Search icon CANCEL
Subscription
0
Cart icon
Your Cart (0 item)
Close icon
You have no products in your basket yet
Arrow left icon
Explore Products
Best Sellers
New Releases
Books
Videos
Audiobooks
Learning Hub
Free Learning
Arrow right icon
Arrow up icon
GO TO TOP
Nmap: Network Exploration and Security Auditing Cookbook

You're reading from   Nmap: Network Exploration and Security Auditing Cookbook Network discovery and security scanning at your fingertips

Arrow left icon
Product type Paperback
Published in May 2017
Publisher
ISBN-13 9781786467454
Length 416 pages
Edition 2nd Edition
Languages
Tools
Arrow right icon
Author (1):
Arrow left icon
Paulino Calderon Paulino Calderon
Author Profile Icon Paulino Calderon
Paulino Calderon
Arrow right icon
View More author details
Toc

Table of Contents (18) Chapters Close

Preface 1. Nmap Fundamentals FREE CHAPTER 2. Network Exploration 3. Reconnaissance Tasks 4. Scanning Web Servers 5. Scanning Databases 6. Scanning Mail Servers 7. Scanning Windows Systems 8. Scanning ICS SCADA Systems 9. Optimizing Scans 10. Generating Scan Reports 11. Writing Your Own NSE Scripts 12. HTTP, HTTP Pipelining, and Web Crawling Configuration Options 13. Brute Force Password Auditing Options 14. NSE Debugging 15. Additional Output Options 16. Introduction to Lua 17. References and Additional Reading

Using NSE scripts against a target host

The Nmap project introduced a feature named Nmap Scripting Engine that allows users to extend the capabilities of Nmap via Lua scripts. NSE scripts are very powerful and have become one of Nmap's main strengths, performing tasks from advanced version detection to vulnerability exploitation. The variety of scripts available (more than 500) help users perform a wide range of tasks using the target information obtained from scans.

The following recipe describes how to run NSE scripts, and the different options available to configure its execution.

How to do it...

Enable script scan using the Nmap option -sC. This mode will select all NSE scripts belonging to the default category and execute them against our targets:

$nmap -sC <target>
$nmap -sC scanme.nmap.org
Nmap scan report for scanme.nmap.org (45.33.32.156)
Host is up (0.14s latency).
Other addresses for scanme.nmap.org (not scanned):
2600:3c01::f03c:91ff:fe18:bb2f
Not shown: 995 closed ports
PORT STATE SERVICE
22/tcp open ssh
| ssh-hostkey:
| 1024 ac:00:a0:1a:82:ff:cc:55:99:dc:67:2b:34:97:6b:75 (DSA)
| 2048 20:3d:2d:44:62:2a:b0:5a:9d:b5:b3:05:14:c2:a6:b2 (RSA)
|_ 256 96:02:bb:5e:57:54:1c:4e:45:2f:56:4c:4a:24:b2:57 (ECDSA)
25/tcp filtered smtp
80/tcp open http
|_http-title: Go ahead and ScanMe!
9929/tcp open nping-echo
31337/tcp open Elite
Nmap done: 1 IP address (1 host up) scanned in 24.42 seconds

In this case, the results included the output of the ssh-hostkey and http-title scripts. The number of scripts executed depends on the host or port rules of the scripts.

How it works...

The Nmap option  -sC enables script scan mode, which tells Nmap to select the default scripts and execute them if the host or port rule matches.

NSE scripts are divided into the following categories:

  • auth: This category is for scripts related to user authentication
  • broadcast: This is a very interesting category of scripts that use broadcast petitions to gather information
  • brute: This category is for scripts that help conduct brute-force password auditing
  • default: This category is for scripts that are executed when a script scan is executed ( -sC )
  • discovery: This category is for scripts related to host and service discovery.
  • dos: This category is for scripts related to denial of service attacks
  • exploit: This category is for scripts that exploit security vulnerabilities
  • external: This category is for scripts that depend on a third-party service
  • fuzzer: This category is for NSE scripts that are focused on fuzzing
  • intrusive: This category is for scripts that might crash something or generate a lot of network noise; scripts that system administrators may consider intrusive belong to this category
  • malware: This category is for scripts related to malware detection
  • safe: This category is for scripts that are considered safe in all situations
  • version: This category is for scripts that are used for advanced versioning
  • vuln: This category is for scripts related to security vulnerabilities

There's more...

Let's learn about some Nmap options that are required to customize the Nmap Scripting Engine. Some scripts require to be configured correctly, so it is important that we are familiar with all the Nmap Scripting Engine options.

NSE script arguments

The --script-args flag is used to set the arguments of NSE scripts. For example, if you would like to set the useragent HTTP library argument, you would use the following:

$ nmap --script http-title --script-args http.useragent="Mozilla 999" <target>  

You can also use aliases when setting the arguments for NSE scripts. For example, you have the following code:

$ nmap -p80 --script http-trace --script-args path <target>  

Instead of the preceding code, you can use the following one:

$ nmap -p80 --script http-trace --script-args http-trace.path <target>  

Script selection

Users may select specific scripts when scanning using the Nmap option --script <filename or path/folder/category/expression>:

$nmap --script <filename or path/folder/category/expression> <target>  

For example, the command to run the NSE script dns-brute is as follows:

$nmap --script dns-brute <target>  

The Nmap Scripting Engine also supports the execution of multiple scripts simultaneously:

$ nmap --script http-headers,http-title scanme.nmap.org
Nmap scan report for scanme.nmap.org (74.207.244.221)
Host is up (0.096s latency).
Not shown: 995 closed ports
PORT STATE SERVICE
22/tcp open ssh
25/tcp filtered smtp
80/tcp open http
| http-headers:
| Date: Mon, 24 Oct 2011 07:12:09 GMT
| Server: Apache/2.2.14 (Ubuntu)
| Accept-Ranges: bytes
| Vary: Accept-Encoding
| Connection: close
| Content-Type: text/html
|
|_ (Request type: HEAD)
|_http-title: Go ahead and ScanMe!
646/tcp filtered ldp
9929/tcp open nping-echo

In addition, NSE scripts can be selected by category, expression, or folder:

  • Run all the scripts in the vuln category:
$ nmap -sV --script vuln <target>  
  • Run the scripts in the version or discovery categories:
$ nmap -sV --script="version,discovery" <target>  
  • Run all the scripts except for the ones in the exploit category:
$ nmap -sV --script "not exploit" <target>  
  • Run all HTTP scripts except http-brute and http-slowloris:
$ nmap -sV --script "(http-*) and not(http-slowloris or http-brute)" <target>  

Expressions are very handy as they allow fine-grained script selection, as shown in the preceding example.

Debugging NSE scripts

To debug NSE scripts, use --script-trace. This enables a stack trace of the executed script to help you debug the script execution. Remember that sometimes you may need to increase the debugging level with the -d[1-9] flag to get to the bottom of the problem:

$ nmap -sC --script-trace <target>
$ nmap --script http-headers --script-trace scanme.nmap.org
NSOCK INFO [18.7370s] nsock_trace_handler_callback(): Callback:
CONNECT SUCCESS for EID 8 [45.33.32.156:80]
NSE: TCP 192.168.0.5:47478 > 45.33.32.156:80 | CONNECT
NSE: TCP 192.168.0.5:47478 > 45.33.32.156:80 | 00000000:
48 45 41 44 20 2f 20 48 54 54 50 2f 31 2e 31 0d HEAD / HTTP/1.1
00000010: 0a 43 6f 6e 6e 65 63 74 69 6f 6e 3a 20 63 6c 6f
Connection: clo
00000020: 73 65 0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20 se
User- Agent:
00000030: 4d 6f 7a 69 6c 6c 61 2f 35 2e 30 20 28 63 6f 6d
Mozilla/5.0 (com
00000040: 70 61 74 69 62 6c 65 3b 20 4e 6d 61 70 20 53 63 patible;
Nmap Sc
00000050: 72 69 70 74 69 6e 67 20 45 6e 67 69 6e 65 3b 20 ripting
Engine;
00000060: 68 74 74 70 73 3a 2f 2f 6e 6d 61 70 2e 6f 72 67
https://nmap.org
00000070: 2f 62 6f 6f 6b 2f 6e 73 65 2e 68 74 6d 6c 29 0d
/book/nse.html)
00000080: 0a 48 6f 73 74 3a 20 73 63 61 6e 6d 65 2e 6e 6d Host:
scanme.nm
00000090: 61 70 2e 6f 72 67 0d 0a 0d 0a ap.org
[Output removed to save space]Nmap scan report for scanme.nmap.org
(45.33.32.156)
Host is up (0.14s latency).
Other addresses for scanme.nmap.org (not scanned):
2600:3c01::f03c:91ff:fe18:bb2f
Not shown: 995 closed ports
PORT STATE SERVICE
22/tcp open ssh
25/tcp filtered smtp
80/tcp open http
| http-headers:
| Date: Sun, 24 Apr 2016 19:52:13 GMT
| Server: Apache/2.4.7 (Ubuntu)
| Accept-Ranges: bytes
| Vary: Accept-Encoding
| Connection: close
| Content-Type: text/html
|
|_ (Request type: HEAD)
9929/tcp open nping-echo
31337/tcp open Elite

Nmap done: 1 IP address (1 host up) scanned in 18.89 seconds

Adding new scripts

There will be occasions where you will want to try scripts not included officially with Nmap. To test new scripts, you simply need to copy them to your /scripts inside your Nmap directory and run the following command to update the script database:

# nmap --script-updatedb  

After updating the script database, you simply need to select them, as you would normally do with the --script option. In addition, you may execute scripts without including them in the database by setting a relative or absolute script path as the argument:

# nmap --script /root/loot/nonofficial.nse <target>  

The https://secwiki.org/w/Nmap/External_Script_Library Wiki page attempts to keep track of all scripts that for different reasons could not get included officially with Nmap. I recommend you visit it as there are some great scripts in there.

You have been reading a chapter from
Nmap: Network Exploration and Security Auditing Cookbook - Second Edition
Published in: May 2017
Publisher:
ISBN-13: 9781786467454
Register for a free Packt account to unlock a world of extra content!
A free Packt account unlocks extra newsletters, articles, discounted offers, and much more. Start advancing your knowledge today.
Unlock this book and the full library FREE for 7 days
Get unlimited access to 7000+ expert-authored eBooks and videos courses covering every tech area you can think of
Renews at $19.99/month. Cancel anytime
Banner background image