Nmap Script and Version Scan – POFTUT


Nmap provides script scanning, which gives it very flexible behaviour for gathering more information about and testing the target host. This feature is called the Nmap Scripting Engine (NSE). NSE lets users write their own test scripts; the programming language it supports is Lua. NSE also ships with some vulnerability detection scripts.

NSE groups scripts into categories to keep things tidy. These are the categories:

  • auth: authentication related scripts like x11-access, ftp-anon etc.
  • broadcast: scripts used to discover new targets that are not listed in the target parameter
  • brute: brute forcing scripts like http-brute, snmp-brute
  • default: common scripts run by a script scan
  • discovery: scripts that determine target information like html-title, snmp-sysdescr
  • dos: scripts used to test some Denial Of Service attacks
  • exploit: scripts that try to exploit some vulnerabilities
  • external: scripts that get information from third party databases like whois
  • fuzzer: scripts that fuzz some parts of the network packets
  • intrusive: scripts that are not safe because there is a risk of crashing the target
  • malware: scripts that check whether the target already has malware installed
  • safe: scripts that have no destructive effect on the target
  • version: scripts that determine versions, like -sV
  • vuln: scripts that check for specific known vulnerabilities like realvnc-auth-bypass

Now some hands-on work is needed to gain experience with NSE.

Enable Script Scan

To use the scripts of the different categories, script scanning must be enabled in nmap with -sC. By default this runs the default category scripts against the target.

$ nmap -sC localhost

List Of Available NSE Scripts

Now we want to use a specific script for our scan, but first we should list and get information about these scripts. Nmap has a web page where all scripts are listed.


https://nmap.org/nsedoc/


To get detailed information we click the mysql-info script as an example.


Here we can see that the mysql-info script is part of the default, discovery and safe categories, and there is a summary of the script and a sample of its usage.

These scripts can be found on the local system in the directory /usr/share/nmap/nselib/


Run Specific Script

By default the default category scripts are fired during an nmap scan, but if we want to run a specific script we can specify the script name or category name like below.

$ nmap -sC --script mysql-info localhost

As we see, only our specified script is fired.

Run Specific Category Script

We can run all the scripts in a category, in the same way as a single script, by providing the category name. Be aware that my system is a test system, so I can specify dangerous categories. In this example we run the auth category scripts.

$ nmap --script "auth" localhost

Exclude Script Category

While specifying script categories we can also exclude a category, like below.

$ nmap --script "not intrusive" localhost

Specify Multiple Categories

Multiple categories can be specified like below.

$ nmap --script "default or auth" localhost

Provide Script Arguments

Some scripts need arguments to work. Arguments can be provided like below.

$ nmap -p 3306 localhost --script mysql-audit --script-args "mysql-audit.username='root',\
mysql-audit.password='123456',mysql-audit.filename='nselib/data/mysql-cis.audit'"

Here we provide three arguments:

  • mysql-audit.username provides the username for the database
  • mysql-audit.password provides the password for the database
  • mysql-audit.filename is the path of the audit rule file for this script
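The categories listed earlier and the script arguments shown just above are both declared inside the script itself. The following is an added example NSE script, not code from the page or from the Nmap project; the script name port-banner-check and its argument port-banner-check.timeout are made up for illustration. It only reads the first line a service sends, so it belongs in the default, discovery and safe categories, and its @args block is what nmap --script-help would print for it.

```lua
-- Constructed example NSE script; save it as port-banner-check.nse
-- and run with: nmap --script ./port-banner-check.nse <target>
local nmap = require "nmap"
local shortport = require "shortport"
local stdnse = require "stdnse"

description = [[
Reports the first line a TCP service sends right after connection, so an
administrator can confirm which service banner a host exposes. The script
only reads; it never sends data, which is why it is marked safe.
]]

---
-- @usage
-- nmap -p 21,22,25 --script port-banner-check \
--   --script-args port-banner-check.timeout=3000 <target>
--
-- @args port-banner-check.timeout Milliseconds to wait for the banner
--       (default 5000).
--
-- @output
-- | port-banner-check:
-- |_  banner: SSH-2.0-OpenSSH_8.9

author = "example author"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
-- Category membership decides when --script "default", "discovery",
-- "safe" or "not intrusive" selects this script.
categories = {"default", "discovery", "safe"}

-- The portrule decides on which ports the action runs: open TCP ports
-- that usually greet the client with a banner.
portrule = shortport.portnumber({21, 22, 25, 110, 143}, "tcp", "open")

action = function(host, port)
  -- Read the argument as given via --script-args or --script-args-file;
  -- SCRIPT_NAME is set by NSE to the script's file name without .nse.
  local timeout = tonumber(stdnse.get_script_args(SCRIPT_NAME .. ".timeout")) or 5000

  local socket = nmap.new_socket()
  socket:set_timeout(timeout)
  local status = socket:connect(host, port)
  if not status then return nil end          -- stay silent on failure
  local ok, data = socket:receive_lines(1)   -- wait for at most one line
  socket:close()
  if not ok or not data then return nil end

  local out = stdnse.output_table()
  out.banner = data:match("^[^\r\n]*")       -- keep only the first line
  return out
end
```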

Provide Scripts Arguments From File

Script arguments can be provided from the terminal, but how can we provide them from a file, for example when we want to run nmap as a batch process? First we create a file that holds the arguments and their values. The file is named nmap-arg and looks like below.

mysql-audit.username='root' , mysql-audit.password='123456' , mysql-audit.filename='nselib/data/mysql-cis.audit'

Then the file is passed to nmap with --script-args-file.

$ nmap localhost --script-args-file ./nmap-arg

Get Script Help

We have looked at how to get information about scripts from the web above. But we may not always have access to the web page, or it may not be practical for us. Here we get help about an NSE script from the command line.

$ nmap --script-help=mysql-audit

Get Script Category Help

Getting help about a script category works the same way as for a single script.

$ nmap --script-help=default

Debug Scripts

Sometimes we cannot be sure that things go as we expected. We can get more verbose output about the scripts by tracing them while they run, like below.

$ nmap -sC --script-trace localhost