Book Image

Mastering the Nmap Scripting Engine

By : Paulino Calderon
Book Image

Mastering the Nmap Scripting Engine

By: Paulino Calderon

Overview of this book

Related Content you might be interested in

Current Title:

Small book image
Mastering the Nmap Scripting Engine
Paulino Calderon
Feb, 2015 | 244 pages
No titles found
Table of Contents (23 chapters)
Mastering the Nmap Scripting Engine
Mastering the Nmap Scripting Engine
Credits
Credits
About the Author
About the Author
Acknowledgments
Acknowledgments
About the Reviewers
About the Reviewers
www.PacktPub.com
www.PacktPub.com
Preface
Preface
Free Chapter
1
Introduction to the Nmap Scripting Engine
Introduction to the Nmap Scripting Engine
Installing Nmap
Running NSE scripts
Script categories
Scan phases and NSE
Applications of NSE scripts
Setting up a development environment
Adding new scripts
Summary
2
Lua Fundamentals
Lua Fundamentals
Quick notes about Lua
Flow control structures
Data types
String handling
Common data structures
I/O operations
Coroutines
Metatables and metamethods
Summary
3
NSE Data Files
NSE Data Files
Locating your data directory
Data directory search order
Username and password lists used in brute-force attacks
Web application auditing data files
DBMS-auditing data files
Java Debug Wire Protocol data files
Other NSE data files
Other Nmap data files
Summary
4
Exploring the Nmap Scripting Engine API and Libraries
Exploring the Nmap Scripting Engine API and Libraries
Understanding the structure of an NSE script
Exploring environment variables
Accessing the Nmap API
The NSE registry
Writing NSE libraries
Exploring other popular NSE libraries
Summary
5
Enhancing Version Detection
Enhancing Version Detection
Understanding version detection mode in NSE
Writing your own version detection scripts
Examples of version detection scripts
Summary
6
Developing Brute-force Password-auditing Scripts
Developing Brute-force Password-auditing Scripts
Working with the brute NSE library
Reading usernames and password lists with the unpwdb NSE library
Managing user credentials found during scans
Writing an NSE script to launch password-auditing attacks against the MikroTik RouterOS API
Summary
7
Formatting the Script Output
Formatting the Script Output
Output formats and Nmap Scripting Engine
XML structured output
Printing verbosity messages
Including debugging information
The weakness of the grepable format
NSE script output in the HTML report
Summary
8
Working with Network Sockets and Binary Data
Working with Network Sockets and Binary Data
Working with NSE sockets
Understanding advanced network I/O
Manipulating raw packets
Raw packet handling and NSE sockets
Summary
9
Parallelism
Parallelism
Parallelism options in Nmap
Parallelism mechanisms in Lua
Parallelism mechanisms in NSE
Consuming TCP connections with NSE
Summary
10
Vulnerability Detection and Exploitation
Vulnerability Detection and Exploitation
Vulnerability scanning
Reporting vulnerabilities
Summary
Scan Phases
Scan Phases
NSE Script Template
NSE Script Template
Other templates online
Script Categories
Script Categories
Nmap Options Mind Map
Nmap Options Mind Map
References
References
Index
Index

Running NSE scripts

NSE was designed with flexibility in mind, and supports several features to control the execution of NSE scripts. In this chapter, we will learn not only that NSE scripts can be executed during different scan phases but also that they can be selected with a high level of granularity, depending on host conditions. In combination with robust libraries and plenty of configuration options, NSE offers a level of flexibility that is hard to match in other tools and frameworks.

We can begin testing NSE against the host, scanme.nmap.org. This server is managed by the Nmap project and allows users to scan it as long as the scans are not too intrusive. Let's begin by running a scan with version detection and NSE enabled against our test target—scanme.nmap.org:

#nmap –sV –sC -O scanme.nmap.org

You should see something similar to this:

The previous command ran a SYN scan with OS detection (-O), service detection (-sV), and most importantly with NSE on (-sC). The -sC option enables the NSE and runs any script in the default category. This set of scripts is considered safe as it won't perform any operations that could interfere with a service running on the target host. However, note that some of the scripts perform actions that can raise alarms in intrusion detection systems (IDS) and intrusion prevention systems (IPS).

Note

An unprivileged scan can't access raw sockets, which generally results in a slower scan. However, the SYN scan is the default type of scan executed when Nmap runs in privileged mode.

The safe category contains scripts such as these:

  • banner: This prints the response of a TCP connection to an open port

  • broadcast-ping: This discovers hosts with broadcast pings

  • dns-recursion: This detects DNS servers that allow recursion that may be used in DNS amplification attacks

  • upnp-info: This extracts information from the upnp service

  • firewalk: This attempts to discover firewalls using an IP TTL expiration technique

The previously mentioned scripts are only a few compared to the current total of almost 500. That's a whole lot more of information that can be collected by simply using NSE.

Previous Section
End of Section 3
Next Section