
Tutorial: How to Use the Nmap Scripting Engine


By: Johan Grotherus

September 8, 2015

Using the Nmap Scripting Engine - Cybrary

Nmap is probably the best-known and most capable network scanner available today. It has a ton of features, it's open source and it's free to use. So, what's not to like about it?

One of those features is the NSE, the Nmap Scripting Engine, which extends Nmap's functionality as a scanner. With NSE, you can not only scan, but also run additional checks against what you find. A number of publicly available Nmap scripts come bundled with Nmap; in Kali Linux, these scripts are located under the /usr/share/nmap/scripts directory.

Some of these scripts are so-called 'default' scripts, which can be run automatically as part of an Nmap scan simply by adding the -sC flag. For example, if you wish to scan the network 192.168.1.0/24 for FTP servers and run the default Nmap scripts against them, you can do this by running:

root@kali:~# nmap -sC -p 21 192.168.1.0/24

The output on my home network gives me one valid response and looks like this:

Nmap scan report for 192.168.1.15
Host is up (-0.050s latency).
PORT   STATE SERVICE
21/tcp open  ftp
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_.
|_ftp-bounce: bounce working!
MAC Address: 2C:33:7A:2B:96:91 (Hon Hai Precision Ind. Co.)

As you can see, we get more information about this host than just the fact that port 21 is open. Because we used the -sC flag, the default scripts that matched the FTP service were also run and provided additional details. Now we know that the FTP server allows anonymous login and that FTP bounce is working.

To learn which scripts are run when using the -sC flag, you can look at the following URL: https://nmap.org/nsedoc/categories/default.html

The whole list of Nmap scripts is available at this URL: https://nmap.org/nsedoc/index.html

There are no exact criteria for a script being labeled as a default script, but the lighter, faster and less intrusive the script is, the better its chances of being included as a default script. If I run a scan against my home router with the -sC flag, I get the following output:

Starting Nmap 6.49BETA4 ( https://nmap.org ) at 2015-09-05 11:10 CEST
Nmap scan report for homerouter.cpe (192.168.1.1)
Host is up (0.0027s latency).
Not shown: 992 closed ports
PORT     STATE    SERVICE
22/tcp   open     ssh
23/tcp   filtered telnet
53/tcp   open     domain
| dns-nsid:
|_  bind.version: 10.0.0
80/tcp   open     http
|_http-title: Site doesn't have a title (text/html).
443/tcp  open     https
| http-cisco-anyconnect:
|_  ERROR: Not a Cisco ASA or unsupported version
|_http-title: Site doesn't have a title (text/html).
| ssl-cert: Subject: commonName=LTE CPE B593 Certificate/organizationName=Huawei/countryName=CN
| Not valid before: 2012-07-27T06:28:50
|_Not valid after:  2027-07-24T06:28:50
631/tcp  filtered ipp
3000/tcp open     ppp
8081/tcp filtered blackice-icecap
MAC Address: 08:63:61:8E:8F:4E (Huawei Technologies Co.)

Here, we can see that the Nmap scripts check the version of BIND, try to fetch the title of the web server and also inspect the TLS certificate. They also check whether the device is a Cisco ASA or not.

You can learn a bit more about your targets when using the -sC flag, but remember that this leaves traces on another level. If you query the FTP or HTTP server by running Nmap scripts, the target will also log those requests in its respective log files.

Since not all scripts are run by default, having knowledge about your target helps a great deal. For instance, if you're targeting a web server and you know that it responds to both HTTP and HTTPS requests, you can look for Nmap scripts that check for certain additional vulnerabilities or even try to brute-force login credentials.

Let's look at another example, where I try to determine whether a web server is vulnerable to the famous POODLE vulnerability.

root@kali:~# nmap -p 443 --script ssl-poodle 192.168.1.1

Starting Nmap 6.49BETA4 ( https://nmap.org ) at 2015-09-05 11:49 CEST
Nmap scan report for homerouter.cpe (192.168.1.1)
Host is up (0.0033s latency).
PORT    STATE SERVICE
443/tcp open  https
| ssl-poodle:
|   VULNERABLE:
|   SSL POODLE information leak
|     State: VULNERABLE
|     IDs:  OSVDB:113251  CVE:CVE-2014-3566
|           The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and
|           other products, uses nondeterministic CBC padding, which makes it easier
|           for man-in-the-middle attackers to obtain cleartext data via a
|           padding-oracle attack, aka the "POODLE" issue.
|     Disclosure date: 2014-10-14
|     Check results:
|       TLS_RSA_WITH_AES_128_CBC_SHA
|     References:
|       https://www.imperialviolet.org/2014/10/14/poodle.html
|       https://www.openssl.org/~bodo/ssl-poodle.pdf
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3566
|_      https://osvdb.org/113251
MAC Address: 08:63:61:8E:8F:4E (Huawei Technologies Co.)

Nmap done: 1 IP address (1 host up) scanned in 0.69 seconds

Nmap verifies that the target is indeed vulnerable.

One type of script available with Nmap is the brute scripts. These scripts use brute force to try to log in to different services. Below, I show an example of running a brute-force attack against the local MySQL server on my Kali Linux machine.

root@kali:~# nmap -p 3306 --script mysql-brute 127.0.0.1

Starting Nmap 6.49BETA4 ( https://nmap.org ) at 2015-09-06 18:02 CEST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000053s latency).
PORT     STATE SERVICE
3306/tcp open  mysql
| mysql-brute:
|   Accounts:
|     root:<empty> - Valid credentials
|_  Statistics: Performed 45010 guesses in 9 seconds, average tps: 5001

Nmap done: 1 IP address (1 host up) scanned in 10.07 seconds

Nmap scripts add a lot of interesting features to the Nmap scanner, and if you're into programming, you can develop your own scripts. Use some caution with Nmap scripts, as some of them are very intrusive and a few can cause a denial of service.

Happy scanning with Nmap.
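A minimal custom script of the kind the paragraph above refers to, written here as an added example and not taken from the bundled Nmap scripts or from the author: it reads the FTP greeting on port 21 and reports whether the banner discloses a version number. The file name example-ftp-banner.nse is hypothetical; the nmap, shortport and stdnse libraries it uses are NSE's own.

```lua
-- example-ftp-banner.nse (hypothetical file name; added example, not shipped with Nmap).
-- Run with:  nmap -p 21 --script ./example-ftp-banner.nse <target>
local nmap      = require "nmap"
local shortport = require "shortport"
local stdnse    = require "stdnse"

description = [[
Connects to an FTP service, reads the server greeting and reports whether
the banner discloses a software version. Read-only: besides the TCP
handshake it only sends a QUIT.
]]

author = "example author"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"

-- "safe" and "discovery" only. The script is deliberately NOT in the
-- "default" category, so -sC will not run it; it runs only when selected
-- explicitly with --script.
categories = {"safe", "discovery"}

-- Match port 21/tcp, or any port Nmap's service detection labelled "ftp".
portrule = shortport.port_or_service(21, "ftp")

action = function(host, port)
  local socket = nmap.new_socket()
  socket:set_timeout(5000)                 -- milliseconds

  local status, err = socket:connect(host, port)
  if not status then
    stdnse.debug1("connect to %s:%d failed: %s", host.ip, port.number, err)
    return nil                             -- no output line for this port
  end

  -- FTP servers speak first: a "220 ..." greeting, possibly multi-line.
  local ok, banner = socket:receive_lines(1)
  socket:send("QUIT\r\n")
  socket:close()
  if not ok or not banner then
    return nil
  end

  -- Structured output renders as "|   banner: ..." / "|_  version_disclosed: ..."
  -- in normal output and as <elem> entries in -oX XML.
  local out = stdnse.output_table()
  out.banner = banner:match("^[^\r\n]*")                  -- first line only
  -- Crude heuristic: a dotted number such as "3.0.3" in the greeting.
  out.version_disclosed = banner:match("%d+%.%d+[%.%d]*") ~= nil
  return out
end
```

A greeting that reports version_disclosed: true is a hint to review the server's banner configuration, since version strings make a host easier to fingerprint.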