Book Image

Mastering the Nmap Scripting Engine

By : Paulino Calderon
Book Image

Mastering the Nmap Scripting Engine

By: Paulino Calderon

Overview of this book

Related Content you might be interested in

Current Title:

Small book image
Mastering the Nmap Scripting Engine
Paulino Calderon
Feb, 2015 | 244 pages
No titles found
Table of Contents (23 chapters)
Mastering the Nmap Scripting Engine
Mastering the Nmap Scripting Engine
Credits
Credits
About the Author
About the Author
Acknowledgments
Acknowledgments
About the Reviewers
About the Reviewers
www.PacktPub.com
www.PacktPub.com
Preface
Preface
Free Chapter
1
Introduction to the Nmap Scripting Engine
Introduction to the Nmap Scripting Engine
Installing Nmap
Running NSE scripts
Script categories
Scan phases and NSE
Applications of NSE scripts
Setting up a development environment
Adding new scripts
Summary
2
Lua Fundamentals
Lua Fundamentals
Quick notes about Lua
Flow control structures
Data types
String handling
Common data structures
I/O operations
Coroutines
Metatables and metamethods
Summary
3
NSE Data Files
NSE Data Files
Locating your data directory
Data directory search order
Username and password lists used in brute-force attacks
Web application auditing data files
DBMS-auditing data files
Java Debug Wire Protocol data files
Other NSE data files
Other Nmap data files
Summary
4
Exploring the Nmap Scripting Engine API and Libraries
Exploring the Nmap Scripting Engine API and Libraries
Understanding the structure of an NSE script
Exploring environment variables
Accessing the Nmap API
The NSE registry
Writing NSE libraries
Exploring other popular NSE libraries
Summary
5
Enhancing Version Detection
Enhancing Version Detection
Understanding version detection mode in NSE
Writing your own version detection scripts
Examples of version detection scripts
Summary
6
Developing Brute-force Password-auditing Scripts
Developing Brute-force Password-auditing Scripts
Working with the brute NSE library
Reading usernames and password lists with the unpwdb NSE library
Managing user credentials found during scans
Writing an NSE script to launch password-auditing attacks against the MikroTik RouterOS API
Summary
7
Formatting the Script Output
Formatting the Script Output
Output formats and Nmap Scripting Engine
XML structured output
Printing verbosity messages
Including debugging information
The weakness of the grepable format
NSE script output in the HTML report
Summary
8
Working with Network Sockets and Binary Data
Working with Network Sockets and Binary Data
Working with NSE sockets
Understanding advanced network I/O
Manipulating raw packets
Raw packet handling and NSE sockets
Summary
9
Parallelism
Parallelism
Parallelism options in Nmap
Parallelism mechanisms in Lua
Parallelism mechanisms in NSE
Consuming TCP connections with NSE
Summary
10
Vulnerability Detection and Exploitation
Vulnerability Detection and Exploitation
Vulnerability scanning
Reporting vulnerabilities
Summary
Scan Phases
Scan Phases
NSE Script Template
NSE Script Template
Other templates online
Script Categories
Script Categories
Nmap Options Mind Map
Nmap Options Mind Map
References
References
Index
Index

Scan phases and NSE

Nmap scans are divided into several phases but NSE is only involved in three of them: pre-scanning, script scanning, and post-scanning. The execution rule defined by a function in the NSE script determines whether it runs in any of those phases.

Note

To learn more about the phases of Nmap scans, check out Appendix A, Scan Phases.

NSE script rules

NSE scripts can have one of four different types of execution rule:

  • prerule

  • postrule

  • portrule

  • hostrule

Let's review some examples of these different script rules. This will also help you learn to debug scripts for those times when you run into problems:

  • prerule(): The following is a snippet from the targets-sniffer.nse NSE script. It illustrates how we can use a prerule function to check whether Nmap is running in privileged mode and whether it can determine the network interface correctly:

    prerule = function()
  return nmap.is_privileged() and 
    (stdnse.get_script_args("targets-sniffer.iface") or nmap.get_interface())

  • postrule(): The ssh-hostkey script uses a postrule function to detect hosts that share the same SSH public keys:

    postrule = function() return (nmap.registry.sshhostkey ~= nil) end

  • portrule(host, port): The following is a snippet of the portrule function of the jdwp-inject script. This portrule function will match a service detection string and specific port protocol and state:

    portrule = function(host, port)
        -- JDWP will close the port if there is no valid handshake within 2
        -- seconds, Service detection's NULL probe detects it as tcpwrapped.
        return port.service == "tcpwrapped"
               and port.protocol == "tcp" and port.state == "open"
               and not(shortport.port_is_excluded(port.number,port.protocol))
end

  • hostrule(): The sniffer-detect script's host rule determines that the script will only execute with local Ethernet hosts:

    hostrule = function(host)
        if nmap.address_family() ~= 'inet' then
                stdnse.print_debug("%s is IPv4 compatible only.", SCRIPT_NAME)
                return false
        end
        if host.directly_connected == true and
          host.mac_addr ~= nil and
          host.mac_addr_src ~= nil and
          host.interface ~= nil then
                local iface = nmap.get_interface_info(host.interface)
                if iface and iface.link == 'ethernet' then
                      return true
                end
        end
        return false
end
Previous Section
End of Section 5
Next Section