Nmap provides script scanning, which gives it very flexible behaviour for gathering more information about, and running tests against, the target host. This feature is called the Nmap Scripting Engine (NSE). NSE gives the user the ability to write test scripts; the language it supports is Lua. NSE also ships with some vulnerability detection scripts.
NSE groups scripts into categories to keep things tidy. These are the categories:
- auth is used for authentication-related scripts like x11-access and ftp-anon
- broadcast scripts are used to discover new targets not listed in the target parameter
- brute is used for brute-forcing scripts like http-brute and snmp-brute
- default is the set of common scripts run by a script scan
- discovery scripts determine information about targets, like http-title and snmp-sysdescr
- dos scripts are used to test for some Denial of Service conditions
- exploit category scripts will try to exploit some vulnerabilities
- external is used to get information from third-party databases, like whois
- fuzzer category scripts fuzz some parts of network packets
- intrusive category scripts are not safe because there is a risk of crashing the target
- malware scripts scan the target to check whether it already has malware installed
- safe category scripts have no destructive effect on the target
- version category scripts determine versions, like -sV
- vuln scripts check for specific known vulnerabilities, like realvnc-auth-bypass
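The categories above are not stored in a separate database: each .nse script declares them in a `categories = {...}` line in its header, and that is what selectors such as `--script "default"` or `--script "not intrusive"` are resolved against. The following added example (not part of the original tutorial and not Nmap's own code) reads those header lines from a directory of scripts, lists the members of a category, and pre-flights a proposed script selection for anything in the intrusive, dos or exploit categories before it is run against a host that is not a test system. It assumes each script declares its categories on a single line, and the three sample script headers it writes to a temporary directory are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original tutorial or from Nmap itself.
# Assumes each .nse file declares its categories on one line, e.g.
#   categories = {"default", "discovery", "safe"}
# which is the layout NSE scripts use. Sample scripts below are constructed.

# Print the categories declared by one .nse script, one per line.
nse_categories() {
    sed -n 's/^categories[[:space:]]*=[[:space:]]*{\(.*\)}.*/\1/p' "$1" \
        | tr -d "\"' " | tr ',' '\n' | grep -v '^$'
}

# List the scripts (basenames without .nse) in a directory that belong to
# the given category, in directory order.
nse_in_category() {
    dir=$1; category=$2
    for f in "$dir"/*.nse; do
        if nse_categories "$f" | grep -qx "$category"; then
            basename "$f" .nse
        fi
    done
}

# Given a script directory and a list of script names, print every script
# that carries a disruptive category. Returns 1 if any were found, so the
# caller can stop before scanning a production host.
nse_preflight() {
    dir=$1; shift
    found=0
    for s in "$@"; do
        for c in $(nse_categories "$dir/$s.nse"); do
            case $c in
                intrusive|dos|exploit)
                    echo "$s: $c"; found=1; break ;;
            esac
        done
    done
    return $found
}

# Constructed sample script headers, in the layout real NSE scripts use.
NSE_DIR=$(mktemp -d)
cat > "$NSE_DIR/mysql-info.nse" <<'EOF'
description = [[Constructed sample: collects MySQL server banner details.]]
author = "example"
categories = {"default", "discovery", "safe"}
EOF
cat > "$NSE_DIR/http-brute.nse" <<'EOF'
description = [[Constructed sample: password guessing against HTTP auth.]]
categories = {"intrusive", "brute"}
EOF
cat > "$NSE_DIR/ssl-cert.nse" <<'EOF'
description = [[Constructed sample: reads the server certificate.]]
categories = {'default', 'safe', 'discovery'}
EOF

# Stand-alone demo: which scripts "--script default" would pull in, and
# which of a proposed selection should not be run against production hosts.
echo "default category:"
nse_in_category "$NSE_DIR" default
echo "pre-flight:"
nse_preflight "$NSE_DIR" mysql-info http-brute ssl-cert || echo "disruptive scripts found"
```

Run against a real installation by pointing `nse_in_category` at Nmap's scripts directory; the pre-flight check is the cheap guard to add to any wrapper script that assembles a `--script` selection for hosts you do not own outright.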
Now some hands-on work is needed to gain experience with NSE.
Enable Script Scan
To use scripts from the different categories, NSE should be enabled for a script scan with -sC. By default this runs the default category scripts against the target.
$ nmap -sC localhost
List Of Available NSE Scripts
Now we want to use a specific script for our scan, but first we should list and get information about the available scripts. Nmap has a web page where all scripts are listed.
To get detailed information we click the mysql-info script as an example.
Here we can see that the mysql-info script is part of the default, discovery and safe categories, and there is a summary of the script and a sample of its usage.
These scripts can be found in local system directory /usr/share/nmap/nselib/
Run Specific Script
By default the default category scripts are fired during an nmap script scan, but if we want to run a specific script we can specify the script name or category name like below.
$ nmap -sC --script mysql-info localhost
As we see, only our specified script is fired.
Run Specific Category Script
We can run all the scripts in a category the same way as a single script, by providing the category name. Be aware that my system is a test system so I specify dangerous categories. In this example we run the auth category scripts.
$ nmap --script "auth" localhost
Exclude Script Category
While specifying script categories we can also exclude a category, like below.
$ nmap --script "not intrusive" localhost
Specify Multiple Categories
Multiple categories can be specified like below.
$ nmap --script "default or auth" localhost
Provide Script Arguments
Some scripts need arguments to work. Arguments can be provided like below.
$ nmap -p 3306 localhost --script mysql-audit --script-args "mysql-audit.username='root',mysql-audit.password='123456',mysql-audit.filename='nselib/data/mysql-cis.audit'"
Here we provide 3 arguments:
- mysql-audit.username provides the username for the database
- mysql-audit.password provides the password for the database
- mysql-audit.filename is the path of the audit rule file for this script
Provide Scripts Arguments From File
Script arguments can be provided from the terminal, but how can we provide them from a file, as we may want when running nmap as a batch process? First we create a file which holds the arguments and their values. The file is named nmap-arg and looks like below.
mysql-audit.username='root' , mysql-audit.password='123456' , mysql-audit.filename='nselib/data/mysql-cis.audit'
$ nmap localhost --script-args-file ./nmap-arg
Get Script Help
We looked above at how to get information about scripts from the web. But we may not always have access to the web page, or it may not be a practical way for us. Here we get help about an NSE script from the command line.
$ nmap --script-help=mysql-audit
Get Script Category Help
Getting help about a script category works the same way as for a single script.
$ nmap --script-help=default
Sometimes we cannot be sure that things went as we expected. We can get more verbose output about scripts by tracing them while they run, like below.
$ nmap -sC --script-trace localhost