• otw

Port Scanning and Recon with nmap, Part 2: The nmap scripts (nse)

Updated: Sep 28

Welcome back, my aspiring cyber warriors!


In my earlier post here at Hackers-Arise, I introduced you to an essential tool in the pentesters/hackers toolbox. Every pentester/hacker must be proficient in the use of nmap.


First introduced by Fyodor in 1998 in Phrack magazine, nmap has been a staple of every hacker/pentester's toolbox for over 20 years. The nmap tool is mature, well-documented, and robust, but the NSE (Nmap Scripting Engine) takes nmap to a whole other level!


NSE transforms the functionality of nmap from a classic, port-scanning tool to a tool capable of vulnerability scanning, network discovery, fuzzing, password cracker and even exploitation. Presently, there are 603 scripts built into Kali but there are new scripts and capabilities being developed almost daily by an active and dedicated open-source community. These scripts are partitioned into a few categories, including;


  1. auth

  2. broadcast

  3. brute

  4. default

  5. discovery

  6. dos (denial of service)

  7. exploit

  8. external

  9. fuzzer

  10. intrusive

  11. malware

  12. safe

  13. version

  14. vuln (vulnerability)

NSE is a fully developed scripting language with scripts utilizing the Lua scripting language.


Basic Syntax


The syntax for using nmap scripts is similar to that of the basic nmap command with the exception of the keyword "--script=". To invoke an NSE, you can use the keyword --script= followed by the name of the script or the category of the script and finally followed by the IP address of the target system such as;


kali > nmap --script vuln 192.168.1.101


This command will run a series of scripts in the "vuln" category and only output data if a vulnerability if found.


Let's take a closer look at nmap scripts (NSE) in our Kali 2020 system.


Step #1: Fire up Kali and Open a terminal


Let's begin by firing up our Kali Linux 2020 and opening a terminal as seen below.




Step #2: Search for NSE Scripts


There are a number of NSE scripts built into our Kali 2020. To find them, we can use the Linux command locate, followed by the wildcard * and then the extension of every nmap scripts ".nse". This should locate all files with that extension which should all include all nmap scripts.


kali > locate *.nse



As you can see there are quite a few nmap scripts. To save the list to a file, simply enter;


kali > locate *.nse >nmapscripts



Then, to see the total number of scripts, simply use the cat command followed by the -n option and the name of the file such as;


kali > cat -n nmapscripts



As you can see, there are 603 nmap scripts installed on Kali Linux 2020. For further information on these scripts, you can refer to the nmap scripts website at;


https://nmap.org/nsedoc/


As you can see below, each script has an explanation of its function on this page.


Step #3: NSE Help


Although there are rudimentary explanations of each script on the nmap web site, if you need more information on a script, you can use the "--script-help=" switch followed by the name of the script or script category. For instance, if I wanted more information on the script category "vuln", I could simply enter;


kali > nmap -scripts-help=vuln



Note above that nmap returns each script in the category with a detailed explanation.


Step #4: Test vuln scripts category against OWASP-BWA Linux Server


Let's try using an entire category of nmap scripts against the OWASP BWA server. With nmap scripts, you can run every script in the category (see the categories above) by simply using the --script switch followed by the name of the category, such as "vuln".


The vuln category includes scripts to test for known vulnerabilities in a target. To run the entire vuln category against our target system, we can simply enter;


kali > nmap --script vuln 192.168.100.102



We can be more specific and look for SQL Injection vulnerabilities by using the "http-sql-injection" script. First, let's take a look at its help screen.


kali > nmap --scripts-help=http-sql-injection


nmap provides a detailed explanation of this script after you hit enter. This help screen explains that this script spiders an HTTP server for URLs vulnerable to SQL injection attack.


Now let's try executing this script against our OWASP BWA server.


kali >nmap --script=http-sql-injection 192.168.1.101


As you can see above, this script located 6 potential SQL injection vulnerabilities in that website.



Step 5: Test Other nmap Scripts within the http Category


Let's try some another script in the 'http' category. What if we were looking for login forms to brute force the username and password? We could find each of these using a script called "http-auth-finder". Let's run it against our OWASP BWA server and see whether it can locate the authentication forms.


kali > nmap --script="http-auth-finder" 192.168.1.101




As you can see above, this script found two forms for authentication to this system. Now that we know where they are, we can use tools such as BurpSuite or THC-Hydra to brute force the authentication.


Step #6: Test nmap scripts against Windows 7 for EternalBlue vulnerability


Next, let's try using nmap scripts against an unpatched Windows 7 Professional system. These unpatched Windows 7 systems are often vulnerable to the EternalBlue exploit developed by the US NSA and released by the Shadowbrokers in 2017.


Let's first take a look at the help screen for the EternalBlue vulnerability scanner script in nmap scripts. We can find it by searching for it by its Microsoft designated vulnerability number "ms17-010" and entering;


kali > locate *.nse | grep ms17-010


Now that we have located the appropriate script for this task, let's view its help screen.


kali > nmap --script-help=smb-vuln-ms17-0101.nse



As you can see above, this script "attempts to detect if a Microsoft SMBv1 server is vulnerable". It also points out that this vulnerability is actively exploited by WannaCry and Petya ransomware. For more information on EternalBlue, click here.


Finally, let's run this script against our Windows 7 system and see whether its vulnerable to this malicious malware.


kali >nmap --script=smb-vuln-ms17-010.nse 192.168.1.103


As you see above, this system is vulnerable! To exploit this vulnerability, you can try the EternalBlue exploit in Metasploit to own this system.


Summary


nmap is a great tool for any pentester/hacker and should be in everyone's toolbox. When the NSE scripts are added to nmap, it becomes a versatile tool for vulnerability testing, fuzzing, brute forcing and even exploitation! With all this capability at the hacker/pentester's fingertips, nmap and nmap scripts can supplant a number of tools in your toolbox.

577 views