The Nmap Scripting Engine (NSE) is one of Nmap's most powerful and flexible features.
It lets users write their own scripts in the Lua language to automate tasks or extend Nmap's functionality.
Basic use
NSE ships with a rich library of scripts by default, which extend Nmap in many directions. It was originally designed with the following uses in mind:
Network Discovery
Version Reconnaissance
Vulnerability Reconnaissance
Backdoor Reconnaissance
Vulnerability Exploitation
Nmap scripts are divided into the following categories. When scanning, you can set --script=category as needed to run a broader scan with every script in that category.
auth: scripts that handle authentication credentials (or bypass authentication)
broadcast: discover more services on the local network, such as dhcp/dns/sqlserver
brute: brute-force credential guessing against common applications such as http/snmp
default: the scripts run by default with the -sC or -A option; they provide basic script-scanning capability
discovery: gather more information about the network, such as SMB enumeration and SNMP queries
dos: denial-of-service attacks
exploit: exploit known vulnerabilities to compromise the system
external: use third-party databases or resources, such as whois lookups
fuzzer: fuzzing scripts that send abnormal packets to the target to detect potential vulnerabilities
intrusive: intrusive scripts, which may be logged or blocked by the target's IDS/IPS
malware: detect whether the target is infected with malware or has a backdoor open
safe: the opposite of intrusive; scripts considered safe to run
version: scripts that enhance the service and version detection (Version Detection) function
vuln: check whether the target has common vulnerabilities, such as MS08_067
Basic command line usage
The default category is scanned with the default scripts; on the command line you can use --script=default or -sC to apply them, like the following:
nmap -Pn -sC 47.106.80.112
Because NSE scripts are executed in parallel, several categories can be scanned at once; separate them with ASCII commas:
nmap -Pn --script=default,fuzzer,vuln 47.106.80.112
You can also give the file name of a Lua script or an expression directly, again separated by commas.
When several of these are given at once, script selection is resolved in the priority order expression > category > file name/folder name.
NSE expression
NSE expressions should be wrapped in double quotes to avoid conflict with the shell
For example, these four commands:
nmap --script "http-*" # matches scripts whose names begin with http-, such as http-auth / http-open-proxy
nmap --script "not brute" # matches scripts that are not in the brute category
nmap --script "safe or default" # equivalent to nmap --script safe,default
nmap --script "(default or safe or intrusive) and not http-*" # matches default/safe/intrusive but excludes any script beginning with http-
As you can see, NSE expressions can use the logical operators not/or/and as well as parentheses, and parentheses change the precedence.
* can be used as a wildcard; for example, not http-* excludes every script whose name starts with http-.
Script parameter usage
You can also pass arguments to NSE scripts via --script-args. Each argument has the form name=value, and multiple pairs are separated by commas. Neither name nor value may contain the characters { } , = unless, as in the example below, the value is wrapped in double quotes.
An example of argument usage:
nmap -sC --script-args 'user=foo,pass=",{}=bar",paths={/admin,/cgi-bin},xmpp-info.server_name=localhost'
The script arguments are wrapped in single quotes for the shell; the command above produces the following Lua table:
nmap.registry.args = {
  user = "foo",
  pass = ",{}=bar",
  paths = {
    "/admin",
    "/cgi-bin"
  },
  ["xmpp-info.server_name"] = "localhost"  -- key contains '-' and '.', so it needs bracket syntax in Lua
}
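To make the table construction above concrete, here is a small re-implementation of the documented --script-args syntax (comma-separated name=value pairs, double-quoted values, nested {...} tables). This is an added example written for this page, not Nmap's own parser; Nmap itself builds the table through Lua, and this version covers only the syntax shown above.

```python
# Simplified parser for Nmap --script-args syntax (added example, not Nmap code).
# Syntax as described above: comma-separated name=value pairs; a value may be a
# double-quoted string (commas, braces and '=' allowed inside) or a {...} table
# whose elements are again values or name=value pairs.

def _parse_value(s, i):
    """Parse one value starting at s[i]; return (value, index after it)."""
    if s[i] == '"':
        j = s.index('"', i + 1)          # raises ValueError if the quote is unterminated
        return s[i + 1:j], j + 1
    if s[i] == '{':
        return _parse_table(s, i + 1)
    j = i
    while j < len(s) and s[j] not in ',}':
        j += 1
    return s[i:j], j

def _parse_table(s, i):
    """Parse a table body after '{' up to its matching '}'. Named pairs become
    keys; bare values fill the Lua-style array part, indexed from 1."""
    result, index = {}, 1
    while s[i] != '}':
        if s[i] == ',':
            i += 1
            continue
        j = i                             # scan a candidate key up to '='
        while j < len(s) and s[j] not in ',}={"':
            j += 1
        if j < len(s) and s[j] == '=':
            key = s[i:j].strip()
            value, i = _parse_value(s, j + 1)
            result[key] = value
        else:                             # no '=': a bare array element
            value, i = _parse_value(s, i)
            result[index] = value
            index += 1
    return result, i + 1

def parse_script_args(args):
    """Parse a full --script-args string into a nested dict mirroring nmap.registry.args."""
    table, _ = _parse_table(args + '}', 0)   # a sentinel '}' closes the top level
    return table
```

Running parse_script_args on the string from the command above yields the same structure as the Lua table: user and pass as strings, paths as a 1-indexed array, and the dotted xmpp-info.server_name as a plain string key.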
Some complete usage examples:
nmap -sC example.com # simple script scan with the default script set
nmap -sn -sC example.com # script scan without a port scan; only host scripts run
nmap -Pn -sn -sC example.com # treat all hosts as up; only host scripts run
nmap --script smb-os-discovery --script-trace example.com # run a specific script with script tracing
nmap --script snmp-sysdescr --script-args creds.snmp=admin example.com # run a single script with script arguments
For more examples of script usage, study the official documentation in depth:
Script usage and examples: https://nmap.org/book/nse-usage.html#nse-args
Common service
Let's start with the FTP service. The first script, ftp-anon, checks for FTP anonymous login.
The script has one settable argument, maxlist: the maximum number of files to list when an open FTP port is found.
The default value of maxlist is 20; a negative value removes the limit, and 0 disables the file listing entirely.
To demonstrate, I use a host set up specifically to expose an FTP service; you can open the port locally to practise.
nmap -sV --script ftp-anon --script-args ftp-anon.maxlist=20 example.com
When the target's open FTP port is scanned, the output looks like this:
ftp-anon: Anonymous FTP login allowed (FTP code 230)
drwx------ 1 user group 0 Dec 03 09:26 .vscode
drwx------ 1 user group 0 Dec 03 09:26 client_body_temp
drwx------ 1 user group 0 Dec 03 09:11 conf
drwx------ 1 user group 0 Dec 03 09:26 fastcgi_temp
drwx------ 1 user group 0 Dec 03 09:26 logs
drwx------ 1 user group 0 Dec 24 14:40 lua
drwx------ 1 user group 0 Dec 03 09:26 proxy_temp
drwx------ 1 user group 0 Dec 03 09:26 scgi_temp
drwx------ 1 user group 0 Dec 03 09:26 uwsgi_temp
When the target service is scanned successfully, a list of accessible files is printed, which means you have already picked up sensitive information~
Now the second one, ftp-bounce: FTP bounce attack. This script checks whether the FTP server allows FTP bounce attacks.
Similarly, the script has several arguments that can be set:
ftp-bounce.password: FTP server login password, default IEUser@
ftp-bounce.username: FTP server login username, default anonymous
ftp-bounce.checkhost: the host the PORT command connects to, default scanme.nmap.org
nmap -sV --script ftp-bounce --script-args ftp-bounce.password=IEUser@,ftp-bounce.username=anonymous example.com
The following outputs indicate the result:
Success:
PORT STATE SERVICE
21/tcp open ftp
|_ftp-bounce: bounce working!
Failure:
PORT STATE SERVICE
21/tcp open ftp
|_ftp-bounce: server forbids bouncing to low ports <1025
Failure:
PORT STATE SERVICE
21/tcp open ftp
|_ftp-bounce: no banner
The third script, ftp-brute, brute-forces FTP server authentication and can be used to guess server credentials.
The script arguments are as follows:
ftp-brute.timeout: the longest wait for each socket connection, default 5 seconds
passdb: password dictionary, default nselib/data/passwords.lst
userdb: username dictionary, default nselib/data/usernames.lst
unpwdb.passlimit / unpwdb.userlimit: the maximum number of password/user attempts (default unlimited)
Less commonly used arguments: those of the creds and brute libraries (omitted for now)
Usage example:
nmap --script ftp-brute -p 21 example.com --script-args passdb=密码文档.txt
The output is:
PORT STATE SERVICE
21/tcp open ftp
| ftp-brute:
| Accounts
| root:root - Valid credentials
| Statistics
| Performed 510 guesses in 610 seconds, average tps: 0
The fourth script, ftp-libopie, checks whether the FTP server is affected by CVE-2010-1938. It belongs to two categories: vuln and intrusive.
The script has optional arguments vulns.short and vulns.showall, which belong to the vulns library; both are optional and the defaults are fine.
Usage example:
nmap -sV -Pn --script ftp-libopie example.com
After a successful scan, the output is generally similar to the following:
PORT STATE SERVICE
21/tcp open ftp
| ftp-libopie:
| VULNERABLE:
| OPIE off-by-one stack overflow
| State: LIKELY VULNERABLE
| IDs: CVE:CVE-2010-1938 OSVDB:64949
| Risk factor: High CVSSv2: 9.3 (HIGH) (AV:N/AC:M/Au:N/C:C/I:C/A:C)
| Description:
| An off-by-one error in OPIE library 2.4.1-test1 and earlier, allows remote
| attackers to cause a denial of service or possibly execute arbitrary code
| via a long username.
| Disclosure date: 2010-05-27
| References:
| http://osvdb.org/64949
| http://site.pi3.com.pl/adv/libopie-adv.txt
| http://security.freebsd.org/advisories/FreeBSD-SA-10:05.opie.asc
|_ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1938
The fifth script, ftp-proftpd-backdoor (OSVDB-ID 69562), checks for the backdoor in ProFTPD 1.3.3c.
Its argument is ftp-proftpd-backdoor.cmd: the command to execute if the backdoor is found; the default is id.
Usage example:
nmap --script ftp-proftpd-backdoor -p 21 example.com
Sample output:
PORT STATE SERVICE
21/tcp open ftp
| ftp-proftpd-backdoor:
| This installation has been backdoored.
| Command: id
| Results: uid=0(root) gid=0(wheel) groups=0(wheel)
|_
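Each of the FTP examples above ends with the same shape of normal output: a port line, then `| script-id:` lines closed by `|_`. As an added example (not part of the original post or of Nmap), here is a parser that turns that output into per-port findings and keeps only the ones whose text says the host is actually exposed, using a sample stitched from the ftp-anon, ftp-bounce and ftp-libopie outputs above.

```python
import re
# Constructed sample in Nmap normal-output form, stitched from the FTP outputs above.
SAMPLE = """\
PORT   STATE SERVICE
21/tcp open  ftp
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_drwx------ 1 user group 0 Dec 03 09:11 conf
|_ftp-bounce: server forbids bouncing to low ports <1025
| ftp-libopie:
|   VULNERABLE:
|     State: LIKELY VULNERABLE
|_    IDs: CVE:CVE-2010-1938 OSVDB:64949
"""
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")
SCRIPT_RE = re.compile(r"^\|(_?)\s?(.*)$")      # "|_" marks a block's last line
HEADER_RE = re.compile(r"^([\w.-]+):\s?(.*)$")  # "script-id: first line of output"

def parse_nse_output(text):
    """Return one finding dict per (port, script) block in Nmap normal output."""
    findings, port, current = [], None, None
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            port = {"port": int(m[1]), "proto": m[2], "state": m[3], "service": m[4]}
            continue
        m = SCRIPT_RE.match(line)
        if not m or port is None:
            continue
        last, body = m[1] == "_", m[2].strip()
        if current is None:                     # first line of a script block
            h = HEADER_RE.match(body)
            if h:
                current = dict(port, script=h[1], output=[h[2]] if h[2] else [])
                findings.append(current)
        else:                                   # continuation line of the block
            current["output"].append(body)
        if last:
            current = None
    return findings

# Phrases the FTP scripts above print only when the target really is exposed.
EXPOSURE_MARKERS = ("login allowed", "bounce working", "Valid credentials",
                    "has been backdoored", "VULNERABLE")

def exposed(findings):
    """Findings carrying a marker; 'State: NOT VULNERABLE' must not count as a hit."""
    hits = []
    for f in findings:
        text = " ".join(f["output"])
        if "NOT VULNERABLE" not in text and any(k in text for k in EXPOSURE_MARKERS):
            hits.append(f)
    return hits
```

On the sample, three findings are parsed and two are kept: ftp-anon (anonymous login allowed) and ftp-libopie (LIKELY VULNERABLE), while the ftp-bounce refusal is dropped.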
I have shown the specific usage of some common scripts; there are many more scanning scripts for different services, and you can choose according to your needs:
Common HTTP scripts
Backup file: http-backup-finder
WAF scan:
http-waf-fingerprint
http-waf-detect
WordPress related:
http-wordpress-enum
http-wordpress-users
http-wordpress-brute
CVE vulnerability scan (wildcard expression):
nmap --script "http-vuln-cve*" 127.0.0.1
Proxy scan:
http-open-proxy: scan for an open HTTP proxy
http-proxy-brute
socks-open-proxy: scan for an open SOCKS proxy
socks-brute
socks-auth-info
Others: see the official documentation
Scanning for common vulnerabilities:
ftp-heartbleed: Heartbleed (SSL) vulnerability detection
smb-vuln-*: vulnerabilities related to the SMB service
dns-zone-transfer: check for DNS zone transfer exposure
banner: banner collection