The collection of NSE scripts is divided into the following categories:
Nmap supports the --script option for script selection. This option can take a script name, an NSE category, a path to an NSE file, a folder containing scripts, or even an expression. Expressions allow a great deal of flexibility when selecting scripts, as we will see in the following sections.
You can execute scripts by their name using the --script Nmap option. Execute several scripts at once by separating them with a comma:
nmap --script http-title <target>
nmap -p80 --script http-huawei-hg5xx-vuln <target>
nmap --script http-title,http-methods <target>
The following output comes from the http-huawei-hg5xx-vuln script. This script exploits a remote vulnerability in Huawei devices to retrieve sensitive information, including the PPPoE credentials and the wireless security configuration:
PORT   STATE SERVICE VERSION
80/tcp open  http    Huawei aDSL modem EchoLife HG530 (V100R001B122gTelmex) 4.07 -- UPnP/1.0 (ZyXEL ZyWALL 2)
| http-huawei-hg5xx-vuln:
|   VULNERABLE:
|   Remote credential and information disclosure in modems Huawei HG5XX
|     State: VULNERABLE (Exploitable)
|     Description:
|       Modems Huawei 530x, 520x and possibly others are vulnerable to remote credential and information disclosure.
|       Attackers can query the URIs "/Listadeparametros.html" and "/wanfun.js" to extract sensitive information
|       including PPPoE credentials, firmware version, model, gateway, dns servers and active connections among other values
|     Disclosure date: 2011-01-1
|     Extra information:
|
|   Model:EchoLife HG530
|   Firmware version:V100R001B122gTelmex
|   External IP:xxx.xxx.xx.xxx
|   Gateway IP:xxx.xx.xxx.xxx
|   DNS 1:200.33.146.249
|   DNS 2:200.33.146.241
|   Network segment:192.168.1.0
|   Active ethernet connections:0
|   Active wireless connections:3
|   BSSID:0xdeadbeefcafe
|   Wireless Encryption (Boolean):1
|   PPPoE username:xxx
|   PPPoE password:xxx
|     References:
|       http://routerpwn.com/#huawei
|_      http://websec.ca/advisories/view/Huawei-HG520c-3.10.18.x-information-disclosure
To select a whole category, simply use the name of the category (see the Script categories section) as the argument. For example, to run the exploit category, use the following command:
nmap --script exploit <target>
You can also run several categories by separating them with a comma:
nmap --script discovery,intrusive <target>
To execute an NSE script file, use this command:
nmap --script /path/to/script.nse <target>
As with categories, you can execute several scripts by separating the paths with a comma:
nmap --script /path/to/script.nse,/another/path/script2.nse <target>
To execute all the scripts contained in a folder, you only need to pass the folder name as an argument:
nmap --script /path/to/folder/ <target>
nmap --script /custom-nse-scripts/ scanme.nmap.org
Tip
Keep in mind that the --script option accepts relative and absolute paths to scripts and folders. Besides the current directory, relative paths are also searched for in the following directories:
--datadir
$NMAPDIR
~/.nmap
%HOMEPATH%\AppData\Roaming\nmap
The directory containing nmap
The directory containing nmap, followed by this relative path: ../share/nmap
NMAPDATADIR
Expressions are used to describe a set of scripts. Let's go through the different scenarios where we can take advantage of script selection with expressions:
For example, the not exploit expression will match any script that does not belong to the exploit category:
# nmap -sV --script "not exploit" <target>
The or and and operators allow us to construct more complex expressions. The following expression will match any script that is not in the intrusive, dos, or exploit categories:
# nmap --script "not(intrusive or dos or exploit)" -sV <target>
If we would like to execute all scripts in the broadcast and discovery categories, we use this:
# nmap --script "broadcast and discovery" <target>
When selecting scripts, you can also use the wildcard character, *:
# nmap --script "snmp-*" <target>
Of course, we can combine wildcards and expressions. For example, let's run all the scripts whose names begin with http-, but exclude the http-slowloris, http-brute, http-form-fuzzer, and http-enum scripts:
# nmap --script "http-* and not(http-slowloris or http-brute or http-enum or http-form-fuzzer)" <target>
We can also combine wildcard selection with expressions when selecting categories. The next command executes all scripts whose names begin with http- that are not listed in the exploit category:
# nmap --script "http-* and not(exploit)" <target>
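To make the expression semantics concrete, here is an added model (example code, not Nmap's own implementation) of how a --script expression picks scripts out of a catalog: a bare term matches a category name or globs the script name, and not, and, or combine as in the commands above. The catalog and its categories are constructed for the example, and category matching is assumed to be case-insensitive.

```python
from fnmatch import fnmatchcase

# Constructed catalog (script name -> categories); real Nmap reads these from script.db.
CATALOG = {
    "http-title": {"default", "discovery", "safe"},
    "http-slowloris": {"dos", "intrusive"},
    "http-brute": {"brute", "intrusive"},
    "http-enum": {"discovery", "intrusive", "vuln"},
    "http-form-fuzzer": {"fuzzer", "intrusive"},
    "http-huawei-hg5xx-vuln": {"exploit", "vuln"},
    "snmp-info": {"default", "discovery", "safe"},
}

def _evaluate(tokens, name, cats):
    # Recursive descent, precedence: not binds tightest, then and, then or.
    p = [0]  # cursor into tokens (a list so the nested functions can advance it)
    def chain(op, operand, combine):  # left-assoc: operand (op operand)*
        v = operand()
        while tokens[p[0]] == op:
            p[0] += 1
            v = combine(v, operand())
        return v
    def expr():
        return chain("or", term, lambda a, b: a or b)
    def term():
        return chain("and", factor, lambda a, b: a and b)
    def factor():
        tok = tokens[p[0]]
        p[0] += 1
        if tok == "not":
            return not factor()
        if tok == "(":
            v = expr()
            if tokens[p[0]] != ")":
                raise ValueError("expected ')' in script expression")
            p[0] += 1
            return v
        if tok in (None, ")", "and", "or"):
            raise ValueError("malformed script expression")
        t = tok.lower()  # a bare term names a category or globs the script name
        return t in cats or fnmatchcase(name, t)
    v = expr()
    if tokens[p[0]] is not None:
        raise ValueError("trailing tokens in script expression")
    return v

def select(expression, catalog=CATALOG):
    # Sorted script names that --script EXPRESSION selects; "not(dos" splits into not ( dos.
    tokens = expression.replace("(", " ( ").replace(")", " ) ").split() + [None]
    return sorted(n for n, c in catalog.items() if _evaluate(tokens, n, c))
```

Feeding the expressions from this section through select() shows exactly which catalog entries each one keeps, which is a cheap way to sanity-check a long exclusion list before running a scan.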
The --script-args Nmap option is used to set arguments for NSE scripts. For example, if you would like to set the http library argument useragent, you can use this expression:
$ nmap -sV --script http-title --script-args http.useragent="Mozilla 1337" <target>
Not a lot of Nmap users know this, but you can also omit the script name when setting arguments:
$ nmap -p80 --script http-trace --script-args path <target>
You can use the preceding expression instead of this one:
$ nmap -p80 --script http-trace --script-args http-trace.path <target>
If you are working with scripts that share argument names, you must avoid name conflicts manually by qualifying the argument with the script name, as in any of these forms:
$ nmap --script http-majordomo2-dir-traversal,http-axis2-dir-traversal --script-args http-axis2-dir-traversal.uri=/axis2/,uri=/majordomo/ <target>
$ nmap --script http-majordomo2-dir-traversal,http-axis2-dir-traversal --script-args uri=/axis2/,http-majordomo2-dir-traversal.uri=/majordomo/ <target>
$ nmap --script http-majordomo2-dir-traversal,http-axis2-dir-traversal --script-args http-axis2-dir-traversal.uri=/axis2/,http-majordomo2-dir-traversal.uri=/majordomo/ <target>
Note
The alias in script arguments will only work if the NSE script uses the stdnse.get_script_args() function to load the arguments (refer to Chapter 4, Exploring the Nmap Scripting Engine API and Libraries). You are encouraged to always use this function, but there are a few scripts that were submitted before the function was introduced.
If you are planning to run several scans, it is probably a good idea to write down your script arguments in a file to save some typing. NSE supports loading NSE arguments from an absolute or relative path with the --script-args-file option. The arguments contained in the file must be separated by commas or new lines:
nmap --script "discovery,broadcast" --script-args-file nmap-args.txt <target>
The contents of the nmap-args.txt file are as follows:
http.useragent=Not Nmap
http.max-connections=50
userdb=/path/to/usernames.lst
passdb=/path/to/dictionary.lst
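The key=value syntax shared by --script-args and --script-args-file, and the qualified-name lookup that the note above attributes to stdnse.get_script_args(), modelled in added example code (not Nmap's Lua). The model assumes the lookup order script-qualified key first, then the bare alias; bare flags without "=" and nested Lua-table values are not modelled.

```python
import re

# One key=value item; the value is either double-quoted or runs to the next comma or
# newline. --script-args and --script-args-file share this syntax. Bare flags without
# "=" and nested Lua-table values are not modelled here (assumption of this example).
_ITEM = re.compile(r'([^\s,=]+)\s*=\s*(?:"([^"]*)"|([^,\n]*))')

def parse_script_args(text):
    # Return {key: value} for a --script-args string or the body of an args file.
    args = {}
    for m in _ITEM.finditer(text):
        key, quoted, bare = m.groups()
        args[key] = quoted if quoted is not None else bare.strip()
    return args

def resolve(args, prefix, name):
    # Model of stdnse.get_script_args(prefix .. "." .. name): the key qualified with
    # the script (or library) name wins; otherwise the unqualified alias is used.
    return args.get("%s.%s" % (prefix, name), args.get(name))

if __name__ == "__main__":
    # Constructed example reproducing the name clash from the text above.
    shared = parse_script_args("uri=/axis2/")
    qualified = parse_script_args(
        "http-axis2-dir-traversal.uri=/axis2/,uri=/majordomo/")
    for script in ("http-axis2-dir-traversal", "http-majordomo2-dir-traversal"):
        print(script, "shared:", resolve(shared, script, "uri"),
              "qualified:", resolve(qualified, script, "uri"))
```

With only the bare uri=/axis2/ both scripts receive the same value, which is the conflict the text warns about; qualifying one of the keys gives each script its own path.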
Nmap can force the execution of an NSE script, even when the script's own rule would not select the target, by prepending + to the script name:
$ nmap --script +<script selection> <arg1, arg2, …>
Let's say we want to force the execution of the http-title NSE script against the service running on port 1212:
$ nmap --script +http-title -p1212 192.168.1.210
Without the + sign, the script would not run against this port, but since we added it, the report comes back with the following:
Nmap scan report for 192.168.1.210
Host is up (0.00026s latency).
PORT     STATE SERVICE
1212/tcp open  lupa
|_http-title: W00t!
If you need to analyze the traffic sent and received by NSE, use the --script-trace option. For example, if you would like to see the payloads sent by the NSE scripts in the exploit category, you can use this expression:
# nmap --script exploit --script-trace <target>
You can also turn on the debugging mode of Nmap with the -d[1-9] flag. This flag can be followed by an integer that denotes the debugging level and should be between 1 and 9. The higher the level, the more verbose the output:
# nmap -sV --script exploit -d3 <target>
The --packet-trace option includes all the packets sent and received, not only the traffic generated by NSE:
# nmap -O --script myscript.nse --packet-trace <target>