Nmap Scripting Engine (NSE) - Nmap 6 Cookbook: The Fat Free Guide to Network Security Scanning (2015)

Section 12: Nmap Scripting Engine (NSE)

Overview

The Nmap Scripting Engine is a powerful tool that allows users to develop custom scripts that can take advantage of Nmap’s advanced scanning functions. These scripts can provide additional information about a target system outside of a typical port scan.

In addition to the ability to write your own custom scripts, there are hundreds of standard built-in scripts that offer some interesting features such as vulnerability detection and exploitation. A complete list of the available NSE scripts can be found online at nmap.org/nsedoc/.

Note: Scripts for NSE are written in the Lua programming language. Unfortunately, programming in Lua is outside the scope of this book. This chapter provides an overview of how to use the built-in scripts. For more information about Lua visit lua.org.

Warning: Some NSE scripts (those in the intrusive and vuln categories in particular) use aggressive techniques that can, in rare cases, cause undesirable results such as service crashes, system downtime, or data loss. Additionally, running NSE vulnerability-exploitation scripts against systems you do not have permission to test could get you into legal trouble.

Summary of features covered in this section:

--script [script]
Execute Individual Scripts

--script [script1,script2,etc]
Execute Multiple Scripts

--script [category]
Execute Scripts by Category

--script [category1,category2]
Execute Multiple Script Categories

--script-help
Show information about an NSE script

--script-trace
Troubleshoot Scripts

--script-updatedb
Update the Script Database

Execute Individual Scripts

The --script argument is used to execute NSE scripts. Scripts are referred to by file name; the .nse extension may be omitted.

Usage syntax: nmap --script [script.nse] [target]

# nmap --script whois-ip.nse scanme.nmap.org

Starting Nmap 6.47 ( http://nmap.org ) at 2015-01-17 12:38 CST

Nmap scan report for scanme.nmap.org (74.207.244.221)

Host is up (0.31s latency).

Not shown: 997 closed ports

PORT STATE SERVICE

22/tcp open ssh

80/tcp open http

9929/tcp open nping-echo

Host script results:

| whois: Record found at whois.arin.net

| netrange: 74.207.224.0 - 74.207.255.255

| netname: LINODE-US

| orgname: Linode

| orgid: LINOD

| country: US stateprov: NJ

|

| orgtechname: Linode Network Operations

|_orgtechemail: support@***.com

Nmap done: 1 IP address (1 host up) scanned in 4.00 seconds

Executing an NSE script

Results from scripts that run once per host are displayed under the heading “Host script results”. In the example above, the --script option is used to execute a script called whois-ip.nse. The built-in whois-ip.nse script queries the Regional Internet Registry responsible for the target’s public IP address (ARIN, the American Registry for Internet Numbers, in this example) and reports the address assignment that contains it.

This is just one of the numerous built-in NSE scripts. Each new Nmap release brings additional scripts and refinements to existing scripts. A complete list of the built-in scripts for Nmap can be found online at nmap.org/nsedoc/.

Note: This NSE script was apparently renamed at some point. Version 6.47 uses whois-ip.nse and older versions of Nmap use whois.nse. Try whois.nse if you receive an error using an older version of Nmap.

Common Scripts

At the time of this writing, there were over 300 NSE scripts listed online at nmap.org/nsedoc/. While all of these scripts are useful, some are more useful than others. The list below describes some of the most useful NSE scripts applicable to everyday situations. You can use this as a starter guide to become familiar with the NSE.

dhcp-discover.nse - Discover information about a DHCP server.

dns-nsid.nse - Retrieve a DNS server’s NSID and version.bind identification strings.

ftp-anon.nse - Check if an FTP server allows anonymous access.

http-errors.nse - Crawl a website and list pages that return error codes.

http-google-malware.nse - Checks if a given website is on Google's malware blacklist.

http-headers.nse - List the HTTP headers for a webserver.

mysql-info.nse - Display information about MySQL servers.

nbstat.nse - Display NetBIOS information for Windows/Samba systems.

ntp-info.nse - Display information about an NTP server.

smb-os-discovery.nse - Display information about an SMB host.

smtp-commands.nse - Gather information on an SMTP server.

smtp-open-relay.nse - Test if a server is an open SMTP relay.

snmp-info.nse - Display information about a system running SNMP.

whois-ip.nse - Perform a whois lookup on a given IP address.

Tip: To simplify script selection, the NSE allows for executing scripts using wildcards and grouped categories. These tricks are immensely helpful for executing multiple scripts and are discussed next.

Execute Multiple Scripts

The Nmap Scripting Engine supports the ability to run multiple scripts concurrently.

Usage syntax: nmap --script [script1,script2,etc|"expression"] [target]

$ nmap --script "smtp*" 10.10.4.25

Starting Nmap 6.47 ( http://nmap.org ) at 2015-01-17 12:40 CST

Nmap scan report for 10.10.4.25

Host is up (0.00039s latency).

Not shown: 998 closed ports

PORT STATE SERVICE

22/tcp open ssh

25/tcp open smtp

| smtp-brute:

|_ ERROR: Failed to retrieve authentication mechanisms form server

|_smtp-commands: smtp.***.com, PIPELINING, SIZE 20971520, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN,

| smtp-enum-users:

| root

| admin

| administrator

| webadmin

| sysadmin

| netadmin

| guest

| user

| web

|_ test

|_smtp-open-relay: Server is an open relay (16/16 tests)

| smtp-vuln-cve2010-4344:

|_ The SMTP server is not Exim: NOT VULNERABLE

Nmap done: 1 IP address (1 host up) scanned in 5.23 seconds

Executing all SMTP scripts

In this example, the asterisk wildcard character is used to execute all scripts whose names begin with “smtp”. You can also provide a comma-separated list of individual scripts to run using the following syntax: nmap --script script1,script2,etc.

Note: Enclose wildcard expressions in quotes, such as "smtp*" or "ftp*"; otherwise the shell may expand the asterisk against file names in the current directory before Nmap ever sees it.

Tip: Some NSE scripts accept arguments using the --script-args option, given as comma-separated name=value pairs (for example --script-args name1=value1,name2=value2). This allows you to specify script-specific parameters. A complete list of the arguments each script accepts can be found online at nmap.org/nsedoc/.

Execute Scripts by Category

The --script option can also be used to execute multiple scripts based on their category.

Usage syntax: nmap --script [category] [target]

# nmap --script default 10.10.4.46

Starting Nmap 6.47 ( http://nmap.org ) at 2015-01-17 12:43 CST

Nmap scan report for 10.10.4.46

Host is up (0.00018s latency).

Not shown: 978 closed ports

PORT STATE SERVICE

53/tcp open domain

| dns-nsid:

|_ bind.version: Microsoft DNS 6.1.7601 (1DB1565C)

[...]

Host script results:

|_nbstat: NetBIOS name: FS1, NetBIOS user: <unknown>, NetBIOS MAC: 00:0c:29:14:9b:ea (VMware)

| smb-os-discovery:

| OS: Windows Server 2008 R2 Standard 7601 Service Pack 1 (Windows Server 2008 R2 Standard 6.1)

| OS CPE: cpe:/o:microsoft:windows_server_2008::sp1

| Computer name: fs1

| NetBIOS computer name: FS1

| Domain name: asdf.local

| Forest name: asdf.local

| FQDN: fs1.asdf.local

| NetBIOS domain name: ASDF

|_ System time: 2015-01-17T12:44:15-06:00

| smb-security-mode:

| Account that was used for smb scripts: guest

| User-level authentication

| SMB Security: Challenge/response passwords supported

|_ Message signing required

|_smbv2-enabled: Server supports SMBv2 protocol

Nmap done: 1 IP address (1 host up) scanned in 7.53 seconds

Executing all scripts in the default category

Note: A complete list of categories is provided in the Script Categories section below.

By specifying a category with the --script option, Nmap executes every script in that category whose run conditions are met. Scripts that run once per host (such as nbstat and smb-os-discovery above) report under the “Host script results” heading, while scripts tied to a particular open port report directly beneath that port’s line, as dns-nsid does for 53/tcp in the example above.

Tip: The -sC option is a shortcut for --script default that will execute all of the NSE scripts in the default category.

Script Categories

The NSE --script option supports executing multiple scripts based on category. Each script declares one or more categories, so a category is simply a group of related scripts that simplifies selection. The list below describes the categories defined in Nmap 6.47 (the earlier "all" entry is a selector that matches every script, not a category scripts declare):

all
Selects every available NSE script

auth
Scripts dealing with authentication credentials or bypassing them (password guessing is in brute)

broadcast
Scripts that discover hosts by broadcasting on the local network rather than by scanning a listed target

brute
Brute-force credential guessing against services

default
The basic set of scripts run by -sC or --script default

discovery
Attempts to discover in-depth information about a target

dos
Scripts that may cause a denial of service on the target

exploit
Scripts that actively exploit a vulnerability

external
Scripts that contact external sources (such as the whois database)

fuzzer
Scripts that send unexpected or randomized input to services in order to find bugs

intrusive
Scripts that may crash the target, consume significant resources, or otherwise be considered intrusive by its administrators

malware
Scripts that check for open backdoors and malware infections

safe
Scripts designed not to crash services, consume excessive bandwidth, or exploit vulnerabilities

version
Scripts that extend version detection; they run only when -sV is requested

vuln
Checks the target for specific known vulnerabilities

Using script categories is the easiest way to launch built-in NSE scripts unless you already know the specific script you want to run. Executing scripts by category, however, takes longer to complete since each category contains numerous scripts, and categories such as intrusive, vuln, and dos include scripts that can disrupt the target.

Tip: A complete list of the NSE scripts in each category can be found online at nmap.org/nsedoc/.

Execute Multiple Script Categories

Multiple script categories can be executed concurrently using one of the following forms:

nmap --script category1,category2,etc

Specifying multiple script categories as a comma-separated list will execute all scripts in the defined categories. For example, executing nmap --script malware,vuln would run all scripts in the malware and vuln categories.

nmap --script "category1 and category2"

NSE scripts can belong to more than one category. The “and” operator can be used to take advantage of this by executing all scripts that belong to both of the specified categories. For example, nmap --script "default and safe" would only execute scripts that belong to both the default and safe categories.

nmap --script "category1 or category2"

The “or” operator can be used to run scripts that belong to either of the specified categories. For example, nmap --script "default or safe" would execute all scripts that belong to either the default or safe categories.

nmap --script "not category"

The “not” operator is used to exclude scripts that belong to the specified category. For example, executing nmap --script "not intrusive" would run all scripts that do not belong to the intrusive category. Operators can be combined, and parentheses control grouping: nmap --script "(default or safe) and not http-*" runs the default and safe scripts while skipping every script whose name begins with http-. Script names and wildcards can be used anywhere a category name can.
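The following Python program is an added example and is not code from the book or from the Nmap project. It applies the selection rules described above (category names, script names with or without .nse, the * and ? wildcards, and the and/or/not operators with parentheses) to a small constructed catalog of scripts, so you can see which scripts a given --script expression would pick before launching a scan. Only whois-ip's categories are taken from the --script-help output shown on this page; the other catalog entries are illustrative, and the matching rules approximate Nmap's rather than reproduce its implementation.

```python
"""Evaluate an Nmap --script selection expression against a script catalog."""
import fnmatch
import re

# Constructed catalog of script -> categories. whois-ip's categories are the
# ones --script-help prints on this page; the other entries are illustrative
# and were not copied from a real script.db.
CATALOG = {
    "whois-ip.nse": {"discovery", "external", "safe"},
    "smtp-commands.nse": {"default", "discovery", "safe"},
    "smtp-open-relay.nse": {"discovery", "intrusive"},
    "smtp-brute.nse": {"brute", "intrusive"},
    "smb-os-discovery.nse": {"default", "discovery", "safe"},
    "http-headers.nse": {"discovery", "safe"},
    "ftp-anon.nse": {"default", "auth", "safe"},
}

# A token is a parenthesis or a name, which may carry the * and ? wildcards.
TOKEN = re.compile(r"\s*(\(|\)|[A-Za-z0-9_.*?\-]+)")


def tokenize(expr):
    tokens = TOKEN.findall(expr)
    if "".join(tokens) != "".join(expr.split()):
        raise ValueError("unexpected characters in %r" % expr)
    return tokens


def parse_expr(tokens):
    """Build a tree from the tokens; precedence as in Lua: not, then and, then or."""
    toks = list(tokens)

    def peek():
        return toks[0] if toks else None

    def take():
        return toks.pop(0) if toks else None

    def parse_or():
        node = parse_and()
        while peek() == "or":
            take()
            node = ("or", node, parse_and())
        return node

    def parse_and():
        node = parse_not()
        while peek() == "and":
            take()
            node = ("and", node, parse_not())
        return node

    def parse_not():
        if peek() == "not":
            take()
            return ("not", parse_not())
        tok = take()
        if tok == "(":
            node = parse_or()
            if take() != ")":
                raise ValueError("missing ')'")
            return node
        if tok is None or tok == ")":
            raise ValueError("expected a name or '('")
        return ("id", tok)

    tree = parse_or()
    if toks:
        raise ValueError("unexpected token %r" % toks[0])
    return tree


def name_matches(ident, filename, categories):
    """'all', one of the script's categories, or the script's file name
    (with or without .nse; * and ? wildcards allowed) selects the script."""
    if ident.endswith(".nse"):
        ident = ident[:-4]
    if ident == "all" or ident.lower() in categories:
        return True
    return fnmatch.fnmatchcase(filename[:-4], ident)


def evaluate(node, filename, categories):
    op = node[0]
    if op == "id":
        return name_matches(node[1], filename, categories)
    if op == "not":
        return not evaluate(node[1], filename, categories)
    left = evaluate(node[1], filename, categories)
    if op == "and":
        return left and evaluate(node[2], filename, categories)
    return left or evaluate(node[2], filename, categories)


def select_scripts(spec, catalog=CATALOG):
    """Scripts chosen by one --script argument; comma-separated items are
    evaluated separately and the results unioned, as Nmap does."""
    chosen = set()
    for item in spec.split(","):
        if item.strip():
            tree = parse_expr(tokenize(item))
            chosen.update(f for f, c in catalog.items() if evaluate(tree, f, c))
    return sorted(chosen)


if __name__ == "__main__":
    for spec in ("default and safe", "smtp*", "(default or safe) and not smtp-*"):
        print("%-35s -> %s" % (spec, ", ".join(select_scripts(spec))))
```

Running it prints the scripts each expression selects from the constructed catalog; to check a real installation, replace CATALOG with the entries from your own script.db. Note that "not intrusive" on its own still selects external scripts such as whois-ip, which is why practitioners usually combine it with a positive term such as "default and not intrusive".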

Show Script Help Files

The --script-help option can be used to display helpful information about a script.

Usage syntax: nmap --script-help [script]

# nmap --script-help whois-ip.nse

Starting Nmap 6.47 ( http://nmap.org ) at 2015-01-27 04:16 CST

whois-ip

Categories: discovery external safe

http://nmap.org/nsedoc/scripts/whois-ip.html

Queries the WHOIS services of Regional Internet Registries (RIR) and attempts to retrieve information about the IP Address Assignment which contains the Target IP Address.

[...]

Displaying NSE script help

In this example, the --script-help option is used to show a summary of helpful information about the whois-ip.nse script’s purpose. This can be handy in situations where you don’t have internet access to read the official NSE documentation online.

Tip: You can also read the help summary for scripts by specifying a category as the argument to --script-help. For example, executing “nmap --script-help default | more” would show the help information for all scripts in the default category.

Troubleshoot Scripts

The --script-trace option prints all traffic sent and received by NSE scripts, one layer above what --packet-trace shows for individual packets.

Usage syntax: nmap --script [script(s)] --script-trace [target]

# nmap --script default --script-trace 10.10.4.1 | more

NSOCK INFO [4.1:22] (timeout: 30000ms) EID 282

NSOCK INFO [1.9310s] nsock_trace_handler_callback(): Callback: READ SUCCESS for EID 282 [10.10.4.1:22] (1648 bytes)

NSOCK INFO [1.9310s] nsi_new2(): nsi_new (IOD #7)

NSOCK INFO [1.9310s] nsock_connect_tcp(): TCP connection requested to

[...]

NSE: TCP 10.10.4.25:48682 > 10.10.4.1:22 | CLOSE

NSE: TCP 10.10.4.25:48683 > 10.10.4.1:22 | CONNECT

NSE: TCP 10.10.4.25:48683 < 10.10.4.1:22 | SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2

[...]

NSE trace output

The --script-trace option displays all information sent and received by the NSE and is useful for troubleshooting problems related to scripts.

Some scripts can generate hundreds of lines of output when using the script trace option. In most cases, it is better to redirect the output to a file for later review. The example below demonstrates how to do this.

# nmap --script default 10.10.4.1 --script-trace > trace.txt

Redirecting the output of an NSE trace

The resulting trace.txt file will contain all of the trace data and can be viewed in a standard text editor.
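The following Python program is an added example and is not code from the book or from the Nmap project. It reads a saved trace such as trace.txt above, ignores the NSOCK INFO lines, groups the NSE: TCP lines by socket, records the CONNECT and CLOSE events, counts the printed characters sent and received in each direction, and keeps the first data received, which is usually the service banner. The trace excerpt embedded in the program is constructed from the line format shown above, not a real capture. Real traces print multi-line payloads across several lines and hex-dump binary data, so only the first line of such a payload is counted here, and the counts are of printed characters rather than raw bytes.

```python
"""Summarize an NSE --script-trace file (e.g. trace.txt) per connection."""
import re
import sys

# Constructed trace excerpt in the "NSE: TCP src > dst | payload" format shown
# above; the NSOCK INFO line is the lower-layer noise the summary skips.
TRACE = """\
NSOCK INFO [1.9310s] nsi_new2(): nsi_new (IOD #7)
NSE: TCP 10.10.4.25:48682 > 10.10.4.1:22 | CONNECT
NSE: TCP 10.10.4.25:48682 < 10.10.4.1:22 | SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2
NSE: TCP 10.10.4.25:48682 > 10.10.4.1:22 | CLOSE
NSE: TCP 10.10.4.25:48683 > 10.10.4.1:80 | CONNECT
NSE: TCP 10.10.4.25:48683 > 10.10.4.1:80 | HEAD / HTTP/1.1
NSE: TCP 10.10.4.25:48683 < 10.10.4.1:80 | HTTP/1.1 200 OK
NSE: TCP 10.10.4.25:48683 > 10.10.4.1:80 | CLOSE
NSE: TCP 10.10.4.25:48684 > 10.10.4.1:25 | CONNECT
NSE: TCP 10.10.4.25:48684 > 10.10.4.1:25 | CLOSE
"""

# ">" is traffic from the scanner to the target, "<" is data received from it.
LINE = re.compile(r"^NSE: (TCP|UDP) (\S+) ([<>]) (\S+) \| (.*)$")


def summarize_trace(text):
    """Group trace lines by (local socket, remote socket) and record the
    CONNECT/CLOSE events, printed characters sent and received, and the
    first data received, which is usually the service banner."""
    conns = {}
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # NSOCK INFO lines and continuation lines of multi-line payloads
        proto, local, direction, remote, payload = m.groups()
        c = conns.setdefault((local, remote), {
            "proto": proto, "events": [], "sent": 0, "received": 0, "banner": None})
        if direction == ">" and payload in ("CONNECT", "CLOSE"):
            c["events"].append(payload)
        elif direction == ">":
            c["sent"] += len(payload)
        else:
            c["received"] += len(payload)
            if c["banner"] is None:
                c["banner"] = payload
    return conns


def silent_connections(conns):
    """Sockets that connected and closed without receiving anything: the first
    place to look when a script prints nothing for a port that is open."""
    return sorted(k for k, c in conns.items()
                  if "CONNECT" in c["events"] and c["received"] == 0)


def by_port(conns, port):
    """Connections to one remote port, e.g. by_port(conns, 22)."""
    return {k: c for k, c in conns.items() if k[1].endswith(":%d" % port)}


if __name__ == "__main__":
    # Usage: python3 nse_trace_summary.py trace.txt (falls back to the sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else TRACE
    conns = summarize_trace(text)
    for (local, remote), c in conns.items():
        print("%s -> %s %s sent=%d recv=%d banner=%r" % (
            local, remote, c["events"], c["sent"], c["received"], c["banner"]))
    print("silent:", silent_connections(conns))
```

In the sample, the connection to port 25 connects and closes without receiving a byte, which is the pattern you see when a script's probe is dropped by a filter or the service never sends a greeting; the SSH and HTTP connections show the banner and response that the script actually parsed.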

Update the Script Database

The --script-updatedb option rebuilds the script database (the script.db file in the scripts directory) from the scripts currently on disk.

Usage syntax: nmap --script-updatedb

# nmap --script-updatedb

Starting Nmap 6.47 ( http://nmap.org ) at 2015-01-17 12:50 CST

NSE: Updating rule database.

NSE: Script Database updated successfully.

Nmap done: 0 IP addresses (0 hosts up) scanned in 0.99 seconds

Updating the NSE script database

Nmap maintains a database of scripts, script.db, that records each script’s file name and categories and is what makes selecting scripts by category or wildcard possible. Most Unix-like systems store the scripts and script.db in /usr/share/nmap/scripts/ (or /usr/local/share/nmap/scripts/ for installs built from source). Windows systems store these files in C:\Program Files\Nmap\scripts. If you add or remove scripts in the scripts directory, or change a script’s categories, you must run nmap --script-updatedb to apply the changes to the database; until you do, a new script can still be run by giving its file path to --script, but it will not be picked up by category.
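The following Python program is an added example and is not code from the book or from the Nmap project. It parses the Entry { filename = "...", categories = { ... } } lines that Nmap writes to script.db, builds the category-to-scripts index that --script [category] selects from, and reports scripts present on disk but missing from the database (or listed in the database but gone from disk), which is exactly the condition that calls for --script-updatedb. The script.db excerpt and directory listing embedded in the program are constructed for the example; the Entry line format is the one Nmap writes, and the default directory is the Unix path given above, which you may need to change for your installation.

```python
"""Parse Nmap's script.db and check it against the scripts directory."""
import os
import re

# Constructed excerpt in the one-Entry-per-script format Nmap writes to
# script.db; the category sets are illustrative, not copied from a real file.
SCRIPT_DB = '''\
Entry { filename = "ftp-anon.nse", categories = { "default", "auth", "safe", } }
Entry { filename = "smtp-open-relay.nse", categories = { "discovery", "intrusive", } }
Entry { filename = "whois-ip.nse", categories = { "discovery", "external", "safe", } }
'''

# Constructed directory listing: my-custom-check.nse was dropped into the
# directory and smtp-open-relay.nse deleted, with no --script-updatedb run.
LISTING = ["ftp-anon.nse", "my-custom-check.nse", "script.db", "whois-ip.nse"]

# Default scripts directory on most Unix-like systems (see the text above);
# source builds and Windows installs use a different path.
DEFAULT_DIR = "/usr/share/nmap/scripts"

ENTRY = re.compile(
    r'Entry\s*\{\s*filename\s*=\s*"([^"]+)"\s*,\s*categories\s*=\s*\{([^}]*)\}\s*\}'
)


def parse_script_db(text):
    """Return {filename: set of categories} from the contents of script.db."""
    db = {}
    for m in ENTRY.finditer(text):
        db[m.group(1)] = set(re.findall(r'"([^"]+)"', m.group(2)))
    return db


def by_category(db):
    """Invert the database into {category: sorted script names}, the view
    nsedoc presents and the one --script <category> selects from."""
    index = {}
    for fname, cats in db.items():
        for cat in cats:
            index.setdefault(cat, []).append(fname)
    return {cat: sorted(names) for cat, names in index.items()}


def check_database(db, listing):
    """Compare script.db with the .nse files present in the directory.
    Returns (on disk but not in db, in db but not on disk); if either list
    is non-empty, run nmap --script-updatedb."""
    on_disk = {f for f in listing if f.endswith(".nse")}
    return sorted(on_disk - set(db)), sorted(set(db) - on_disk)


def check_directory(path=DEFAULT_DIR):
    """Run the same check against a real installation."""
    with open(os.path.join(path, "script.db")) as fh:
        db = parse_script_db(fh.read())
    return check_database(db, os.listdir(path))


if __name__ == "__main__":
    missing, stale = check_database(parse_script_db(SCRIPT_DB), LISTING)
    print("on disk but not in script.db:", missing)
    print("in script.db but not on disk:", stale)
```

Run as-is it reports my-custom-check.nse as missing from the database and smtp-open-relay.nse as stale; call check_directory() to test the scripts directory of an actual Nmap installation. Scripts added to a directory without an updated script.db still run when passed to --script by path, but they do not appear in any category.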