Nmap 6: Network Exploration and Security Auditing Cookbook

Overview of this book

Nmap is a well-known security tool used by penetration testers and system administrators. The Nmap Scripting Engine (NSE) has added the possibility to perform additional tasks using the collected host information, such as advanced fingerprinting and service discovery, information gathering, and detection of security vulnerabilities. "Nmap 6: Network Exploration and Security Auditing Cookbook" will help you master Nmap and its scripting engine. You will learn how to use this tool to do a wide variety of practical tasks for pentesting and network monitoring. Finally, after harnessing the power of NSE, you will also learn how to write your own NSE scripts. "Nmap 6: Network Exploration and Security Auditing Cookbook" is a book full of practical knowledge for every security consultant, administrator or enthusiast looking to master Nmap. The book overviews the most important port scanning and host discovery techniques supported by Nmap. You will learn how to detect misconfigurations in web, mail and database servers and also how to implement your own monitoring system. The book also covers tasks for reporting, scanning numerous hosts, vulnerability detection and exploitation, and its strongest aspect: information gathering.

Running NSE scripts


NSE scripts are very powerful and have become one of Nmap's main strengths, performing tasks from advanced version detection to vulnerability exploitation.

The following recipe describes how to run NSE scripts, and the different options available for this engine.

How to do it...

To include the title of the index document of a web server in your scan results, open your terminal and type the following command:

$ nmap -sV --script http-title scanme.nmap.org 

How it works...

The argument --script sets which NSE scripts should be run with the scan. In this case, when the service scan detects the web server, a parallel thread is initialized for the selected NSE script.

There are more than 230 scripts available, which perform a wide variety of tasks. The NSE script http-title returns the title of the root document if a web server is detected.

There's more...

You can run multiple scripts at once:

$ nmap --script http-headers,http-title scanme.nmap.org
Nmap scan report for scanme.nmap.org (74.207.244.221) 
Host is up (0.096s latency). 
Not shown: 995 closed ports 
PORT     STATE    SERVICE 
22/tcp   open     ssh 
25/tcp   filtered smtp 
80/tcp   open     http 
| http-headers: 
|   Date: Mon, 24 Oct 2011 07:12:09 GMT 
|   Server: Apache/2.2.14 (Ubuntu) 
|   Accept-Ranges: bytes 
|   Vary: Accept-Encoding 
|   Connection: close 
|   Content-Type: text/html 
|   
|_  (Request type: HEAD) 
|_http-title: Go ahead and ScanMe! 
646/tcp  filtered ldp 
9929/tcp open     nping-echo 

Additionally, NSE scripts can be selected by category, expression, or folder:

  • Run all the scripts in the vuln category:

    $ nmap -sV --script vuln <target>
    
  • Run the scripts in the categories version or discovery:

    $ nmap -sV --script="version,discovery" <target>
    
  • Run all the scripts except for the ones in the exploit category:

    $ nmap -sV --script "not exploit" <target>
    
  • Run all HTTP scripts except http-brute and http-slowloris:

    $ nmap -sV --script "(http-*) and not(http-slowloris or http-brute)" <target>
    

To debug scripts, use --script-trace. This enables a stack trace of the executed script to help you debug the session. Remember that sometimes you may also need to increase the debugging level with the flag -d[1-9] to get to the bottom of the problem:

$ nmap -sV --script exploit -d3 --script-trace 192.168.1.1

NSE script arguments

The flag --script-args is used to set arguments of NSE scripts. For example, if you would like to set the HTTP library argument useragent, you would use:

$ nmap -sV --script http-title --script-args http.useragent="Mozilla 999" <target>

You can also use aliases when setting the arguments for NSE scripts. For example, you could use:

$ nmap -p80 --script http-trace --script-args path <target>

instead of:

$ nmap -p80 --script http-trace --script-args http-trace.path <target>  

Adding new scripts

To test new scripts, you simply need to copy them to your /scripts directory and run the following command to update the script database:

# nmap --script-updatedb
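As an added example that is not from the book, a minimal NSE script (the name example-title.nse is hypothetical) showing how the script argument lookup works, including the short alias form described above, together with the category tags that --script selects on; it assumes only the http, shortport and stdnse libraries that ship with Nmap:

```lua
-- example-title.nse (hypothetical name): added example, not part of the book or of Nmap.
local http = require "http"
local shortport = require "shortport"
local stdnse = require "stdnse"

description = [[
Requests one path from a web server and reports the HTTP status code and
the page title. Written to illustrate NSE script arguments and categories.
]]

---
-- @usage
-- nmap -p80 --script example-title --script-args path=/index.html <target>
--
-- @args example-title.path Path to request (default: /). The short alias
--       "path" also works: stdnse.get_script_args tries the scoped name
--       first and then falls back to the unscoped one.
--
-- @output
-- | example-title:
-- |   path: /index.html
-- |   status: 200
-- |_  title: Go ahead and ScanMe!

author = "Example author"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
-- Selected by --script discovery, --script safe, or --script example-title.
categories = {"discovery", "safe"}

-- Run only against ports that look like HTTP (the same rule http-title uses).
portrule = shortport.http

action = function(host, port)
  -- SCRIPT_NAME is set by NSE, so the scoped argument is "example-title.path".
  local path = stdnse.get_script_args(SCRIPT_NAME .. ".path") or "/"

  local response = http.get(host, port, path)
  if not response or not response.status then
    -- Returning nil produces no output; use -d3 --script-trace to see why.
    return nil
  end

  local out = stdnse.output_table()   -- keeps keys in insertion order
  out.path = path
  out.status = response.status
  if response.body then
    out.title = response.body:match("<[Tt][Ii][Tt][Ll][Ee][^>]*>%s*(.-)%s*</[Tt][Ii][Tt][Ll][Ee]>")
  end
  return out
end
```

Copy the file into Nmap's scripts directory and run nmap --script-updatedb so that the category tags and the script name become selectable with --script.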

NSE script categories

  • auth: This category is for scripts related to user authentication.

  • broadcast: This is a very interesting category of scripts that use broadcast requests to gather information.

  • brute: This category is for scripts that help conduct brute-force password auditing.

  • default: This category is for scripts that are executed when a script scan (-sC) is requested.

  • discovery: This category is for scripts related to host and service discovery.

  • dos: This category is for scripts related to denial of service attacks.

  • exploit: This category is for scripts that exploit security vulnerabilities.

  • external: This category is for scripts that depend on a third-party service.

  • fuzzer: This category is for NSE scripts that are focused on fuzzing.

  • intrusive: This category is for scripts that might crash something or generate a lot of network noise. Scripts that system administrators may consider intrusive belong to this category.

  • malware: This category is for scripts related to malware detection.

  • safe: This category is for scripts that are considered safe in all situations.

  • version: This category is for scripts that are used for advanced version detection.

  • vuln: This category is for scripts related to security vulnerabilities.

See also

  • The Managing different scanning profiles with Zenmap recipe

  • The Monitoring servers remotely with Nmap and Ndiff recipe

  • The Fingerprinting services of a remote host recipe

  • The Finding live hosts in your network recipe

  • The Gathering network information with broadcast scripts recipe in Chapter 2, Network Exploration

  • The Collecting valid e-mail accounts recipe in Chapter 3, Gathering Additional Host Information

  • The Discovering hostnames pointing to the same IP recipe in Chapter 3, Gathering Additional Host Information

  • The Brute forcing DNS records recipe in Chapter 3, Gathering Additional Host Information