. If you have heard me talk before, I usually bring this up every time. CyberPatriot is an Air Force Association sponsored program to teach middle school and high school kids, and they're even now pushing it down to elementary school, computer security. They get

basically a busted VM with backdoors on it or badly configured security. It's got score bots on it, and they form up in teams and they compete nationally against each other. I think it's a great program, just as a way of, well, a couple of things. I mean, one, you get kind of excited working with these kids, because they get excited and you feed off of that; and two, it's just a nice way to give back, I think, and teach some of the upcoming folks moving into our community. Any scripts that I mention in this talk that I've done, and there's not a ton, are going to be up on my GitHub account, as well as the slides, so if you want to

pull those down, you're welcome to it. I just did a sync of the slides this morning, so they're up to date. So, the Nmap Scripting Engine. Like Chris said, Nmap started out as a port scanner; that's what it did. And they ran into some issues, though: they wanted to do some more flexible testing and they couldn't do it. They couldn't share information between different network checks and stuff like that very well, and this was a problem that they wanted to address. And they didn't want to get into the situation where they were the sole source or place where somebody could come up with a check of some sort, which, if they

had, you know, not done the scripting engine, all the stuff would be coded in C or C++. And I don't know about you all; I've done a little bit of C, but don't trust me to do, you know, anything of any importance, whereas the scripting languages are within my grasp. So it provided them that flexibility, and it allowed them to put that capability out into everybody's hands. They don't have to write all of the checks; they can just have people submit them and then add them to the project repository. Like Chris said, the scripting engine runs using the Lua scripting language, and there's actually a talk, we've got Fyodor and another gentleman who

works on Nmap, who also works in the Nmap project; they were talking about some of the reasons why they decided to go down the route of using Lua. One, they didn't want to run into a situation where, because they were coding this stuff in C or C++, they were going to start dealing with buffer overflows or whatnot. They didn't want to introduce security vulnerabilities into the application. And two, they looked at it and it's like, okay, well, that means we want a scripting language: do we roll our own scripting language, or do we use something that already exists? And so they looked around at a few different languages. They wanted something that was

going to be pretty easy to embed into the application, and that was fairly mature and well documented, and so they selected Lua for that. And so it's been around for quite a while, I believe since 1993. And as it sits right now, as of yesterday, I believe, when I checked, there are 558 scripts available. When they originally, you know, you go back a few years, there were a hundred and fifty or so, so it's starting to grow a little bit faster. It definitely has the ability, because of the flexibility built into this, to almost be like a vulnerability scanner, something like a command-line Nessus. But, you know, there are some differences there, right? Nessus is

written by a company that puts a lot of money into paying people to write plug-ins to look for issues. Nmap was primarily devoted towards network scanning, and they certainly don't have that type of organization set up to pay people to write checks, so it doesn't have anything close to that level of features. But that doesn't mean that we can't add specific things that we want to look for. So why are we going to write an NSE script? What's our benefit? Well, one of the first things that got me thinking about this a little bit, because what I would typically do is, I used Nmap all the time, I'd crack the thing open, you know,

crack open some of the scripts to see, okay, what does this script do? Does it apply to a penetration test I'm working on? Or, geez, this just sounds interesting, what are they doing here? But what got me interested in this more was, in doing penetration tests, part of what we do is we provide the results back to our clients and say, hey, here are the problems we found, here's how you can confirm that this is in your environment, and then you can use this to check and see, once you fix things, whether or not things have been applied correctly. I thought, wouldn't it be neat to be able to provide at least some of those checks, that testing mechanism, in

something like an NSE script to a client? Just say, hey, here's how you run the command, run it with the scripts, aim it at this asset or assets, and there you go, you can validate it inside your environment. So that was what got me interested in this. If you work inside of a company as a security engineer, so you're not out hitting different companies or clients like I do, one of the things I had thought of as a security engineer was similar to that. When I was working full time at a place, it was: I sure would like to get some security testing into my developers' hands or QA group's hands. So wouldn't it be nice if I came up with, hey, we've got

this flaw in this application. QA is primarily responsible for determining whether or not a flaw has been fixed; it's going to be nice to give them a script that would handle this. And so, okay, there's another use case for using NSE. Now, I could do that in Python or Ruby or what have you, but, you know, here's a framework ready to go. And there are others that you can come up with. Obviously, you've found some kind of issue, let's say you're doing some security research, and you want to release checks for that out to the public. You could write up an NSE script about what you found, how to detect it, and then

send it over to the Nmap project; they accept it, it gets put into the repository, and now folks can scan for that across their environment. So, like, one of the things you see inside the list of scripts is Shellshock, and when that came out everybody was scanning everything, looking to see where they could find that, because it was turning up in all kinds of odd and unusual places. So that's a little bit about NSE and the background on it. But before we start looking at writing any type of script, let's take a look at the Lua scripting language itself. I saw a couple of hands when Chris asked who had developed scripts for World of Warcraft. Has anybody written any scripts

in Lua previously? That's, yeah, a couple of people, it's just a few folks. Okay, so you're going to look at this and go, well, duh, because this is going to be really simple syntax, you know, common stuff that we're going to use. But we're going to go talk about that real quick, get a feel for what the syntax looks like. Like I said, Lua was first released in '93. It's a very lightweight scripting language; you just embed it into other applications, they built it that way, and it's really well documented. Wireshark uses it as part of their project, and it's pretty big in the video game realm as well. So let's just start

off with some basics. You know, for writing code we need to write comments: what the heck were you thinking when you were trying to do this, right? The way of doing a comment is just two dashes in front of it, and then whatever comes afterwards you can put down there; it's no big deal. There's a little bit of a convention for multi-line comments, so you'll see three dashes, and then two dashes for everything else, and then they wrap up with three dashes to kind of signify "and I'm done". Not a big deal, but, you know, I tend to default to the pound sign, and that's not the case here. Assignment is

really simple: z equals some value, right? You're not declaring that, oh, this is going to be a string or this is going to be an integer or anything like that. One thing that I thought was kind of interesting in assignment is I can declare three variables and then give them two values. And the way that works out, if I was to, you know, do a comma b comma c equals zero comma one, and then I print a comma b comma c, the first value on the right gets assigned to the first variable on the left, the second one gets assigned to the second variable on the left, and the third variable just gets given a

nil. You know, you declared that this variable exists, you can use it later, but it doesn't have anything in it. So you can do this kind of multi-line declaration, which, when I first saw this, and it's in some examples, I was really like, wait, what the heck is going on here? This doesn't match. We've got the concept of global variables as well as local variables, and I've got a little bit of a typo here, but global variables are just that: declare it once and you can use it anywhere, right? Just like with any programming language, though, we want to be careful where we use global variables. There are some places where that makes sense, but for the most

part we want to use local variables. Local variables are good, scoped to the block of code that they're defined in. So if I write a function and I declare a local variable inside of that function, it's good inside of that function; it's not good outside of that function at all. So if I declared foobar inside of a function, I can't call it once I've exited it and I'm in some other bit of code.

Now, if you're looking at this code, if you've done any scripting this should be fairly readable, right? It's not like Python, which gets really strict about your whitespace, but it's not like C or Java, where you have to terminate every line with a semicolon. So in this case we're just declaring a function, you know, called attack some host. Because this is for an Nmap check, we've got to give it the host and the port this applies to, and then we declare some variable in here, which I've generically just called an attack. We do some stuff, and then when we're done with the function we do a return to send back the data to

whatever called this thing, and then we just use end to mark the end of our function. So that's pretty straightforward; no curly brackets or anything like that to wrap around our functions. All right, tables. This is something that I'm still struggling with, I'll be honest with you. Writing this, coming up with this talk, was driven off of my interest in learning how to write NSE scripts. So one of the things I'm still grappling with is that, inside of Lua, every type of data structure is a table. Well, I want an array. That's fine, you can declare an array just like this: a equals curly brackets, right? And then you

populate it, but that array is inside of a table. Well, I want to do linked lists like I can do in C or C++. That's fine, it's inside of a table. So this is something that takes some getting used to; I'm still getting used to it. Matrices, multi-dimensional arrays, and several others that I'm not remembering off the top of my head. But that's something you're going to want to focus on and look at the documentation on. To be honest with you, a lot of times what I'll do is I'll crack open other NSE scripts to see how they did it, you know, try and find something kind of similar and use what they're demonstrating.

Okay, if, you know, if-then statements: if some condition, then go do something else, and we wrap it up with an end. Then, if we are doing multiple conditions, we've got if something or other, then do this; elseif this other thing, do something entirely different; and then, you know, we've got our default case here: we didn't match anything, so we're going to just toss it there. So it's pretty easy to work your way through there. For loops are the same kind of thing. Now, this is kind of an interesting for loop; I want to point something out here. We're going to do a for loop over pairs of this response cookies. So we've got, we've

done an HTTP request, we've gotten a response back, we're extracting the cookies out of it. We may have more than one cookie, we probably have more than one cookie, and we want to print out what that value is. This data, when you run it in pairs, is going to come out with an index and then the value. Well, I don't care about the index, I'm not going to use that. The answer to that is fine, just use an underscore. So underscore comma cookies, which basically kind of tosses it out into the trash over here. Yes, we've syntactically made the correct call, but I don't care about the indexes, just give me my data, which is not something I

have really run into much before, so that caught my attention. You can go ahead into the other process of saying, hey, you know, for this condition that is true, you know, some value is less than ten or whatever it is, loop until, you know, it's no longer less than ten. In this case, though, I just want to use one of their built-in functions here, pairs. While loops are pretty much the same thing. We declare our iterator variable; while a has some element at i, do whatever. In this case we're just going to print out that element inside of the array, and then

we'll increment the iterator variable, and then when we're done we just mark it with an end. I don't know, that's a good question. I didn't look at that. I ran into it once, I thought about it, and I didn't really look it up and follow up. That's a good question. So, yeah, I'm second. And by the way, if you guys do have any questions throughout this, please feel free to fire away in the middle of it; it doesn't bother me in the slightest. Okay, so that's just some basic Lua syntax. My goal in covering that quickly was just so that as we're going through things you can kind of, you know, have a foundation

on what you're looking at.

Okay, every NSE script has three components to it: you've got the head, the rule, and then the action. And I've done this useless-looking example up here that actually doesn't work, because I'm not doing anything. But we start off with the head. This is where we're going to do our imports: we want to import this particular library. We want to give our description of it: what is it that this NSE script is trying to accomplish? That's actually picked up by the NSEDoc engine and used for documentation. We're going to take a look at categories here in a moment, but one of the things that Nmap does is it has a concept of

categories, and it can be more than one. I could have, this is safe and default. There you go, safe and the default category. And what that tells Nmap is, hey, we've just enabled all of the scripts and this script happens to apply, and it's safe, so we're not going to crash anything, so awesome, go ahead and run it. If it's intrusive or a denial of service or a brute force or something like that, Nmap is not going to run that automatically, because the last thing they want to do is have somebody turn this thing loose on their environment and then crash their web farm or whatever

all at once. You know, it would make for a pretty miserable day. Then we get into the rule. The rule is basically what condition are we matching so that we're going to actually do the action. So a quick, easy way of doing this is they've got a library called shortport. Instead of notating, and I've got an example later, that the port is 110, let's say, for POP3, and the port is open, and then we've got some other value, you know, characteristic that we're looking at, in this case we can just simply declare it: hey, we've got a well-known protocol, in this case HTTP, shortport.http. If that's true, the port rule matches, and we move on to the

action. If there wasn't a web server on this thing, it wasn't on port 80, it didn't match HTTP or what have you, or any other common web ports, then it's going to just ignore the rest of the actions; it doesn't apply. And then finally we get into the action, and we send the host and the port number that we're interested in, potentially some more information, and we go do stuff and then return that result back to Nmap to give us the output. All right, here are all of the different categories at this point. You can see the dangerous ones up here, right: brute, brute force, denial of service, exploit, intrusive. Malware usually refers to checking for the presence of malware on

a system, so it's not infecting it with malware; it's a safe script, we're checking for a vulnerability, what have you. Fuzzer: so we're going to throw a bunch of crap at this thing to see how it responds, right? You just want to make sure as you're writing your scripts to put the category in there. That's one of the requirements, we've got to have that, and make sure it's appropriate to what it is you're doing. If you're doing something that's testing for SQL injection on a web form in this application, I would put that as intrusive, right? This is not necessarily a safe script; we could have bad things happen, potentially. But all

I'm doing is a banner grab, well, that's safe enough. Okay, the other thing that we have to remember is Nmap is a port scanner, so everything it does goes back to a port. So in this case, or the previous example here with shortport.http, it's going to be port 80 or 443 or 8080, something like that, right? It's found a web server, it's found an open port, it's associated with that service, and therefore the checks that we're going to do are actually going to apply to this thing, and then we'll go ahead and run them. And this is a quick script, actually, that I had written, which we'll take a look at here in a bit, that all it does is

grab the cookie value. It hits a web page and says, hey, what cookies got sent to me, and grabs those. Now why did I want to do that? Honestly, I just wanted to be able to get the cookies so that I could then do an authentication attempt and use those cookies to do something else as an authenticated user in the application, and I needed to start out by figuring out how the heck do I get cookies in the first place. Okay, but it all ties back to some service. So if you're familiar with Nmap results, PORT STATE SERVICE, 80/tcp open http, that looks very familiar, and then the four

lines below, that's the script. Any questions? Can you overwrite, so if the service is on a non-standard port and the check port failed, so it doesn't know what state it's in or

Okay, so the answer is going to be, kind of, it depends. If the port rule is written in a way that I want to look at 80, 443 and 8080 or something like that, nope, it didn't match, I'm not going to look at it. If I'm doing, like, shortport.http, which is doing some service recognition a little bit, and I have service verification or validation occurring on this and it says, hey, that's an HTTP server, now, sure, it's on some stupid port like twenty-five thousand and thirty-four, but I still recognize it as an HTTP server, so now it applies. That make sense? Good question. Any others? Oh, okay. All right, there are already 128 libraries

specifically written for NSE that are available to us. I grabbed some of the more common ones that I thought, hey, this might be useful on a more regular basis, to display up here. We're going to be dealing with files, potentially, so we've got the data file library. We're going to be dealing with brute-force attacks; there's a library for brute force. Hey, I'm in a Windows environment and so we want to do a lot of stuff with SMB; there's a full library written for that, and there's a whole bunch of scripts written for that as well that are geared up specifically at SMB checks. A guy I know named Ron Bowes actually wrote most of those, and he

spent a bunch of time researching and figuring out how to query or send, you know, requests to the SMB service and get a response back in some way that makes sense. It was kind of funny: we were talking about this thing at DerbyCon last year, the year before, and he made the comment, he says, yeah, if I was to do that again I'd have to relearn a whole bunch of stuff. Like any scripting language, it's kind of a use-it-or-lose-it type of proposition, right? So, you know, you want to work with this stuff and keep going. Some of the common ones that we are going to use, though, across all scripts, that are useful,

we've got, I've kind of bolded here, the nmap library, nsedebug, shortport, stdnse. These are, you know, just some kind of standard libraries to aid us in our scripting. Now, one interesting one I wanted to point out here: you've got unpwdb, the username and password database. If you're doing a brute-force attack, they actually have a password database functionality built into it already, so you can just call that and use that instead. So that's potentially very handy. We've already seen this in the head of the NSE scripts: this is where we're going to do our imports. Typically, we can do them later, but, as I mentioned, we do them all up front. So in

this case we're calling, you know, http, shortport and stdnse. All right, next up, the port rules. Now, we've seen the easy way, right, shortport.http. Fabulous, that's nice and easy to remember. Okay, here's a more complex one. So instead we're going to say, okay, the port rule is now a function, and off the port we're going to validate this: it's going to be on port 113, where we're looking at ident, ident, I can't talk. So the port is 113, it's on TCP, we get the state of all of that: is the port open, is it the ident service, is that open, and is the TCP

port open. With the port rule we can get more complex, so this is where, kind of going back to what you were talking about, we can give ourselves a lot of room or write ourselves into a corner. But nothing else will happen if this doesn't match. If this doesn't come back true, that, yep, we match all of these conditions, then the action never actually runs. This is, like I said, the shorter way of doing it. For different services, look at the NSE docs and see what you have available to you. Okay, now we're getting to the part where I've decided to try and be a little gutsy, and we're going to just open up a terminal and a

text editor, and I've got my cheat sheet on the side, so if I get stuck I'll have somewhere to go.


Is that readable back there at all? I didn't think so.

There we go. How are we doing? All right, and if I start getting things too low on the screen and I need to raise things up, let me know, so I'll do that too.

and [Music] we'll be the same thing here


Okay, that good on the terminal? Okay, so let's try and write some Nmap scripts here. Let's go. So Chris mentioned that he had the most worthless Nmap script or NSE script possible. I'm actually going to make one that's more useless than that, because his actually did tell you that there was a port there, and that is potentially useful, even though Nmap would have already said that anyhow. So let's start off. The first thing that we need is going to be the head, then we're going to have the rule, and then the action, so let's set that up. So the first thing we're going to need is our description of what this is. So

get up in front of a groupie we can type anyone all right and we'll say Liggett Orry bro sorta what's that oh it does change the meeting a little bit the myth however you can argue that that might apply particularly the demo gods decide that they don't like me very much there are other things you can put in here you can say you know just for informational purposes I can say hey the author is me but we do that's not you know we don't have to have that we do need the categories

All right, yes. Okay, this is going to be safe, because all we're doing is hello world, so this isn't particularly dangerous. Fabulous. And then we're going to have our port rule.

Okay, now I've got a web server that we're going to hit this with, and because I'm using shortport, you go back up here to the top and say local shortport, because we're just limiting this to this particular script, we're declaring it for this block of code, shortport is equal to require. Fabulous.

Oh yeah, that was supposed to be an assignment, thank you. That would have exploded in my face in just a moment, which I guarantee I'm going to do a couple of times while we're up here. All right, so now we've got the head completed, we've got the port rule set up. The action is going to be pretty simple, where I say action is, oops, equal to a function, we're going to set up the host and the port, and call some variable called

hi there is equal to hello everyone and then we're going to return hi there we've got to send that back to the scanning engine and then we end it then we've got to save this I don't want to save it to that directory where soon as the trouble about having us out

a world NSE and save it such over to our command line so we'll see over to

All right, here's our NSE script and my web server. We'll just double-check and make sure we're on the right IP address. Perfect. So I have a web VM running here, just with a website on it. You don't have to; I did it in this case because this is outside of the standard install location. If I copied this file to /usr/local/share/nmap/scripts then I wouldn't have to; I could run Nmap from anywhere and it would just know, go look here for my scripts. Because this is a custom-written script and I've got it saved somewhere on the file system, I either have to specify the path to it or I have to run it from that directory.

So we'll do nmap. We're not going to try and enumerate all the ports in the world on this thing: -p 80 --script, because we want one particular script, and it's called hello world. You don't typically call it with a .nse on the end of it; in this case I get autocomplete, so it tried to add it in. And then our IP address is 170 216 165 dot 142. Okay, and just for grins we're going to add the -d to our command, which is debug, because you're going to want this. This one I think we're pretty safe on, but as I'm writing things you get syntax errors and crap like that, and all of a sudden, without

running the -d, it just explodes: nope, didn't work. Add this, now you find out what the syntax error was. Okay, it actually works. So we get a whole lot of spew from Nmap. Let's get rid of that -d. Okay, and so we've got our results. Hey, I did a script and it worked, fortunately with some help from my editor, peer review out here. Exactly. But sure enough, I have a running web server, just like I said, I was right, and because we found that, we matched the rule, and then it dumped out hi there, or hello everyone. Notice that I didn't really specify anything other than just, I didn't format

this at all, right? I just returned the text back, and Nmap did what it did, said, hey, this came from the hello world NSE script and there's your results, have fun. Okay, all right, so that's kind of cool but, you know, not particularly exciting. So let's switch back, and then we'll do a new script. We're going to make this one a little bit more involved. Okay, so I'm going to use shortport again, because I am a lazy bum, and why make things harder for me than I have to? Now we're going to actually talk with the HTTP service, we're going to get something back from it and look at the

results, so we need to import the http library.

Oops, require http. I'm going to do some stuff with the standard NSE library, so we'll have that here.

Okay, so starting off our head, give the description.

What we're going to do with this script is we're going to just get the cookie values back from the site. Okay, now another part of, anytime we are doing a script that we might distribute to other people, it's kind of helpful to have some kind of guidance here on what we're supposed to do, right, a little bit of help on how we're going to run this. So we're going to add a comment in here, and this feeds into the NSEDoc as well, and give the usage: @usage, and then [Music] nmap, our targets, and --script, and we'll call this script get cookie. And then, just as an example of what

should come out, we have our example output that they can expect. We'll see something like 80/tcp open http, and it will be check cookie


All right, so there's our usage, right? So we've now done a little documentation. We've got to add our categories, and this is going to be equal to... so what do you guys think? We're going to hit a website and grab some cookies: safe, dangerous, intrusive? Safe, yeah, we're not doing anything unusual, so we'll go ahead and call this safe. Safe, close enough. Are you guys able to read this down here at the bottom? Unknown down there. Okay, all right, and then our port rule, we've finished the head. Port rule: shortport.http. And move on to the action. Action is a function, we have host, port.

We start into anything, just for convention.

So we're going to do a local variable of response, and it's going to equal whatever we get back from our web server. So we're going to do http.get. Now, if I was doing a POST request, it'd be http.post, so it's pretty straightforward. But since we're just hitting the main page, we don't really have to worry about anything here. And then we're going to give it the host, port, and we need the path, which I didn't declare. Go back up here ahead of that. I'll just say path is equal to, we're just going to get the root of the web server. Okay, and then

so we've got our response back. Now we're going to start looking for cookies. Local cookie jar is equal to, just declare this cookie jar as an array, which is actually a table, as it turns out. And then, this probably looks familiar: for underscore comma cookie, because all we're interested in are the cookies themselves, in pairs. Pairs, like I said, iterates over every element in an array without the index and the value assigned to that, so it's just an automatic iterator. And then we'll do, oops, the pairs.

Once we've got the cookies, now we're going to go do something

or work on our table: insert it into our table called cookie jar, and we'll do cookie name is equal to, and we're going to go off the screen here a little bit, so bear with this. Cookie name is equal to... now, to do string concatenation in Lua, in a lot of other languages we do, you know, a plus sign or something like that; in Lua we just use two dots, so just a little difference there. So dot dot and then cookie name, and I want also the value of the cookie, is equal to cookie's value, and for now we'll just call that good. I've run off the end of the screen. End our for loop, and then we're going to return

our results using the standard NSE library. Okay, PR is going to get sent back to the scripting engine, and we'll wrap up our script, and theoretically


Theoretically, when we run this we'll get our values back, our cookie values back. So the script is going to be... we're just going to use the same syntax, nmap -p80 --script, and instead of hello world it's going to be get-cookie,

plus our debug flag, because there's lots of opportunity for me to have screwed up. Yeah, I got away with it. Yeah. [Laughter] So let's clear it; we'll run it again here with things simplified. So I ran it against this website; it's a WordPress install that I mess around with. So we get the PHP session ID, here's its value. I could also pull up path and all that other stuff that you would need to send back to the app or subsequent requests, but there you go, we've managed to start pulling out our cookies. So what are we going to do from here? Well, we've got five minutes left, so not a whole lot. I'll show you what I'm looking at doing.

And back over here.

Let's do it this way.

Come on.

All right, it's not like me, please don't say... let's just do it this way. All right, so this is pretty much legible. So this is the script that I'm working on, and I was hoping to have done, and I didn't get it done, so I'll run it just to show you what it looks like with what I have available. So I've got all of my imports up here. The description of this script is: hey, I want to provide credentials, I want to target a WordPress site, and I want it to log in and tell me, is WordPress up to date or not? Right? And as you can imagine, that's something kind of important to keep your finger on if

you're running WordPress sites. The moment you're out of date we have a massive forum, you know, running around trying to exploit that. We've got all of our output; what I'm hoping to do is: here's the current version released on wordpress.org, and here's our installed version. Specifying license, categories; it should be safe. The thing that I wanted to point out, and this is actually this line right here, this took me by surprise a little bit: Lua does not have a regular expression engine. In fact, when I was reading the Lua documentation they said, well, we could put a Lua... but we could do a regular expression engine, but it's going to double the code base of Lua to do it, and we don't want

to do that. So they've got this pattern matching library that they use. And so in this case, the line before, I've declared a variable called WP response, meaning I'm hitting wordpress.org with my GET request. This time I was interested in the download page itself, so my path was /download, and then I was extracting out the version by doing a string match inside of that body for something that has a Download, ampersand, space, WordPress, ampersand, and then three after that. And by putting it inside the parentheses I'm telling Lua these are the values I want you to capture and toss into this variable, okay? Which is like our regular expressions, right?

Whatever we're grabbing in those parentheses is what we're going to manipulate later on. Okay, and then it goes out and makes the request. Now, I am working on my check here against this development site, so I would be logging in with a super secret password called "password". This is basically the POST body, and the goal is I would go in there and hit the updates page, match on what's there, and then give some comparison. Well, it doesn't work quite right yet, but let's go ahead and

It should work at least enough.

Right, that part of it worked. So we've gone out; sure enough, we have a web server, because the script fired. Now, it didn't do any validation to see that it literally was a WordPress site, right? So that'll need to be fixed up. But it did hit wordpress.org, and the current version is 4.7.3. Now I have something to compare on and I can continue on to write my check from there. So, really simple. My goal in this was just to, you know, kind of open up the NSE scripting world a little bit for everybody. It's not as bad as it first looks. You open up some of these files and you start getting kind of

intimidated by, you know, what they're doing, and oh my gosh, I'm not going to be able to do this. It's really not that bad. And I was doing some looking at the 500-plus scripts, and I did some word count on all the lines in it. I would say probably around 50% or more of the NSE scripts that are released as part of Nmap are about 150 to 175 lines in length, and that's going to include things like the description and the usage and all that other stuff. So it's really not that bad. We can do some useful stuff in a pretty short amount of code. You don't have to worry about managing thousands of lines of

code. Now, there are some that I saw that were fifteen hundred some-odd lines; that's way out there beyond me and will be for quite some time. So I hope this was interesting to you guys. Any questions on what we've done? Yeah.

Them I don't know, but to be honest... okay, I haven't hit that point. I suspect, though, it's going to be a "you tell it to do it, it runs, and it's done". I can give it a list of... what's that? Yes. And which does lead to some issues, right? If I'm going to specify the use of some kind of credentials, do I want that in my bash history file? Probably not. So put it in some kind of data file, right, and have my plugin know to look for an argument that says, hey, your username file is here, or your credential file is here. You could even tie this into a semi brute force type of deal: right, here's the five or

six credentials that we use across whatever this is, have fun, you figure out which one was the right one and just give me the results when we're done. Right, like I said, Lua is really well documented. You go online, they've got their Programming in Lua book online. Fabulous. You know, that was my reference, right? I didn't have to go out and buy anything. You've got about 50 percent of the Nmap book online; the NSE Burton section is part of that. If you don't have the book, it's worth getting. I have it myself; it's a great reference tool. You've got the NSE docs. You're looking at some library: what do I need to do with this thing? What do I

need to send it? You know, they've got all of that documented here. Checking out the existing scripts is kind of my favorite way of doing things: you know, let's see what somebody else has done. And obviously you can go back and look at this presentation and some of the scripts; here's just the GitHub URL again. Sir? What's that? Oh, right here, we were about that. Okay, let me handle this and then we'll lie back. Okay, so some of the documentation I read said in the older versions of WordPress they output it in a meta tag, so that implied to me that that was not the case anymore. Okay, so yeah, I saw about three

different ways to get the current installed version. The one you're referring to said "older", so I kind of shied away from it. The question we had earlier, actually, before you head out, what was your question again? Exactly, right. So his question was: can you make your NSE scripts interactive, so that it hits a certain point, it pauses, waits for you to put in input like a username and a password, right, in some way, and then moves on? And then the comment after that was, well, my spot... no, I don't think you can. I think it's going to just go, and then you can put it in as part of a

command line argument, or you can put it into text files that it reads in and uses that instead. So that's how you would have to get around that. So it does require a little bit of forethought. Any other questions? No? Well, thank you everybody for coming out. I hope it was useful, and take a shot at it. Thanks.
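
The cookie-listing script the talk builds step by step, written out in full as an added example (not the speaker's actual file). The file name `get-cookie.nse` follows the name used on the command line in the talk; the `get-cookie.path` script argument, the failed-response check and the empty-result handling are assumptions added here.

```lua
-- get-cookie.nse: added reconstruction of the cookie-listing script from the talk.
-- Assumed run line (target is a placeholder): nmap -p80 --script get-cookie -d <target>
local http = require "http"
local shortport = require "shortport"
local stdnse = require "stdnse"
local table = require "table"

description = [[
Requests one page from a web server and lists the cookies it sets.
]]

---
-- @usage nmap -p80 --script get-cookie <target>
-- @args get-cookie.path Page to request (default "/"). Added here, not in the talk.

author = "example"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"safe"}

-- Run against any port Nmap identifies as HTTP.
portrule = shortport.http

action = function(host, port)
  local path = stdnse.get_script_args(SCRIPT_NAME .. ".path") or "/"
  local response = http.get(host, port, path)

  -- http.get returns a table even on failure; status is nil when nothing usable came back.
  if not response or not response.status then
    stdnse.debug1("no HTTP response for %s", path)
    return nil
  end

  local cookie_jar = {}
  -- response.cookies is an array of tables parsed from the Set-Cookie headers.
  for _, cookie in pairs(response.cookies or {}) do
    table.insert(cookie_jar,
      "Cookie name = " .. cookie.name .. ", value = " .. tostring(cookie.value))
  end

  if #cookie_jar == 0 then
    return nil -- nothing set on this page, so print no script output
  end
  return stdnse.format_output(true, cookie_jar)
end
```

Returning `nil` from `action` makes Nmap print nothing for that port, which keeps scan output clean when a page sets no cookies.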