Updated output for scripts

by Ron (list)

(sorry if this comes twice, one of my SMTP servers seems to have stopped
relaying)

Hey guys,

I started working on this last night and just finished. Basically, I
cleaned up and updated the output of every script I've touched. The
current version is in
svn://svn.insecure.org/nmap-exp/ron/nmap-smb

I wrote a function in stdnse.lua called format_output(). It basically
takes a table and converts it to a human-readable string. The (HUGE)
advantage to using this is that everything is formatted basically the
same. Previously, among my own scripts, all of which were written by me,
there were all kinds of different indenting methods. Now, everything
looks the same.

I'm hoping everybody starts using this when they're writing scripts with
multi-line output.

Here is how it looks:
|  smb-check-vulns:
|  |  MS08-067: NOT VULNERABLE
|  |  Conficker: Likely CLEAN
|  |  regsvc DoS: CHECK DISABLED (add '--script-args=unsafe=1' to run)
|_ |_ SMBv2 DoS (CVE-2009-3103): CHECK DISABLED (add '--script-args=unsafe=1' to run)

|  smb-enum-users:
|  |  WINDOWS2003\Administrator (RID: 500)
|  |  |  Description: Built-in account for administering the computer/domain
|  |  |_ Flags:       Password does not expire, Normal user account
|  |  WINDOWS2003\ASPNET (RID: 1008)
|  |  |  Full name:   ASP.NET Machine Account
|  |  |  Description: Account used for running the ASP.NET worker process (aspnet_wp.exe)
|  |  |_ Flags:       Password not required, Password does not expire, Normal user account
|  |  WINDOWS2003\Guest (RID: 501)
|  |  |  Description: Built-in account for guest access to the computer/domain
|  |  |_ Flags:       Password not required, Password does not expire, Account disabled, Normal user account

|  smb-system-info:
|  |  OS Details
|  |  |  Microsoft Windows Server 2003 Service Pack 2 (ServerNT 5.2 build 3790)
|  |  |  Installed on 2009-10-17 20:14:19
|  |  |  Registered to Ron (organization: MJ-12)
|  |  |  Path: %SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem
|  |  |  Systemroot: C:\WINDOWS
|  |  |_ Page files: C:\pagefile.sys 384 768 (cleared at shutdown => 0)
|  |  Hardware
|  |  |  CPU 0: Intel(R) Core(TM)2 Duo CPU T7500@ 2.20GHz [2194mhz GenuineIntel]
|  |  |  |_ Identifier 0: x86 Family 6 Model 15 Stepping 11
|  |  |_ Video driver: VMware SVGA II
|  |  Browsers
|  |  |  Internet Explorer 8.0000
|_ |_ |_ Firefox 3.5.4 (en-US)


|  smb-server-stats:
|  |  Server statistics collected since 2009-11-05 08:08:27 (4d11h48m24s):
|  |  |  1388558 bytes (3.58 b/s) sent, 2156012 bytes (5.56 b/s) received
|_ |_ |_ 8772 failed logins, 0 permission errors, 0 system errors, 0 print jobs, 276 files opened


|  smb-enum-domains:
|  |  WINDOWS2003
|  |  |  SID: S-1-5-21-4146152237-3614947961-1862238888
|  |  |  Users: Administrator, ASPNET, Guest, IUSR_WINDOWS2003, IWAM_WINDOWS2003, ron, SUPPORT_388945a0, test
|  |  |  Creation time: 2009-10-17 12:46:43
|  |  |  Passwords: min length: n/a; min age: n/a; max age: 42 days; history: n/a
|  |  |_ Account lockout disabled
|  |  Builtin
|  |  |  SID: S-1-5-32
|  |  |  Users: n/a
|  |  |  Creation time: 2009-10-17 12:46:43
|  |  |  Passwords: min length: n/a; min age: n/a; max age: 42 days; history: n/a
|_ |_ |_ Account lockout disabled


I think they look a lot nicer now.

Any thoughts?

If not, I'll merge this back into the trunk.

Thanks!
Ron

--
Ron Bowes
http://www.skullsecurity.org/
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/

Re: Updated output for scripts

by Patrick Donnelly-3

Hi Ron,

On Tue, Nov 10, 2009 at 10:22 AM, Ron <ron@...> wrote:
> I think they look a lot nicer now.
>
> Any thoughts?

My first impressions are that it does indeed look nice but what did it
look like before? Also, the format_output function needs NSEDoc.


--
-Patrick Donnelly

"Let all men know thee, but no man know thee thoroughly: Men freely
ford that see the shallows."

- Benjamin Franklin

Re: Updated output for scripts

by DePriest, Jason R.

On Tue, Nov 10, 2009 at 9:22 AM, Ron <ron@...> wrote:

> I think they look a lot nicer now.
>
> Any thoughts?
>
> If not, I'll merge this back into the trunk.
>
> Thanks!
> Ron
>
> --
> Ron Bowes
> http://www.skullsecurity.org/


Gmail wrapped it so it looks sort of strange, but I'm sure it looks
fine in the real world.

My question is how are you sending the data to the function?

Can you post a lua snippet?

I'm on a CDMA connection and don't want to update my svn at this speed.

-Jason

Re: Updated output for scripts

by Ron (list)

Patrick Donnelly wrote:
> My first impressions are that it does indeed look nice but what did it
> look like before? Also, the format_output function needs NSEDoc.

It looked, on average, the same. But the indents were often a mix
between " ", "  ", "|  ", etc.

Also, multi-field outputs often looked like:
|  Heading
|  |_ Field1
|  |_ Field2
|_ |_ Field3

Or
|  Heading
|   Field1
|   Field2
|_  Field3

Or (this is what I'm using for everything now):
|  Heading
|  |  Field1
|  |  Field2
|_ |_ Field3

The primary improvement is consistency -- instead of every script
defining its own style, the library does.

Ron

Re: Updated output for scripts

by Ron (list)

DePriest, Jason R. wrote:

> Gmail wrapped it so it looks sort of strange, but I'm sure it looks
> fine in the real world.
>
> My question is how are you sending the data to the function?
>
> Can you post a lua snippet?
>
> I'm on a CDMA connection and don't want to update my svn at this speed.
>
> -Jason

Yeah, they shouldn't be wrapped. :)

Here is probably the simplest example:

    table.insert(response, string.format("OS: %s (%s)",
        get_windows_version(result['os']), result['lanmanager']))
    table.insert(response, string.format("Name: %s\\%s",
        result['domain'], result['server']))
    table.insert(response, string.format("System time: %s %s",
        result['date'], result['timezone_str']))
    return stdnse.format_output(true, response)

Sorry for what will probably end up being bad wrapping again.

Note the first parameter to format_output() -- if you set it to 'false',
if debugging() is turned on it'll prefix each line with ERROR:. If
debugging is turned off, it won't output anything. That's based on a
request I had a lonnnng time ago, where errors don't display unless
debugging is enabled.

Ron

--
Ron Bowes
http://www.skullsecurity.org/

Re: Updated output for scripts

by Fyodor

On Tue, Nov 10, 2009 at 09:22:17AM -0600, Ron wrote:
>
> I wrote a function in stdnse.lua called format_output(). It basically
> takes a table and converts it to a human-readable string. The (HUGE)
> advantage to using this is that everything is formatted basically the
> same. Previously, among my own scripts, all of which were written by me,
> there were all kinds of different indenting methods. Now, everything
> looks the same.

Thanks Ron, I agree that consistency is important!  Also, I have one
minor comment regarding the format:

> |  smb-enum-users:
> |  |  WINDOWS2003\Administrator (RID: 500)
> |  |  |  Description: Built-in account for administering the computer/domain
> |  |  |_ Flags:       Password does not expire, Normal user account
> |  |  WINDOWS2003\ASPNET (RID: 1008)
> |  |  |  Full name:   ASP.NET Machine Account
> |  |  |  Description: Account used for running the ASP.NET worker process (aspnet_wp.exe)
> |  |  |_ Flags:       Password not required, Password does not expire, Normal user account

Perhaps this amount of initial whitespace is excessive, particularly
when you get several levels deep.  Maybe this would be better?

> | smb-enum-users:
> | | WINDOWS2003\Administrator (RID: 500)
> | | | Description: Built-in account for administering the computer/domain
> | | |_Flags:       Password does not expire, Normal user account
> | | WINDOWS2003\ASPNET (RID: 1008)
> | | | Full name:   ASP.NET Machine Account
> | | | Description: Account used for running the ASP.NET worker process (aspnet_wp.exe)
> | | |_Flags:       Password not required, Password does not expire, Normal user account

Or perhaps it would be even better with the "|" replaced by a space
for levels 2 and greater:

> | smb-enum-users:
> |   WINDOWS2003\Administrator (RID: 500)
> |     Description: Built-in account for administering the computer/domain
> |     Flags:       Password does not expire, Normal user account
> |   WINDOWS2003\ASPNET (RID: 1008)
> |     Full name:   ASP.NET Machine Account
> |     Description: Account used for running the ASP.NET worker process (aspnet_wp.exe)
> |     Flags:       Password not required, Password does not expire, Normal user account

Personally, I think I like this last one (#3) best.

Cheers,
-F

Re: Updated output for scripts

by Kris Katterjohn-2

On 11/10/2009 08:03 PM, Fyodor wrote:

> Or perhaps it would be even better with the "|" replaced by a space
> for levels 2 and greater:
>
>> | smb-enum-users:
>> |   WINDOWS2003\Administrator (RID: 500)
>> |     Description: Built-in account for administering the computer/domain
>> |     Flags:       Password does not expire, Normal user account
>> |   WINDOWS2003\ASPNET (RID: 1008)
>> |     Full name:   ASP.NET Machine Account
>> |     Description: Account used for running the ASP.NET worker process (aspnet_wp.exe)
>> |     Flags:       Password not required, Password does not expire, Normal user account
>
> Personally, I think I like this last one (#3) best.
>

My only problem with this is that certain things don't handle whitespace like
we like so any copy/paste or whatever could ruin any indentation.  Having the
pipes helps to alleviate this.  Users are stuck with this style of output for
now, so we should make sure they can use it as much as possible.

And this, of course, is the main reason I dislike Python.  I prefer Ruby
regardless of this, but I'd hate having to worry about whitespace for
something as crucial as code block delimiters.  I recall talking with David
about this at DEFCON... but I'll try to stop my recursive tangents for now :)

> Cheers,
> -F

Kris Katterjohn


Re: Updated output for scripts

by Ron (list)

Fyodor wrote:

> Perhaps this amount of initial whitespace is excessive, particularly
> when you get several levels deep.  Maybe this would be better?
>
>> | smb-enum-users:
>> | | WINDOWS2003\Administrator (RID: 500)
>> | | | Description: Built-in account for administering the computer/domain
>> | | |_Flags:       Password does not expire, Normal user account
>> | | WINDOWS2003\ASPNET (RID: 1008)
>> | | | Full name:   ASP.NET Machine Account
>> | | | Description: Account used for running the ASP.NET worker process (aspnet_wp.exe)
>> | | |_Flags:       Password not required, Password does not expire, Normal user account
>
> Or perhaps it would be even better with the "|" replaced by a space
> for levels 2 and greater:
Hmm, the reason I went with two spaces is because NSE adds two spaces
after the first pipe. I'm cool with either way, though.

>> | smb-enum-users:
>> |   WINDOWS2003\Administrator (RID: 500)
>> |     Description: Built-in account for administering the computer/domain
>> |     Flags:       Password does not expire, Normal user account
>> |   WINDOWS2003\ASPNET (RID: 1008)
>> |     Full name:   ASP.NET Machine Account
>> |     Description: Account used for running the ASP.NET worker process (aspnet_wp.exe)
>> |     Flags:       Password not required, Password does not expire, Normal user account
>
> Personally, I think I like this last one (#3) best.
Hmm, I can easily make that change, and it'll change every script
automatically, but I'm not sure I like it. I sort of like how the pipes
group everything together. Without them, I also think multiple scripts'
outputs will be difficult to tell apart.

I'm ok either way, though. :)

>
> Cheers,
> -F
Ron


--
Ron Bowes
http://www.skullsecurity.org/

Re: Updated output for scripts

by Fyodor

On Tue, Nov 10, 2009 at 11:14:02PM -0600, Ron wrote:

> Fyodor wrote:
> >> | | WINDOWS2003\ASPNET (RID: 1008)
> >> | | | Full name:   ASP.NET Machine Account
> >> | | | Description: Account used for running the ASP.NET worker process (aspnet_wp.exe)
> >> | | |_Flags:       Password not required, Password does not expire, Normal user account
> >
> > Or perhaps it would be even better with the "|" replaced by a space
> > for levels 2 and greater:
> Hmm, the reason I went with two spaces is because NSE adds two spaces
> after the first pipe. I'm cool with either way, though.

Yeah, I think that if the extra space is removed from format_output,
it should also be removed from the first level of indentation (printed
by NSE).

Here is an example with and without the "extra" space for single line
output:

80/tcp    open   http    Apache httpd 2.2.3 ((Red Hat))
|_ html-title: Go ahead and ScanMe!

80/tcp    open   http    Apache httpd 2.2.3 ((Red Hat))
|_html-title: Go ahead and ScanMe!


> Hmm, I can easily make that change, and it'll change every script
> automatically, but I'm not sure I like it. I sort of like how the pipes
> group everything together. Without them, I also think multiple scripts'
> outputs will be difficult to tell apart.

I'm not opposed to keeping the pipes.  Kris seems to like them too.
Maybe we should kill the "extra" space, but keep the pipes rather than
change them to spaces.

Cheers,
-F


Re: Updated output for scripts

by Ron (list)

Fyodor wrote:
> I'm not opposed to keeping the pipes.  Kris seems to like them too.
> Maybe we should kill the "extra" space, but keep the pipes rather than
> change them to spaces.
>
> Cheers,
> -F
>

Sounds good to me!

Ron

--
Ron Bowes
http://www.skullsecurity.org/
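
Added illustration, not part of the thread and not the code of stdnse.format_output(): a stand-alone Lua sketch of the layout rule visible in the sample output, rendered in the original two-space style and in the style agreed at the end of the thread (pipes kept, "extra" space removed). The nested-table input with a `name` heading field, the function names and the sample data are assumptions; the sketch also draws the first column itself, which in Nmap is printed by NSE.

```lua
-- Added sketch, not stdnse.format_output itself. Assumed input shape: an
-- array of strings and nested tables; a nested table's "name" is its heading.
local STYLES = {
  wide   = { open = "|  ", close = "|_ " },  -- layout from the first message
  narrow = { open = "| ",  close = "|_"  },  -- "extra" space removed, pipes kept
}

-- Walk the tree depth-first and record every output line with its depth.
local function flatten(node, depth, lines)
  for _, item in ipairs(node) do
    if type(item) == "table" then
      lines[#lines + 1] = { depth = depth, text = item.name or "" }
      flatten(item, depth + 1, lines)
    else
      lines[#lines + 1] = { depth = depth, text = tostring(item) }
    end
  end
  return lines
end

-- Column k of a line closes ("|_") when the next line is shallower than k;
-- this reproduces the corner pattern seen in the sample output in the thread.
local function render(script_name, data, style_name)
  local style = assert(STYLES[style_name], "unknown style")
  -- Depth 1 is the script-name line (printed by NSE in Nmap, drawn here).
  local lines = flatten(data, 2, { { depth = 1, text = script_name .. ":" } })
  local out = {}
  for i, line in ipairs(lines) do
    local next_depth = lines[i + 1] and lines[i + 1].depth or 0
    local prefix = {}
    for col = 1, line.depth do
      prefix[col] = (next_depth < col) and style.close or style.open
    end
    out[i] = table.concat(prefix) .. line.text
  end
  return table.concat(out, "\n")
end

-- Constructed sample data modelled on the smb-enum-users output above.
local users = {
  { name = "WINDOWS2003\\Administrator (RID: 500)",
    "Description: Built-in account for administering the computer/domain",
    "Flags:       Password does not expire, Normal user account" },
  { name = "WINDOWS2003\\Guest (RID: 501)",
    "Flags:       Account disabled, Normal user account" },
}

print(render("smb-enum-users", users, "wide"))
print()
print(render("smb-enum-users", users, "narrow"))
```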