Nmap 6:Network exploration and security auditing Cookbook

Running NSE scripts

NSE scripts are very powerful and have become one of Nmap's main strengths, performing tasks from advanced version detection to vulnerability exploitation.

The following recipe describes how to run NSE scripts, and the different options available for this engine.

How to do it...

To include the title of the index document of a web server in your scan results, open your terminal and type the following command:

$ nmap -sV --script http-title scanme.nmap.org 

How it works...

The argument --script sets which NSE scripts should be run with the scan. In this case, when the service scan detects the web server, a parallel thread is initialized for the selected NSE script.

There are more than 230 scripts available, which perform a wide variety of tasks. The NSE script http-title returns the title of the root document if a web server is detected.

There's more...

You can run multiple scripts at once:

$ nmap --script http-headers,http-title scanme.nmap.org
Nmap scan report for scanme.nmap.org (74.207.244.221) 
Host is up (0.096s latency). 
Not shown: 995 closed ports 
PORT STATE SERVICE 
22/tcp open ssh 
25/tcp filtered smtp 
80/tcp open http 
| http-headers: 
| Date: Mon, 24 Oct 2011 07:12:09 GMT 
| Server: Apache/2.2.14 (Ubuntu) 
| Accept-Ranges: bytes 
| Vary: Accept-Encoding 
| Connection: close 
| Content-Type: text/html 
| 
|_ (Request type: HEAD) 
|_http-title: Go ahead and ScanMe! 
646/tcp filtered ldp 
9929/tcp open nping-echo 
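When several scripts run at once, each port carries its own block of script results in the normal output above: "| name:" opens a multi-line block, "|_" marks its last line, and a one-line result appears as "|_name: value". The following parser, added here as an example (it is not from the book or the Nmap project), is written in plain Lua, the language NSE scripts are written in, and turns that layout into a table keyed by port so the results of many scripts can be handled as data. The only input is the scanme.nmap.org output reproduced from the recipe above.

```lua
-- Added example (not from the book or the Nmap project): a small parser
-- for the Nmap "normal" output format, in plain Lua 5.1+ with no
-- dependencies. It groups per-port NSE script results under the port
-- they belong to.

local function rtrim(s)
  return (s:gsub("%s+$", ""))
end

-- Returns a table keyed by "port/proto"; each entry holds the state,
-- the service name and a table script_name -> { line, line, ... }.
local function parse_nmap_normal(text)
  local ports = {}
  local current_port, current_script
  for raw in (text .. "\n"):gmatch("([^\n]*)\n") do
    local line = rtrim(raw)
    local num, proto, state, service =
      line:match("^(%d+)/(%a+)%s+(%a+)%s+(%S+)")
    if num then
      -- A port line such as "80/tcp open http"
      current_port = num .. "/" .. proto
      ports[current_port] = { state = state, service = service, scripts = {} }
      current_script = nil
    elseif current_port and line:sub(1, 1) == "|" then
      -- "| name: ..." opens a block; "|_..." is the last line of a block
      -- (or a complete one-line result such as "|_http-title: ...").
      local last = line:sub(2, 2) == "_"
      local body = line:sub(last and 3 or 2):gsub("^ ", "")
      local scripts = ports[current_port].scripts
      if current_script then
        if body ~= "" then
          table.insert(scripts[current_script], body)
        end
        if last then current_script = nil end
      else
        local name, rest = body:match("^([%w%-]+):%s*(.*)$")
        if name then
          scripts[name] = {}
          if rest ~= "" then table.insert(scripts[name], rest) end
          if not last then current_script = name end
        end
      end
    end
  end
  return ports
end

-- Sample input: the scanme.nmap.org output reproduced from the recipe.
local sample = [[
Nmap scan report for scanme.nmap.org (74.207.244.221)
Host is up (0.096s latency).
Not shown: 995 closed ports
PORT STATE SERVICE
22/tcp open ssh
25/tcp filtered smtp
80/tcp open http
| http-headers:
| Date: Mon, 24 Oct 2011 07:12:09 GMT
| Server: Apache/2.2.14 (Ubuntu)
| Accept-Ranges: bytes
| Vary: Accept-Encoding
| Connection: close
| Content-Type: text/html
|
|_ (Request type: HEAD)
|_http-title: Go ahead and ScanMe!
646/tcp filtered ldp
9929/tcp open nping-echo
]]

local ports = parse_nmap_normal(sample)
assert(ports["80/tcp"].scripts["http-title"][1] == "Go ahead and ScanMe!")
assert(ports["80/tcp"].scripts["http-headers"][2] == "Server: Apache/2.2.14 (Ubuntu)")
assert(ports["22/tcp"].scripts["http-title"] == nil)

for port, info in pairs(ports) do
  for name, lines in pairs(info.scripts) do
    print(port, info.service, name, table.concat(lines, " / "))
  end
end
```

Run it with any Lua interpreter (lua parser.lua); it prints one line per port and script. The normal output is meant to be read by people, so for anything beyond a quick check parse Nmap's XML output (-oX) instead, which is the stable machine-readable format.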

Additionally, NSE scripts can be selected by category, expression, or folder:

  • Run all the scripts in the vuln category:
    $ nmap -sV --script vuln <target>

  • Run the scripts in the categories version or discovery:
    $ nmap -sV --script="version,discovery" <target>

  • Run all the scripts except for the ones in the exploit category:
    $ nmap -sV --script "not exploit" <target>

  • Run all HTTP scripts except http-brute and http-slowloris:
    $ nmap -sV --script "(http-*) and not(http-slowloris or http-brute)" <target>

To debug scripts, use --script-trace. This enables a stack trace of the executed script to help you debug the session. Remember that sometimes you may need to increase the debugging level with the flag -d[1-9] to get to the bottom of the problem:

$ nmap -sV --script exploit -d3 --script-trace 192.168.1.1

NSE script arguments

The flag --script-args is used to pass arguments to NSE scripts. For example, if you would like to set the HTTP library argument useragent, you would use:

$ nmap -sV --script http-title --script-args http.useragent="Mozilla 999" <target>

You can also use aliases when setting the arguments for NSE scripts. For example, you could use

$ nmap -p80 --script http-trace --script-args path <target>

instead of:

$ nmap -p80 --script http-trace --script-args http-trace.path <target> 

Adding new scripts

To test new scripts, you simply need to copy them to the scripts directory of your Nmap installation and run the following command to update the script database:

# nmap --script-update-db
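The two previous points, reading a script argument through its short alias and dropping a new script into the scripts directory, are easiest to see in a complete script. The one below is added here as an example and is not from the book or the Nmap distribution; the script name http-server-banner, its argument path and the author string are assumed for the illustration, while the http, shortport and stdnse libraries are Nmap's own. It requests one path on a detected web server and reports the status code and Server header, the same kind of task http-title performs.

```lua
-- http-server-banner.nse (hypothetical name; added example, not part of Nmap)
local http = require "http"
local shortport = require "shortport"
local stdnse = require "stdnse"

description = [[
Requests a path on an HTTP server and reports the status code and the
Server header. The path is read from the script argument
http-server-banner.path (short alias: path).
]]

---
-- @usage
-- nmap -p80 --script http-server-banner --script-args path=/robots.txt <target>
--
-- @args http-server-banner.path Path to request (default: /)

author = "Example author"  -- placeholder
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"

-- Categories decide which --script selections pick this script up:
-- "--script safe" or "--script discovery" both include it.
categories = {"discovery", "safe"}

-- Run only against ports that look like HTTP; shortport.http also
-- matches ports identified as http by version detection (-sV).
portrule = shortport.http

action = function(host, port)
  -- get_script_args looks up "http-server-banner.path" first and then
  -- falls back to the part after the dot, which is why the short alias
  -- "path" on the command line also works.
  local path = stdnse.get_script_args(SCRIPT_NAME .. ".path") or "/"

  local response = http.get(host, port, path)
  if not response or not response.status then
    -- Shown only when the debugging level is raised with -d1 or higher.
    stdnse.debug1("no HTTP response for %s", path)
    return nil
  end

  -- output_table keeps the fields in insertion order in the report.
  local output = stdnse.output_table()
  output.path = path
  output.status = response.status
  output.server = (response.header and response.header["server"]) or "not disclosed"
  return output
end
```

Save it as http-server-banner.nse in the scripts directory, run nmap --script-update-db so the database learns its name and categories, and then invoke it as in the @usage line. Because it is tagged safe, it is also a candidate for the -sC default scan only if you add it to the default category; as written it runs only when selected by name or by one of its two categories.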

NSE script categories

  • auth: This category is for scripts related to user authentication.
  • broadcast: This is a very interesting category of scripts that use broadcast requests to gather information.
  • brute: This category is for scripts that help conduct brute-force password auditing.
  • default: This category is for scripts that are executed when a script scan is executed (-sC).
  • discovery: This category is for scripts related to host and service discovery.
  • dos: This category is for scripts related to denial of service attacks.
  • exploit: This category is for scripts that exploit security vulnerabilities.
  • external: This category is for scripts that depend on a third-party service.
  • fuzzer: This category is for NSE scripts that are focused on fuzzing.
  • intrusive: This category is for scripts that might crash something or generate a lot of network noise. Scripts that system administrators may consider intrusive belong to this category.
  • malware: This category is for scripts related to malware detection.
  • safe: This category is for scripts that are considered safe in all situations.
  • version: This category is for scripts that are used for advanced version detection.
  • vuln: This category is for scripts related to security vulnerabilities.

See also

  • The Managing different scanning profiles with Zenmap recipe
  • The Monitoring servers remotely with Nmap and Ndiff recipe
  • The Fingerprinting services of a remote host recipe
  • The Finding live hosts in your network recipe
  • The Gathering network information with broadcast scripts recipe in Chapter 2, Network Exploration
  • The Collecting valid e-mail accounts recipe in Chapter 3, Gathering Additional Host Information
  • The Discovering hostnames pointing to the same IP recipe in Chapter 3, Gathering Additional Host Information
  • The Brute forcing DNS records recipe in Chapter 3, Gathering Additional Host Information