Tutorial: How to Use the Nmap Scripting Engine

September 8, 2015


Nmap is probably the best-known and most capable network scanner available today. It has a ton of features, it’s open source and free to use. So, what’s not to like about it?

One of those features is the NSE, the Nmap Scripting Engine, which extends Nmap’s functionality beyond plain scanning. With NSE you can not only scan, but also run additional checks against what you find. A large number of publicly available scripts come bundled with Nmap. In Kali Linux, these scripts are located under the /usr/share/nmap/scripts directory.

Some of these scripts are so-called ‘default’ scripts, which are run automatically with an Nmap scan by simply adding the -sC flag. For example, if you wish to scan the network 192.168.1.0/24 for FTP servers and run the default Nmap scripts against them, you can do so by running:

root@kali:~# nmap -sC -p 21 192.168.1.0/24


On my home network this gives one valid response, and the output looks like this:

Nmap scan report for 192.168.1.15
Host is up (-0.050s latency).
PORT   STATE SERVICE
21/tcp open  ftp
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_.
|_ftp-bounce: bounce working!
MAC Address: 2C:33:7A:2B:96:91 (Hon Hai Precision Ind. Co.)

As you can see, we get more information about this host than just that port 21 is open. Because we used the -sC flag, the default scripts that matched the FTP service were also run and provided additional details. Now we know that the FTP server allows anonymous login and that FTP bounce is working.

To learn which scripts are run when you use the -sC flag, look at the following URL: https://nmap.org/nsedoc/categories/default.html

The whole list of Nmap scripts is available at this URL: https://nmap.org/nsedoc/index.html

There are no exact criteria for a script being labeled as a default script, but the lighter, faster and less intrusive a script is, the better its chance of being included in the default category.

If I run a scan against my home router with the -sC flag, I get the following output:

Starting Nmap 6.49BETA4 ( https://nmap.org ) at 2015-09-05 11:10 CEST
Nmap scan report for homerouter.cpe (192.168.1.1)
Host is up (0.0027s latency).
Not shown: 992 closed ports
PORT     STATE    SERVICE
22/tcp   open     ssh
23/tcp   filtered telnet
53/tcp   open     domain
| dns-nsid:
|_  bind.version: 10.0.0
80/tcp   open     http
|_http-title: Site doesn't have a title (text/html).
443/tcp  open     https
| http-cisco-anyconnect:
|_  ERROR: Not a Cisco ASA or unsupported version
|_http-title: Site doesn't have a title (text/html).
| ssl-cert: Subject: commonName=LTE CPE B593 Certificate/organizationName=Huawei/countryName=CN
| Not valid before: 2012-07-27T06:28:50
|_Not valid after:  2027-07-24T06:28:50
631/tcp  filtered ipp
3000/tcp open     ppp
8081/tcp filtered blackice-icecap
MAC Address: 08:63:61:8E:8F:4E (Huawei Technologies Co.)

Here, we can see that the default scripts check the version of BIND, try to fetch the title of the web server and also inspect the TLS certificate. They also check whether the host is a Cisco ASA or not.

You can learn a bit more about your targets when using the -sC flag, but also remember that this leaves traces at another level. If Nmap scripts query the FTP or HTTP server, the target will log those requests in its respective log files, whereas a plain port scan typically would not show up there.

Since not all scripts are run by default, knowing something about your target helps a great deal. For instance, if you’re targeting a web server and you know that it responds to both HTTP and HTTPS requests, you can look for Nmap scripts that check for specific additional vulnerabilities or even try to brute force login credentials.

Let’s look at another example where I try to determine whether a web server is vulnerable to the famous POODLE vulnerability. Individual scripts are selected by name with the --script option:

root@kali:~# nmap -p 443 --script ssl-poodle 192.168.1.1

Starting Nmap 6.49BETA4 ( https://nmap.org ) at 2015-09-05 11:49 CEST
Nmap scan report for homerouter.cpe (192.168.1.1)
Host is up (0.0033s latency).
PORT    STATE SERVICE
443/tcp open  https
| ssl-poodle:
|   VULNERABLE:
|   SSL POODLE information leak
|     State: VULNERABLE
|     IDs:  OSVDB:113251  CVE:CVE-2014-3566
|           The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and
|           other products, uses nondeterministic CBC padding, which makes it easier
|           for man-in-the-middle attackers to obtain cleartext data via a
|           padding-oracle attack, aka the "POODLE" issue.
|     Disclosure date: 2014-10-14
|     Check results:
|       TLS_RSA_WITH_AES_128_CBC_SHA
|     References:
|       https://www.imperialviolet.org/2014/10/14/poodle.html
|       https://www.openssl.org/~bodo/ssl-poodle.pdf
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3566
|_      http://osvdb.org/113251
MAC Address: 08:63:61:8E:8F:4E (Huawei Technologies Co.)
Nmap done: 1 IP address (1 host up) scanned in 0.69 seconds

Nmap verifies that the target is indeed vulnerable.

One category of scripts available with Nmap is brute scripts: scripts that use brute force to log in to different services. Below, I show an example of running one against the local MySQL server on my Kali Linux machine.

root@kali:~# nmap -p 3306 --script mysql-brute 127.0.0.1

Starting Nmap 6.49BETA4 ( https://nmap.org ) at 2015-09-06 18:02 CEST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000053s latency).
PORT     STATE SERVICE
3306/tcp open  mysql
| mysql-brute:
|   Accounts:
|     root:<empty> - Valid credentials
|_  Statistics: Performed 45010 guesses in 9 seconds, average tps: 5001
Nmap done: 1 IP address (1 host up) scanned in 10.07 seconds

Nmap scripts add a lot of interesting features to the Nmap scanner, and if you’re into programming, you can develop your own scripts. Use some caution with Nmap scripts, as some of the scripts are very intrusive and a few of them can cause a denial of service.
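To show what such a script looks like, here is a minimal NSE script added as an illustration; it is not part of this article and is not shipped with Nmap, and the file name ftp-banner-example.nse and the author string are assumptions. It only reads the greeting banner of an FTP service, and it shows the two things that decide when a script runs: the portrule that matches the service (which is why the FTP scripts above fired only on 21/tcp) and the categories that -sC and --script select on.

```lua
-- ftp-banner-example.nse (assumed name): a minimal NSE script written as an
-- added example, not one of the scripts bundled with Nmap.
-- Run it directly with:  nmap -p 21 --script ./ftp-banner-example.nse 192.168.1.15
-- For -sC to pick it up, copy it to /usr/share/nmap/scripts and run
-- "nmap --script-updatedb" so it enters the script database.
local nmap = require "nmap"
local shortport = require "shortport"

description = [[
Connects to an FTP service and reports its greeting banner. The script
sends nothing to the server, which is what keeps it in the "safe" category.
]]

author = "example author (assumed)"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"

-- Categories decide how the script is selected: -sC runs everything in
-- "default", "--script safe" runs everything in "safe", and "--script brute"
-- would never touch this script.
categories = {"default", "safe", "discovery"}

-- The rule decides on which ports the action runs: 21/tcp, or any port
-- whose detected service is ftp.
portrule = shortport.port_or_service(21, "ftp")

action = function(host, port)
  local socket = nmap.new_socket()
  socket:set_timeout(5000)

  local status = socket:connect(host, port)
  if not status then
    return nil            -- returning nil prints nothing in the report
  end

  -- FTP servers speak first: read the greeting line only, then disconnect.
  local ok, line = socket:receive_lines(1)
  socket:close()
  if not ok then
    return nil
  end

  -- gsub returns two values; only the cleaned string is kept.
  local banner = line:gsub("[\r\n]+$", "")
  return "banner: " .. banner
end
```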

Happy scanning with Nmap.

2 Comments
  1. Nmap is on my radar to get using and polish up on. Thanks for the info.

  2. The hint “--script” is a very interesting solution!!!
